Personally identifiable information (PII) is a term used in the U.S., while the term personal data is mostly used in Europe and is defined in the EU General Data Protection Regulation (GDPR).
However, there is often confusion about whether personally identifiable information and personal data are synonyms or have slightly different meanings. The answer is a bit more complicated than it seems at first.
What is PII?
Personally identifiable information or PII is any piece of information that can be used to identify an individual directly or indirectly.
However, the definition of PII can differ somewhat depending on the source, since it is not regulated by a single piece of legislation.
The definition of the National Institute of Standards and Technology (NIST) explains PII as:
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
However, since there is no single source for the definition of PII, the best way to determine what is and what isn’t PII is through an individual assessment that pays attention to the law, procedure, regulation, or standard governing your specific industry or field.
Organizations are responsible for compliance with the applicable data protection laws, and one of the first steps towards compliance is understanding which data is considered PII (or personal data) and whether it requires additional safeguards.
Difference between PII and personal data
Since the U.S. legal system is composed of different regulations and different federal and state laws, the definition of PII is fragmented and not as concise and structured as the personal data defined in the GDPR.
The difference between PII and personal data is hard to outline since PII is defined across multiple regulations, laws, and procedures, like:
- Health Insurance Portability and Accountability Act (HIPAA),
- Children’s Online Privacy Protection Act (COPPA)
- Federal Trade Commission (FTC),
- U.S. Department of Labor, or
- National Institute of Standards and Technology (NIST).
A variety of sources define the same subject, or a specific part of it (HIPAA, for example, covers PHI or protected health information), and therefore create many subtly different variations.
Sometimes the definition of personal data set out in the GDPR can be wider when compared to PII because it includes the data where the link between the personal data and an identifiable individual is not so tangible.
In that case, personally identifiable information can be considered as a subset of the GDPR definition. However, there are also other definitions that closely correspond with the GDPR definition of personal data.
Examples of Personally Identifiable Information (PII)
PII can include full name, email address, social security number, phone number, driver’s license number, IP address, passport number, home address, geolocation, and sensitive data like biometric data or medical records.
It is important to note that not all personally identifiable information is equally sensitive or requires the same level of protection.
The best way to identify sensitive data is to ask whether disclosing the PII could cause severe harm to the individual.
Examples of PII
- Address information
- Full Name
- Email address
- Personal telephone number
- Login data
- Credit card number
- Social security number (SSN)
- Passport number
- Driver’s license number
- Biometric data: fingerprints, retina scans, or voice signature
- Medical records
Examples of linkable information
Quasi-identifiers, or linkable information, are not considered PII on their own. However, when linked to other personal information they can identify a specific individual, and in that context they can represent PII as well.
For example, Latanya Sweeney, the founder of the Data Privacy Lab, used a combination of quasi-identifiers (gender, date of birth, and postal code) to uniquely identify an individual, and concluded that the combination of all three is sufficient to identify 87% of individuals in the United States.
Linkable information is information about or related to an individual that can be logically associated with other information about that individual (and therefore used to identify the individual).
- Date of birth
- Business telephone number
- Place of birth
- Education information…
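To make the quasi-identifier risk concrete, here is an added example (not from the original article) that measures how many records in a constructed data set share the same gender, date of birth and ZIP code, i.e. the size k of each record's quasi-identifier group, and how coarsening those fields (year only, first three ZIP digits) raises k. Records with k = 1 are the ones a linkage like Sweeney's could single out; the records, names and thresholds are all constructed.

```python
from collections import Counter

# Constructed sample records: "name" is a direct identifier, the other three
# fields are the quasi-identifiers Sweeney used (gender, birth date, ZIP code).
RECORDS = [
    {"name": "Alice", "gender": "F", "dob": "1985-03-14", "zip": "02138"},
    {"name": "Bob",   "gender": "M", "dob": "1985-03-14", "zip": "02138"},
    {"name": "Carol", "gender": "F", "dob": "1985-07-02", "zip": "02139"},
    {"name": "Dave",  "gender": "M", "dob": "1985-11-30", "zip": "02139"},
    {"name": "Erin",  "gender": "F", "dob": "1985-03-14", "zip": "02138"},
]


def quasi_key(rec, generalize=False):
    """Tuple of quasi-identifiers for one record.
    With generalize=True the fields are coarsened: birth year instead of the
    full date, and the first three ZIP digits instead of all five."""
    if generalize:
        return (rec["gender"], rec["dob"][:4], rec["zip"][:3])
    return (rec["gender"], rec["dob"], rec["zip"])


def k_sizes(records, generalize=False):
    """Map each record's name to k, the number of records (itself included)
    that share its quasi-identifier tuple. k == 1 means the record is unique
    on those fields and could be re-identified by linking to any public
    data set that carries the same fields plus a name."""
    counts = Counter(quasi_key(r, generalize) for r in records)
    return {r["name"]: counts[quasi_key(r, generalize)] for r in records}


def uniquely_identifiable(records, generalize=False):
    """Names of records that are unique on the quasi-identifiers."""
    return sorted(n for n, k in k_sizes(records, generalize).items() if k == 1)


def min_k(records, generalize=False):
    """Smallest group size in the data set; a release should require this to
    stay above an agreed threshold (the idea behind k-anonymity)."""
    return min(k_sizes(records, generalize).values())


if __name__ == "__main__":
    print("raw:        ", uniquely_identifiable(RECORDS), "min k =", min_k(RECORDS))
    print("generalized:", uniquely_identifiable(RECORDS, True),
          "min k =", min_k(RECORDS, True))
```

On the constructed set three of five people are unique on the raw fields, while coarsening to year and ZIP3 leaves no singletons; on a real data set the same check tells you which columns need generalizing or suppressing before a release.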
What is not considered PII (non-PII)?
Non-PII would be a piece of information that doesn’t allow you to identify a person.
However, what is not considered PII is much vaguer than under the GDPR, whose definition of personal data is very clear about the distinction.
Some definitions exclude cookie IDs or IP addresses, which directly conflicts with the GDPR’s definition.
- Aggregated statistics
- Internet Protocol (IP) addresses
- Media Access Control (MAC) addresses
- Cookie ID
- Device ID
However, NIST states that linked information can be asset information, such as an Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific identifiers that link to a particular person or small group of people. That means cookies and device IDs can be considered PII as well. Again, it depends on who you ask.
What is personal data under the GDPR?
Understanding the concept of personal data as defined by the GDPR is one of the basics of achieving GDPR compliance, and therefore needs to be understood properly.
This matters all the more because any company that processes the personal data of EU citizens or residents is obligated to comply with the GDPR, not just EU-based organizations.
GDPR, Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This means personal data is considered to be (but is also not limited to):
- name and last name
- home address
- identification number
- Internet Protocol address (IP address)
- cookie ID
- sensitive data such as criminal records, medical records, religious and philosophical beliefs and more…
What is not considered personal data?
According to the GDPR, there is some type of information that is not considered personal data and includes (but is not limited to):
- information about legal entities such as companies or public authorities. An exception is information that relates to an identifiable individual (partners, company employees, stakeholders, managers)
- company registration number
- an email address that does not contain personal data (a generic, role-based company address, for example)
- information relating to deceased individuals
- anonymized data
Pseudonymization and anonymization of personal data
Think of pseudonymization as a security measure that helps you protect personal data, for example by encrypting it. However, the GDPR still considers pseudonymized data to be personal data, since the process is reversible, so you are still obligated to comply.
On the other hand, anonymization irreversibly alters data so the data subject is no longer identifiable directly or indirectly, and therefore it is no longer considered to be personal information.
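The reversibility distinction in the two paragraphs above, as an added example that is not part of the original article: a constructed record set is pseudonymized with a keyed hash (HMAC-SHA256), the key standing in for the additional information that must be held separately; whoever holds that key can re-link the tokens to people, which is why the result is still personal data, whereas the anonymization step discards identifiers entirely and keeps only counts, suppressing groups too small to hide in. Function names, the key and the records are all constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: a direct identifier (email) next to a health attribute.
RECORDS = [
    {"email": "alice@example.org", "diagnosis": "flu"},
    {"email": "bob@example.org", "diagnosis": "asthma"},
    {"email": "alice@example.org", "diagnosis": "flu"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: keyed hash (HMAC-SHA256) of the identifier.
    The same person always gets the same token, so their records stay
    linkable to each other even though the email is gone."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Swap the direct identifier for a pseudonym. The key is the additional
    information that must be stored apart from the pseudonymized data."""
    return [{"pid": pseudonym(r["email"], key), "diagnosis": r["diagnosis"]}
            for r in records]


def reidentify(pseudonymized, key: bytes, known_emails):
    """Whoever holds the key reverses the step by recomputing tokens for the
    individuals they know; without the key every lookup yields None."""
    lookup = {pseudonym(e, key): e for e in known_emails}
    return [{"email": lookup.get(r["pid"]), "diagnosis": r["diagnosis"]}
            for r in pseudonymized]


def anonymize(records, min_count: int = 1):
    """Irreversible: identifiers are dropped and only counts per diagnosis
    remain. Groups smaller than min_count are suppressed, because a count of
    1 still singles out a person. No key or mapping survives this step."""
    counts = Counter(r["diagnosis"] for r in records)
    return {d: n for d, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    key = b"constructed-key-kept-separately"
    tokens = pseudonymize(RECORDS, key)
    print(tokens)
    print(reidentify(tokens, key, ["alice@example.org", "bob@example.org"]))
    print(anonymize(RECORDS, min_count=2))
```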
Knowing whether the data you process is considered PII, personal data, or neither will be crucial on your compliance journey and will help you avoid misconceptions and unnecessary costs.
We recommend conducting an assessment for each data set you process to determine whether it is considered personal data, so that you can comply with applicable laws.
Organizations should have an insight into the data they are processing, minimize the use, collection, and retention of PII or personal data to what is strictly necessary to accomplish their business purpose, and implement proper procedures and technical and organizational safeguards.