Ask Sawal

Discussion Forum

What does pii include?

5 Answer(s) Available
Answer # 1 #

Personally Identifiable Information (PII) includes: “(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”1 Examples of PII include, but are not limited to:

The following examples on their own do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

Examples of services or work involving vendor access to PII include:

If you have any questions about this guide, please contact the University of Pittsburgh’s Office of University Counsel: http://ouc.pitt.edu/

Additional Resources:

1 OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

[5]
Robbie Postlethwaite
Station Head
Answer # 2 #

PII is used in the US but no single legal document defines it. The legal system in the United States is a blend of numerous federal and state laws and sector-specific regulations. They all define and classify different pieces of information under the PII umbrella.

On the other hand, personal data has one legal meaning, which is defined by the General Data Protection Regulation (GDPR), accepted as law across the European Union (EU).

Both terms cover common ground, classifying information that could reveal an individual’s identity directly or indirectly.

But why is all that so important? As a website admin, app creator or product owner, you need to be aware that the traces visitors and users leave behind could be of a sensitive nature. These traces might enable you to identify individuals, so you need to handle such data with the utmost caution. From a legal standpoint, it could be a matter of breaches and violations with serious consequences. Grasping the bigger picture is crucial for your organization’s security and legal compliance.


PII is often referenced by US government agencies and non-governmental organizations. Yet the US lacks one overriding law about PII, so your understanding of PII may differ depending on your particular situation.

The most common definition is provided by the National Institute of Standards and Technology (NIST).

However, the line between PII and other kinds of information is blurry. As stressed by the US General Services Administration, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

According to NIST, PII can be divided into two categories: linked and linkable information.

Linked information is more direct. It could include any personal detail that can be used to identify an individual. Examples of this kind of PII include:

Linkable information is indirect and on its own may not be able to identify a person, but when combined with another piece of information could identify, trace or locate a person.

Here are some examples of PII that can be considered linkable information:

Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person. Examples of non-PII include, but are not limited to:

However, the classification of PII and non-PII is vague. Moreover, NIST doesn’t reference cookie IDs and device IDs, so many AdTech companies, advertisers, and publishers consider them as non-PII. As we’ll see, this is in contrast to the definition of personal data, which treats such digital trackers as information that could identify an individual.

Personal data is a legal term that the GDPR defines as the following:

This definition applies not only to a person’s name and surname, but to details that could identify that person. That’s the case when, for instance, you’re able to identify a visitor returning to your website with the help of a cookie or login information.

Under the GDPR you can consider cookies as personal data because according to

And the definition of personal data covers various pieces of information such as:

Basically, it’s any information relating to an individual or identifiable person, directly or indirectly.

Following the GDPR provisions, non-personal data is data that won’t let you identify an individual. The best example is anonymous data. According to

Other examples of non-personal data include, but are not limited to:

As we’ve already mentioned, in certain contexts the differences between these two types of data seem quite vague. If we need to draw a clear line here, then we would apply the legal framework and whom this data applies to.

All rules and responsibilities regarding personal data are set out by the GDPR, which aims to strengthen and unify data collection from EU residents. This also means that there is a more unified approach to enforcement, which has been steadily increasing since May 2018, when GDPR entered into force.

It’s much harder to define a single piece of legislation that controls PII because of the lack of a single federal law governing its use. However, among the various laws that do govern the collection and usage of PII, the most prominent are:

Furthermore, both governmental and non-governmental organizations regulate the proper use of PII, including:

Since personal data is strictly connected to the GDPR, it concerns all residents and citizens of the member states of the European Economic Area – the 27 Member States of the EU plus Iceland, Liechtenstein, and Norway. We’ll refer to this group as EU residents, for short.

Still, the scope of the GDPR is not really limited to the EU. It impacts not only EU-based entities, but virtually every business dealing with the data of EU residents.

By contrast, it’s much more difficult to determine the jurisdictions where PII is applicable.

Even in the US, where PII is certainly applicable, how it’s applied varies both from state to state and from sector to sector. Several legal documents and industry standards have their own opinion about what PII is.

As a result, determining who PII applies to and how is quite difficult.

The broad definitions of PII and personal data are evolving to cover more and more kinds of data. The differences between the two are also becoming less distinct. The legal requirements are getting stricter on both sides of the Atlantic.

Those changes will bring new challenges. For organizations of all kinds, this means taking a closer look at the data they collect and keeping up with the changing legal landscape to stay compliant.

[3]
Wolfman Randle
Dance Historian
Answer # 4 #

Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual.

PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.

Advancing technology platforms have changed the way businesses operate, governments legislate, and individuals relate. With digital tools like cell phones, the Internet, e-commerce, and social media, there has been an explosion in the supply of all kinds of data.

Big data, as it is called, is being collected, analyzed, and processed by businesses and shared with other companies. The wealth of information provided by big data has enabled companies to gain insight into how to better interact with customers.

However, the emergence of big data has also increased the number of data breaches and cyberattacks by entities who realize the value of this information. As a result, concerns have been raised over how companies handle the sensitive information of their consumers. Regulatory bodies are seeking new laws to protect the data of consumers, while users are looking for more anonymous ways to stay digital.

Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes legal statistics such as:

The above list is by no means exhaustive. Companies that share data about their clients normally use anonymization techniques to encrypt and obfuscate the PII, so it is received in a non-personally identifiable form. An insurance company that shares its clients’ information with a marketing company will mask the sensitive PII included in the data and leave only information related to the marketing company’s goal.

Non-sensitive or indirect PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories. Examples of non-sensitive or indirect PII include:

The above list contains quasi-identifiers and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity.

However, non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual. De-anonymization and re-identification techniques tend to be successful when multiple sets of quasi-identifiers are pieced together and can be used to distinguish one person from another.

Multiple data protection laws have been adopted by various countries to create guidelines for companies that gather, store, and share the personal information of clients. Some of the basic principles outlined by these laws state that some sensitive information should not be collected unless for extreme situations.

Also, regulatory guidelines stipulate that data should be deleted if no longer needed for its stated purpose, and personal information should not be shared with sources that cannot guarantee its protection.

Cybercriminals breach data systems to access PII, which is then sold to willing buyers in underground digital marketplaces. For example, in 2015, the IRS suffered a data breach leading to the theft of more than a hundred thousand taxpayers’ PII.

Using quasi-information stolen from multiple sources, the perpetrators were able to access an IRS website application by answering personal verification questions that should have been privy to the taxpayers only.

Many thieves find PII of unsuspecting victims by digging through their trash for unopened mail. This can provide them with a person's name and address. In some cases, it can also reveal information about their employment, banking relationships, or even their social security numbers.

Nowadays, the Internet has become a major vector for identity theft. Phishing and social engineering attacks use a deceptive-looking website or email to trick someone into revealing key information, such as their name, bank account numbers, passwords, or social security number. It is also possible to steal this information through deceptive phone calls or SMS messages.

While it is not possible to fully protect yourself, you can make yourself a smaller target by reducing the opportunities to steal your PII. Experian, one of the top three credit agencies, lists several steps that you can take to reduce your surface area.

For example, a locked mailbox or PO box makes it harder for thieves to steal your mail and removing personal identification from junk mail and other documents makes it harder for identity thieves to associate a name with an address. Also, avoid carrying more PII than you need—there's no reason to keep your social security card in your wallet.

Likewise, there are some steps you can take to prevent online identity theft. Data leaks are a major source of identity theft, so it is important to use a different, complex password for each online account. Always encrypt your important data, and use a password for each phone or device. It is also a good idea to reformat your hard drive whenever you sell or donate a computer.

The definition of what comprises PII differs depending on where you live in the world. The following are the privacy regimes in specific jurisdictions:

In the United States, the government defined "personally identifiable" in 2020 as anything that can "be used to distinguish or trace an individual's identity" such as name, SSN, and biometrics information; either alone or with other identifiers such as date of birth or place of birth.

In the European Union (EU), the definition expands to include quasi-identifiers as outlined in the General Data Protection Regulation (GDPR) that went into effect in May 2018. The GDPR is a legal framework that sets rules for collecting and processing personal information for those residing in the EU.

Personal information is protected by the Privacy Act 1988. This law regulates the collection, storage, use, and disclosure of personal information, whether by the federal government or private entities. Later amendments regulate the use of healthcare identifiers and establish the obligations of entities that suffer from a data breach.

The Personal Information Protection and Electronic Documents Act regulates the use of personal information for commercial use. This is defined as information that on its own or combined with other data, can identify you as an individual.

Personal data encompasses a broader range of contexts than PII. For instance, your IP address, device ID numbers, browser cookies, online aliases, or genetic data. Certain attributes such as religion, ethnicity, sexual orientation, or medical history may be classified as personal data but not personally identifiable information.

In early 2018, Facebook Inc. (META), now Meta, was embroiled in a major data breach. The profiles of 30 million Facebook users were collected without their consent by an outside company called Cambridge Analytica. Cambridge Analytica got its data from Facebook through a researcher who worked at the University of Cambridge. The researcher built a Facebook app that was a personality quiz. An app is a software application used on mobile devices and websites.

The app was designed to take the information from those who volunteered to give access to their data for the quiz. Unfortunately, the app collected not only the quiz takers' data but, because of a loophole in Facebook's system, was able also to collect data from the friends and family members of the quiz takers.

As a result, over 50 million Facebook users had their data exposed to Cambridge Analytica without their consent. Although Facebook banned the sale of their data, Cambridge Analytica turned around and sold the data to be used for political consulting. Mark Zuckerberg, Facebook founder and CEO, released a statement within the company's Q1-2019 earnings release:

The data breach not only affected Facebook users but investors as well. Facebook's profits decreased by 50% in Q1-2019 versus the same period a year earlier. The company accrued $3 billion in legal expenses and would have had an earnings per share of $1.04 higher without the expenses, stating:

The following day, on April 25, 2019, Meta announced it was banning personality quizzes from its platform.

Companies will undoubtedly invest in ways to harvest data, such as personally identifiable information (PII), to offer products to consumers and maximize profits. Still, they will be met with more stringent regulations in the years to come.

[1]
Holt Watros
Biochemist
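The answer above makes two claims worth seeing in code: that masking the sensitive PII and handing over "only what the recipient needs" yields a non-personally identifiable dataset, and that quasi-identifiers pieced together across sources still re-identify people. The following is an added example, not code from the original answer or from any of the organizations it mentions. Every record is constructed, and the field names, the `mask_direct_identifiers`/`reidentify`/`enforce_k` helpers and the choice of ZIP, birth date and sex as quasi-identifiers are assumptions made for illustration. It first shows the linkage attack against a dataset that had its direct identifiers stripped, then shows the counter-measure (generalize the quasi-identifiers and suppress rows that remain unique, a k-anonymity check) and re-runs the attack against the result.

```python
"""Added example: masking direct identifiers is not the same as anonymizing.

Not from the original answer. All records below are constructed; the field
names and helper names are assumptions chosen for illustration.
"""
from collections import Counter

# Fields that name a person outright (direct identifiers).
DIRECT_IDENTIFIERS = {"name", "ssn", "email"}
# Fields that are common individually but distinguishing in combination.
QUASI_IDENTIFIERS = ("zip", "birth_date", "sex")

# Constructed records as a data holder (say, an insurer) might keep them.
MEDICAL_RECORDS = [
    {"name": "Ann Example", "ssn": "000-00-0001", "email": "ann@example.test",
     "zip": "02138", "birth_date": "1960-07-14", "sex": "F", "diagnosis": "asthma"},
    {"name": "Bob Sample", "ssn": "000-00-0002", "email": "bob@example.test",
     "zip": "02138", "birth_date": "1975-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Cy Placeholder", "ssn": "000-00-0003", "email": "cy@example.test",
     "zip": "02139", "birth_date": "1975-03-02", "sex": "M", "diagnosis": "flu"},
    {"name": "Dee Fictional", "ssn": "000-00-0004", "email": "dee@example.test",
     "zip": "02139", "birth_date": "1975-03-02", "sex": "M", "diagnosis": "none"},
]

# Constructed public list (a voter roll or directory) sharing the quasi-identifiers.
PUBLIC_LIST = [
    {"name": "Ann Example", "zip": "02138", "birth_date": "1960-07-14", "sex": "F"},
    {"name": "Bob Sample", "zip": "02138", "birth_date": "1975-03-02", "sex": "M"},
    {"name": "Cy Placeholder", "zip": "02139", "birth_date": "1975-03-02", "sex": "M"},
    {"name": "Dee Fictional", "zip": "02139", "birth_date": "1975-03-02", "sex": "M"},
]


def mask_direct_identifiers(records):
    """The naive 'anonymization': drop direct identifiers, keep everything else."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]


def qi_key(record):
    """The tuple of quasi-identifier values that a join would use."""
    return tuple(record[f] for f in QUASI_IDENTIFIERS)


def reidentify(released, public):
    """Link released rows to public rows on the quasi-identifiers.

    Returns {name: diagnosis} for rows whose quasi-identifier tuple matches
    exactly one public record; ambiguous matches are left out.
    """
    candidates = {}
    for p in public:
        candidates.setdefault(qi_key(p), []).append(p["name"])
    hits = {}
    for r in released:
        names = candidates.get(qi_key(r), [])
        if len(names) == 1:
            hits[names[0]] = r["diagnosis"]
    return hits


def k_anonymity(released):
    """Size of the smallest group of rows sharing one quasi-identifier tuple."""
    return min(Counter(qi_key(r) for r in released).values())


def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix, birth year only."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_date"] = r["birth_date"][:4]
        out.append(g)
    return out


def enforce_k(released, k):
    """Generalize, then suppress rows that are still in a group smaller than k."""
    coarse = generalize(released)
    sizes = Counter(qi_key(r) for r in coarse)
    return [r for r in coarse if sizes[qi_key(r)] >= k]


if __name__ == "__main__":
    masked = mask_direct_identifiers(MEDICAL_RECORDS)
    print("k after masking only:", k_anonymity(masked))            # 1
    print("re-identified:", reidentify(masked, PUBLIC_LIST))        # Ann and Bob
    safe = enforce_k(masked, 2)
    print("k after generalize+suppress:", k_anonymity(safe))        # 3
    # The adversary can coarsen the public list the same way, but now every
    # released row matches three names, so no unique link is possible.
    print("re-identified:", reidentify(safe, generalize(PUBLIC_LIST)))  # {}
```

Two of the four masked rows are re-identified with nothing more than a ZIP code, a birth date and a sex value joined against a public list; the one row that survives does so only because two people happen to share its quasi-identifier tuple. Generalization plus suppression buys that protection for everyone who remains, at the cost of dropping the row that stays unique. Whether a field counts as a quasi-identifier depends on what other datasets exist, which is why the NIST and GSA language quoted in the other answers insists on a case-by-case risk assessment rather than a fixed list.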
Answer # 5 #

Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., ...

[1]
B.J. Dierker
Stage Crew