What is personally identifiable information (PII)?

According to the NIH, "Personally identifiable information (PII) refers to information that can be used to distinguish or trace an individual’s identity, either alone (direct) or when combined with other personal or identifying information that is linked or linkable to a specific individual (indirect)".

Defining Personally Identifiable Information

Personally identifiable information is any data or information that can be used to identify a specific individual. PII extends to sensitive information like financial details, medical records, and biometric data. Essentially, if a piece of information can be linked to a particular person, it qualifies as PII.

Common examples of PII

1. Full names: Your full name, or even just your first and last name, falls under PII. It's one of the most basic yet crucial pieces of personal information.
2. Addresses: Whether it's your home address or work address, this information is personally identifiable. It reveals where you live or conduct your daily activities.
3. Social security numbers: In the United States, these unique identifiers are a prime example of PII. They're required for various official purposes, making them highly sensitive.
4. Phone numbers and email addresses: Contact information is highly personal and considered PII. These details are frequently used for communication and verification.
5. Financial information: Bank account numbers, credit card details, and financial transaction history are all forms of PII. 
6. Medical records: Health information, insurance details, and medical history are sensitive PII. 
7. Biometric data: Fingerprints, facial recognition data, and other unique physical or behavioral characteristics are considered PII. 

Why PII matters

The importance of PII lies in privacy and security. Mishandling or inadequately protecting PII can lead to various risks, including identity theft, fraud, and invasion of privacy. When malicious actors gain access to PII, they can impersonate individuals, commit financial crimes, or engage in other harmful activities. Protecting PII is a matter of personal privacy and a fundamental aspect of data security in both personal and professional contexts.

How to handle and protect PII

1. Encryption: Use encryption methods to secure PII during storage and transmission. This ensures that even if unauthorized access occurs, the data remains unreadable.
2. Access controls: Implement strict access controls and permissions to limit who can view, modify, or access PII. Only authorized individuals should have access.
3. Data minimization: Collect and retain only the PII necessary for a specific purpose. Avoid collecting excessive information that is not needed.
4. Security measures: Employ robust cybersecurity measures, such as firewalls, antivirus software, and intrusion detection systems, to protect against data breaches and cyberattacks.
5. Regular audits: Conduct regular audits and assessments to identify vulnerabilities and ensure compliance with data protection regulations.

Legal and regulatory framework

Various laws and regulations exist to ensure the responsible handling of PII. For instance:

• Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. law that governs the use and disclosure of PII in healthcare settings, usually known as protected health information. Covered entities, such as healthcare providers and insurance companies, must adhere to HIPAA standards.
• Data breach notification laws: Many countries and states have data breach notification laws that require organizations to inform individuals if their PII is compromised in a data breach.

Go deeper: HIPAA Compliant Email: The Definitive Guide

What is the difference between PII and PHI?

Protected health information (PHI) is a subset of PII that specifically pertains to an individual's health and medical records. 

In contrast, PII encompasses a broader range of personal data, including but not limited to names, addresses, and financial information. It is not limited to healthcare-related information. 

Related: What is the difference between PII and PHI?

FAQs

Are pseudonymized data and anonymized data considered PII?

Pseudonymized data, where identifying information is replaced with a pseudonym, and anonymized data, which has been altered to prevent identification, may still be considered PII if there is a way to re-identify individuals using additional information.

Can publicly available information be considered PII?

Publicly available information, such as information found in public records or widely available directories, may not be considered PII under certain privacy laws if it is freely accessible and does not reveal sensitive details about an individual's private life.

What are the implications of international data transfers involving PII? 

When transferring PII internationally, organizations must ensure compliance with data protection laws and regulations of the exporting and importing countries.