Personally Identifiable Information (PII)

Any information that can be used to identify or trace a particular individual constitutes PII (Personally Identifiable Information). Examples include social security numbers, driver's licenses, bank accounts, addresses, birthplaces, medical information, and more. The term is common in the U.S.

The term "personal data" is more commonly used in Europe, and specifically under the GDPR. Personal data covers PII as well as online identifiers, so cookies and browsing history are also considered personal data.

Because the data is sensitive, managing PII often requires additional protections, along with considerable attention and supervision, in order to meet GDPR compliance. To be considered PII, data must not only identify the individual to whom it pertains, but also "must concern the individual in some way."

The PII umbrella of information

The first thing to consider when determining whether data constitutes PII is whether its content directly or indirectly identifies or makes identifiable the individual to whom it pertains. 

Usually, directly identifying data consists of one or more elements such as the individual's name, social security number, street address, or email address.

Even without this information, some data elements may still allow an individual to be identified indirectly, such as based on age, race, gender, or location. 

If indirect identification is involved, it is sometimes less obvious whether the individual is at risk of being identified, and determining this will usually require a more rigorous and thorough analysis.

Processing PII Data

For any organization that manages and processes data, knowing and understanding PII is crucial. Intentional or unintentional mishandling of PII can result in serious consequences in terms of both privacy protection and crime prevention.

In addition to being knowledgeable about how PII should be handled, you should also be aware of the regulations applicable to your particular field. In every manner of data collection or use, personal data should be treated with the utmost care and vigilance and properly safeguarded against possible misuse.

Other depictions of personal information:

  • SPI - Sensitive personal information - Data which is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information. However, data may be considered more or less sensitive depending on context or jurisdiction. Recently the U.S. Federal Trade Commission classified TV-viewing data as "sensitive."
  • NPI - Nonpublic personal information - Nonpublic personal information is any personally identifiable financial information that is not publicly available.
  • MNPI - Material nonpublic information - Material nonpublic information is data relating to a company that has not been made public but could have an impact on its share price. It is against the law for holders of material nonpublic information to use the information to their advantage in trading stocks.