What Is PII Data — And Why It Matters for Security and Compliance
Privacy laws generally require protection for any data that can be used to ascertain an individual’s identity.
Key Takeaways:
- PII includes any data that can identify a person, either directly or indirectly.
- PII varies in sensitivity, but all forms require protection.
- Protecting PII is both a legal requirement and a risk‑reduction strategy.
In this article, I look at Personally Identifiable Information (PII) and why it’s important to identity and protect it in your organization.
What is PII data?
Personally Identifiable Information (PII) refers to any information that can be used to identify a specific individual.
Types of PII
Although all personally identifiable information is linked to a specific individual, there are various types of personally identifiable information.
| Category | Subtype | Description | Examples |
|---|---|---|---|
| Personally Identifiable Information (PII) | Direct Identifiers | Data that can immediately identify an individual on its own, without needing additional information. | Full name, Social Security number (SSN), driver’s license number, passport number, bank account number, credit card number, phone number, IP address, fingerprints, facial recognition data, retinal scans |
| Personally Identifiable Information (PII) | Indirect Identifiers | Data that does not uniquely identify an individual by itself, but can do so when combined with other data. | Date of birth, name (when common), place of birth, mother’s maiden name |
| PII Classification | Sensitive Data | PII that could cause significant harm if exposed, such as financial loss, identity theft, or personal risk. | Bank account numbers, credit card numbers, healthcare information, login credentials, employment records, government-issued ID numbers |
| PII Classification | Non-Sensitive Data | PII that is generally publicly available and easier to obtain, though it can still be harmful if misused. | Full name, home address, phone number (e.g., listed in phone books or online directories) |
Direct identifiers
As the name suggests, a direct identifier is personal data that can immediately identify an individual without the need for any additional data. For example, a person’s name, driver’s license number, social security number (ssn), credit card numbers, passport numbers, or bank account number could be used to instantly identify someone specific.
Even a phone number or an IP address could be considered to be a direct identifier. Direct identifiers can also include biometric identifiers. Biometric records might include fingerprints, facial recognition data, retinal scans, and other types of biometric data.
Indirect identifiers
Personal data can also exist in the form of indirect identifiers. An indirect identifier is data that might not be able to positively identify an individual by itself, but can become an identifier when it is combined with other data.
As an example, a date of birth is meaningless by itself, because there are countless people who were born on any given day. Similarly, a person’s name might not necessarily be a direct identifier (although it could be), because there are many people who have identical names to one another. However, when you collectively examine a person’s name and birthday, the odds of the data pointing to a specific individual greatly increase.
The same basic concept holds true for a person’s mother’s maiden name or their place of birth. While a this information might not mean much by itself, it can be used to positively identify an individual when it is combined with other pieces of information.
Sensitive data vs non-sensitive data
PII is sometimes further categorized as being either sensitive data or non-sensitive data. Sensitive data is data that could potentially cause harm if exposed. As an example, exposing someone’s bank account number or credit card numbers would likely result in financial harm. The same could also be said of healthcare information, logon information, employment information, or any government issued ID numbers.
Conversely, non-sensitive data consists of PII that is easily obtained from public sources. As an example, a person’s full name, address, and phone number are all forms of personally identifiable information, but are publicly available in phone books or online. While it is true that such information could potentially be harmful if misused, the readily accessible nature of this data is what causes it to be considered non-sensitive.
Why PII needs protection
PII must be protected because individuals can suffer serious harm in the event that their personal data becomes exposed. Hackers and cyber criminals go to great lengths to access sensitive information for use in identity theft schemes or for the purposes of committing financial fraud.
Data breaches resulting in the exposure of sensitive data often begin with a phishing attack. A cybercriminal may trick a user into entering their credentials into a fake website. Credentials might be associated with a user’s work account, social media account, or even online shopping account.
Once credentials have been entered, the attacker can use them to gain access to any data that the user has access to. Of course, phishing is not the only type of attack that is used. Social engineering attacks are also common.
PII and data protection laws
Because the exposure of personal data can result in significant harm, there have been numerous privacy laws created in the interest of protecting sensitive PII.
GDPR
Among the most stringent of these privacy laws is the General Data Protection Regulation (GDPR) created by the European Union. GDPR imposes extremely strict requirements pertaining to the collection, storage, and processing of personal information for citizens of the European Union.
HIPAA
The United States has also created various laws aimed at maintaining data privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a privacy act that establishes data security and access control requirements for healthcare organizations.
State protection laws
HIPAA is only one of several privacy acts enacted by the federal government. Additionally, some state level government agencies have created their own laws for protecting individual privacy. As an example, the California Consumer Privacy Act (CCPA) gives California residents specific rights with regard to how their personal data is being handled.
How organizations protect PII
Organizations generally go to great lengths to protect PII against unauthorized access. This tends to be especially true where financial information is concerned, but privacy laws generally require protection for any data that can be used to ascertain an individual’s identity.
Anonymizing data
The controls that organizations put into place tend to vary based on the legal requirements and on how the data will be used. As an example, consider a healthcare organization that has just completed an important study. They would need to release their data to the scientific community so that the study can be appropriately peer reviewed. However, privacy laws prevent the data from being released. As such, these types of studies commonly anonymize the findings so that the data can be presented without the risk of anyone’s identity being compromised.
Technical and administrative controls
Beyond anonymizing data, organizations use a combination of technical and administrative controls to keep data safe. Technical controls are cybersecurity related and may include things like access control permissions, firewalls, and other security devices. NIST provides detailed recommendations for how an organization can best protect it’s IT infrastructure. Data protection laws almost always include technical data protection requirements and those requirements are generally based on NIST recommendations.
Administrative controls pertain to an organization’s functionality. There might for example, be administrative controls requiring certain doors to be locked or preventing certain employees from being in present in locations where they might accidentally be exposed to sensitive data.
Employee training
Employee training plays a critical role with regard to administrative safeguards. Human error is easily one of the leading factors in data breaches, and so it is essential for organizations to properly educate staff about the proper handling of sensitive data. In regulated industries, such training is also essential for avoiding regulatory violations and the hefty fines that come with them.
Data minimization
One more principle that comes into play when protecting PII is that of data minimization. Simply put, data minimization means collecting only the data that is absolutely necessary and not keeping the data for any longer than is required by law or by the organization’s operational requirements. Organizations often put data retention policies into place to automate data lifecycle management, ensuring that aging data that is no longer needed is purged at the appropriate time.
What does PII mean?
PII stands for Personally Identifiable Information and refers to any data that can identify an individual, either on its own or when combined with other information. This includes both direct identifiers (like Social Security numbers) and indirect identifiers (like dates of birth or IP addresses).
What are examples of PII data?
Common examples of PII include names, home addresses, email addresses, phone numbers, government-issued ID numbers, and financial account details. Less obvious examples—such as IP addresses, biometric data, or location data—may also qualify as PII when they can be linked to a specific person.
What is not considered PII?
Information that cannot be linked to an identifiable individual is generally not considered PII. This includes fully anonymized or aggregated data, as well as generalized information that cannot reasonably be traced back to a specific person.
As an internationally bestselling tech author and a former 22-time Microsoft MVP, Brien Posey has written or contributed to dozens of books and created a variety of full-length video training courses on all sorts of IT and space-related topics. He’...
