Personally identifiable information (PII) is a term used mostly in the U.S., while personal data is the term defined in the EU General Data Protection Regulation (GDPR) and used throughout the EU.
There is often confusion about whether personally identifiable information and personal data are synonyms or carry slightly different meanings. The answer is less simple than it first appears.
What is PII?
Personally identifiable information, or PII, is any piece of information that can be used to identify an individual directly or indirectly.
However, the definition of PII differs depending on the source, because no single piece of legislation defines it.
The National Institute of Standards and Technology (NIST), in Special Publication 800-122, defines PII as:
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Since there is no single source for the definition of PII, the best way to determine what counts as PII is an individual assessment against the law, regulation, procedure, or standard that governs your specific industry or field.
Organizations are responsible for compliance with the applicable data protection laws, and one of the first steps towards compliance is understanding which data is considered PII (or personal data) and whether it requires additional safeguards.
Difference between PII and personal data
Because the U.S. legal system is composed of separate federal and state laws and agency regulations, the definition of PII is fragmented and not as concise and structured as the definition of personal data in the GDPR.
The difference between PII and personal data is hard to outline because PII is defined, or at least described, across multiple laws, regulations, and agency guidance, such as:
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
- Federal Trade Commission (FTC) guidance
- U.S. Department of Labor guidance
- NIST Special Publication 800-122
Each source defines the whole subject or a specific part of it (HIPAA, for example, covers protected health information, or PHI), which produces many fine variations.
The GDPR definition of personal data is generally wider than PII, because it also covers data whose link to an identifiable individual is indirect or less tangible, such as online identifiers.
In that sense, personally identifiable information can be considered a subset of personal data as defined by the GDPR.
Examples of Personally Identifiable Information (PII)
PII can include full name, email address, social security number, phone number, driver’s license number, IP address, passport number, home address, geolocation, and sensitive data like biometric or medical records.
It is important to note that not all personally identifiable information is equally sensitive or requires the same level of protection.
A practical way to single out sensitive PII is to ask whether its disclosure could cause severe harm to the individual (for example, identity theft, financial loss, or discrimination).
Examples of PII
- Address information
- Full Name
- Email address
- Personal telephone number
- Login data
- Credit card number
- Social Security Number (SSN)
- Passport number
- Driver’s license number
- Biometric data: fingerprints, retina scans, or voice signature
- Medical records
Examples of linkable information
Quasi-identifiers, or linkable information, are not considered PII on their own. Linked with other personal information, however, they can single out a specific individual, and in that context they also count as PII.
For example, Latanya Sweeney, founder of the Data Privacy Lab at Harvard, showed that the combination of gender, date of birth, and 5-digit ZIP code is sufficient to uniquely identify 87% of individuals in the United States.
Linkable information is information about or related to an individual that can logically be associated with other information about that individual (and can therefore be used to identify them):
- Date of birth
- Business telephone number
- Place of birth
- Education information…
What is not considered PII (non-PII)?
Non-PII is information that does not, by itself, allow you to identify a person.
What counts as non-PII is much vaguer than under the GDPR, where the boundary of personal data is drawn more clearly.
Some U.S. definitions treat the following as non-PII, including cookie IDs and IP addresses, which directly conflicts with the GDPR, where both are online identifiers and therefore personal data:
- Aggregated statistics
- Internet Protocol (IP) addresses
- Media Access Control (MAC) addresses
- Cookie ID
- Device ID
What is personal data under the GDPR?
Understanding the GDPR’s concept of personal data is one of the foundations of GDPR compliance and therefore needs to be understood properly.
It matters all the more because the GDPR applies not only to EU-based organizations but also to any organization, wherever established, that processes personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3).
GDPR, Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This means personal data includes (but is not limited to):
- first and last name
- home address
- identification number
- Internet Protocol address (IP address)
- cookie ID
- sensitive data such as criminal records, medical records, religious and philosophical beliefs and more…
What is not considered personal data?
According to the GDPR (see Recitals 14, 26, and 27), some information is not considered personal data, including (but not limited to):
- Information about legal entities such as companies or public authorities. The exception is information that relates to an identifiable individual (partners, employees, stakeholders, managers): that information is personal data of that individual
- company registration number
- a generic company email address such as info@example.org (an address of the form firstname.lastname@example.org does identify a person and is personal data)
- information relating to a deceased individual (Member States may provide their own rules for it)
- anonymized data
Pseudonymization and anonymization of personal data
Pseudonymization (GDPR Article 4(5)) replaces direct identifiers with tokens and keeps the additional information needed to reverse the mapping, such as a key or lookup table, separately and under its own safeguards. It is a useful security measure, but because the process is reversible, pseudonymized data is still personal data and you remain obligated to comply with the GDPR.
Anonymization, on the other hand, irreversibly alters the data so that the data subject can no longer be identified, directly or indirectly, and the result is no longer considered personal data (Recital 26). The caveat is that removing names is not enough: if the remaining quasi-identifiers can still be linked to an individual using other data that is reasonably available, the data is not anonymous.
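The following Python example is added here and is not code from the original article. It ties together the two practical points above: the Sweeney-style linkage attack on quasi-identifiers (gender, date of birth, ZIP), the fact that pseudonymization leaves both the lookup table and the quasi-identifiers in place, and a k-anonymity check that shows when generalization actually removes the link. The records, the "public register," the HMAC key, and the generalization rules (birth year, 3-digit ZIP prefix) are all constructed assumptions for illustration.

```python
"""Quasi-identifier linkage, pseudonymization and a k-anonymity check.

Added example, not from the original article. All data below is constructed;
the generalization rules are assumptions chosen so the effect is visible.
"""
import hashlib
import hmac
from collections import Counter

QUASI_IDS = ("gender", "dob", "zip")

# Constructed "medical" records: a direct identifier, quasi-identifiers, and a sensitive attribute.
RECORDS = [
    {"name": "Alice", "gender": "F", "dob": "1984-03-12", "zip": "02138", "diagnosis": "asthma"},
    {"name": "Bob",   "gender": "M", "dob": "1984-07-30", "zip": "02139", "diagnosis": "diabetes"},
    {"name": "Carol", "gender": "F", "dob": "1984-11-02", "zip": "02139", "diagnosis": "flu"},
    {"name": "Dan",   "gender": "M", "dob": "1984-01-15", "zip": "02140", "diagnosis": "hypertension"},
    {"name": "Eve",   "gender": "F", "dob": "1991-05-21", "zip": "02141", "diagnosis": "migraine"},
    {"name": "Fiona", "gender": "F", "dob": "1991-09-09", "zip": "02142", "diagnosis": "anemia"},
]

# Constructed "public register" (think voter roll): names plus the same quasi-identifiers,
# but no health data. This is the side information a linkage attack joins against.
PUBLIC_REGISTER = [{k: r[k] for k in ("name",) + QUASI_IDS} for r in RECORDS]


def k_anonymity(records, keys=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifier values (k=1: someone is unique)."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values())


def pseudonymize(records, secret):
    """Replace the name with an HMAC token. Returns (tokenized records, lookup table).

    The lookup table is the 'additional information' that GDPR Art. 4(5) requires to be
    kept separately; whoever holds it can reverse the mapping, so the output is still
    personal data. Note that the quasi-identifiers are left untouched.
    """
    lookup, out = {}, []
    for r in records:
        token = hmac.new(secret, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, lookup


def reidentify(token, lookup):
    """Reverse a pseudonym with the separately held lookup table."""
    return lookup.get(token)


def linkage_attack(records, register, keys=QUASI_IDS):
    """Join records to the register on the quasi-identifiers.

    Returns {name: diagnosis} for every record whose quasi-identifiers match exactly one
    register entry. Records matching two or more people cannot be attributed.
    """
    index = {}
    for p in register:
        index.setdefault(tuple(p[k] for k in keys), []).append(p["name"])
    found = {}
    for r in records:
        matches = index.get(tuple(r[k] for k in keys), [])
        if len(matches) == 1:
            found[matches[0]] = r["diagnosis"]
    return found


def generalize(record):
    """Assumed generalization rules: date of birth -> birth year, ZIP -> 3-digit prefix."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["zip"] = record["zip"][:3]
    return g


def anonymize(records):
    """Drop the direct identifier and generalize the quasi-identifiers. There is no table
    that undoes this, which is what makes it anonymization rather than pseudonymization."""
    return [{k: v for k, v in generalize(r).items() if k != "name"} for r in records]


if __name__ == "__main__":
    pseudo, table = pseudonymize(RECORDS, b"constructed-demo-key")
    print("k of raw records:", k_anonymity(RECORDS))
    print("linked despite pseudonyms:", linkage_attack(pseudo, PUBLIC_REGISTER))
    anon = anonymize(RECORDS)
    print("k after generalization:", k_anonymity(anon))
    print("linked after generalization:", linkage_attack(anon, [generalize(p) for p in PUBLIC_REGISTER]))
```

The point the output makes: the pseudonymized set still has k=1 on (gender, dob, zip), so every diagnosis can be re-attached to a name by joining against the register, with no need for the lookup table at all. Only after the quasi-identifiers are generalized (k=2 here) does the join become ambiguous and the attribution fail; whether the chosen k is enough in practice depends on what other data is reasonably available to an attacker.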
Knowing whether the data you process is PII, personal data, or neither is crucial to your compliance journey and helps you avoid misconceptions and unnecessary costs.
We recommend assessing each data set you process to determine whether it contains personal data, so that you can comply with the applicable laws.
Organizations should have insight into the data they process; minimize the collection, use, and retention of PII or personal data to what is strictly necessary for their business purpose; and implement proper procedures and technical and organizational safeguards.