What Is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is any information that can be used to identify an individual, either directly or indirectly. Examples of information that comes under the banner of PII are:
- full names
- email addresses
- passport or ID numbers
- social security numbers
- car registration numbers
- passport numbers
- fingerprints and other biometric data
All of the above can potentially be used – in isolation – to identify an individual person.
PII is a legal term in some countries, including the United States, where it is defined in the Guide to Protecting the Confidentiality of Personally Identifiable Information, maintained by the National Institute of Standards and Technology (NIST). In some other countries, related legislation simply refers to “personal information”.
What Are Quasi-Identifiers?
Quasi-identifiers are data points that are not PII on their own but can help identify a person when combined, and many therefore treat them as equally important in privacy considerations.
In many cases, combinations of different data points, such as a ZIP code, a date of birth and a gender, can be used together to identify an individual.
In fact, a US governmental study suggests that these pieces of information would be sufficient to identify 87% of the US population.
These combinations are known as pseudo-identifiers or quasi-identifiers. In Europe, they come under the banner of PII, but this is not the case in the USA.
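As an added example (not part of the original article), the following Python measures how identifying a ZIP code, date of birth and gender combination is in a small constructed dataset, and coarsens those fields step by step until every combination is shared by at least k records (k-anonymity). The records, the generalization ladder and the function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people): (zip_code, date_of_birth, gender, diagnosis).
# The first three columns are the quasi-identifiers discussed above; "diagnosis" stands in for
# a sensitive attribute an organisation wants to publish without exposing whose it is.
RECORDS = [
    ("02138", "1975-07-12", "F", "flu"),
    ("02138", "1975-07-12", "M", "cold"),
    ("02139", "1971-01-30", "F", "asthma"),
    ("02139", "1971-03-05", "F", "flu"),
    ("02141", "1978-11-21", "M", "cold"),
    ("02142", "1978-02-09", "M", "flu"),
]

def quasi_key(row):
    """The quasi-identifier part of a record: (zip, dob, gender)."""
    return row[:3]

def k_anonymity(rows):
    """Smallest group size over identical quasi-identifier combinations.
    A value of 1 means at least one record is uniquely identifiable."""
    counts = Counter(quasi_key(r) for r in rows)
    return min(counts.values()) if counts else 0

def unique_fraction(rows):
    """Share of records whose quasi-identifier combination appears exactly once."""
    counts = Counter(quasi_key(r) for r in rows)
    return sum(1 for r in rows if counts[quasi_key(r)] == 1) / len(rows)

def generalize(row, level):
    """Coarsen the quasi-identifiers step by step (a simple generalization ladder)."""
    zip_code, dob, gender, sensitive = row
    if level >= 1:
        zip_code = zip_code[:3] + "**"  # 5-digit ZIP -> 3-digit prefix
        dob = dob[:4]                    # full date of birth -> birth year
    if level >= 2:
        gender = "*"                     # suppress gender entirely
    if level >= 3:
        dob = dob[:3] + "*"              # birth year -> decade
    return (zip_code, dob, gender, sensitive)

def anonymize(rows, k, max_level=3):
    """Return (level, rows) for the least coarse level reaching k-anonymity >= k,
    or (None, []) if no level on the ladder is enough and the data should be withheld."""
    for level in range(max_level + 1):
        out = [generalize(r, level) for r in rows]
        if k_anonymity(out) >= k:
            return level, out
    return None, []
```

On the raw records every row is unique (k = 1); truncating the ZIP and keeping only the birth year still leaves two people unique, and only suppressing gender as well reaches k = 2. A k-anonymous group still leaks the sensitive attribute if every record in it carries the same value, so k-anonymity is a floor, not a complete anonymization guarantee.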
How Should Organizations Handle Personal Data?
When determining how to handle personal data, organizations must consider both best practice, and privacy and compliance legislation. 137 of the 194 countries in the world have specific legislation around data protection and privacy – which include the EU’s GDPR and California’s CCPA.
Exact requirements for handling personal data are complex, but the general principles are as follows:
- Companies should practice data minimization – collecting and storing only the data they need to manage the services they provide.
- Businesses should define the purpose for which they collect data, document this, and make details available to customers.
- Data should be accurate, up to date, and only retained for as long as necessary.
- Data should be encrypted, stored securely, and protected against unauthorized access.
- Personal data should only be collected when it is lawful to do so.
It’s worth noting that in terms of legal compliance, companies must often consider the laws in all of the countries they serve, as well as where they are based. For example, businesses that operate services and websites that are accessible in the EU will have to comply with GDPR, even if they are themselves based in the US.
Sensitive vs Non-Sensitive PII
Personally identifiable information is broadly divided into sensitive PII and non-sensitive PII. The fundamental difference is that non-sensitive PII is information that is freely available in the public domain, in OSINT sources such as telephone directories and public websites. Sensitive PII is information that should be (and is generally) kept private. As such, when companies are making use of it, it should be stored and processed securely.
There can be some nuance in exactly which types of data are considered sensitive and non-sensitive in different jurisdictions.
Examples of Sensitive PII
- passport data
- bank account information
- passwords and biometric data
- personal telephone numbers
- medical records
- tax details
- personnel records
Examples of Non-Sensitive PII
- IP addresses
- business telephone numbers
- birth dates
- ethnicities
- home or work addresses
In many cases, combinations of non-sensitive PII facilitate the identification of individuals – such as combining a name and a date of birth.
Similarly, while a simple first name/last name combination often cannot identify an individual (because many other people share the same name), adding a middle name or other pieces of information can single out one person.
How to Protect Your Customers’ Personally Identifiable Information
If you run a business, failing to protect your customers’ PII can have serious ramifications, from potential data breaches to compliance penalties. Moreover, privacy is an increasing concern for consumers, so PII breaches can take their toll on your reputation.
Here are some key steps to take:
- Practice data minimization. Only collect and store information that is essential for providing your products and services.
- Ensure data is encrypted and that suitable precautions are taken when storing, processing and moving it.
- Only provide access to PII to those staff members who specifically require it to do their jobs.
- Educate customers on the principles of cyber awareness.
- Ensure compliance with local and international data security regulations, bringing in expert assistance if needed.
How Can PII Be Hacked?
Data leaks of personally identifiable information are a key cause of concern for companies and individuals, as the information can be used to enable further fraud, causing financial losses to the individual or even, sometimes, implicating them in criminal activity.
Such information can also be obtained through shoulder-surfing, social engineering, unauthorized physical access, breaking into systems and devices, and other methods.
Some PII, such as fingerprints, is biometric data, and attacks on biometric systems are an increasing pain point around the world; they often involve reproducing the biometric characteristics used to identify the person.
Once hacked or stolen, PII is used by fraudsters to enable identity fraud and several other types of schemes. Moreover, it can be combined with made-up data points to create synthetic identities, which are used in similar ways to fake and stolen IDs.
How to Protect Your Own Personally Identifiable Information
Here are some ways that you as an individual can protect your personally identifiable information:
- Stay cyber-aware, particularly around scams such as phishing and social engineering.
- Avoid games and social media quizzes that require you to unnecessarily hand over personal information or authorization to access such information.
- Use VPNs on public Wi-Fi networks.
- Be selective when sharing information such as passport details and social security numbers. Adopt a high bar of trust when sharing these things with companies.
- Encrypt sensitive data files.
- Use complex passwords, and don’t write them down or store them in plain text format. Consider using a reputable password manager.
- Be aware of physical methods fraudsters may use to access PII – from searching paper recycling bins to shoulder-surfing behind laptops and smartphones in public places.
How Governments Are Trying to Protect Your Information
Governments take two key approaches to helping protect citizens’ personally identifiable information:
- imposing privacy protection legislation such as GDPR and The Data Protection Act
- awareness campaigns to help people learn how to protect their own data
It’s important to recognize, in both cases, that authorities generally tend to shift the onus onto companies and individuals.
Differing regulations in specific countries – and even different US states – mean that there are no specific steps being taken globally to protect PII. It’s ultimately down to businesses and individuals to do all they can to protect this information.