What is Personally Identifiable Information?
What is PII, non-PII, and personal data?
In the world of data, some information is classed as more sensitive. Personally identifiable information (PII) includes things like names and addresses that can be used to identify specific individuals. Non-personally identifiable information, on the other hand, may seem less of a concern, but it still adds to an overall picture of an individual’s personal data.
As the company that launched PII Scanner, Syntho is here to help you understand personal data, personally identifiable information, and non-personally identifiable information, along with the legal framework that governs all those concepts and tips for protecting personally identifiable information.
What is PII?
What is considered PII?
PII includes information that is generally considered sensitive (such as social security numbers or driver’s license numbers) as well as information that appears less sensitive at first glance (such as email addresses or postal addresses). Examples of PII include various types of information used for direct and indirect identification:
- Basic identity information
- Contact information
- Financial information
- Biometric data
- Health information
- Usernames
- IP addresses
- Demographic information
- Educational information
- Employment information
What is not considered PII?
Information that is generally not considered personally identifiable information does not directly identify a person or cannot be used on its own to distinguish or trace a specific individual.
What is not PII? Examples include:
- Anonymized data (information stripped of identifiers)
- De-identified data (information that was made less identifiable through pseudonymization or tokenization)
- Publicly available information (data that is freely accessible and commonly found in public records)
- Generalized demographic data (information about groups or categories of people)
- Aggregate data (data that combines information from multiple individuals)
- Non-personal information (company names, product serial numbers, etc.)
- Encrypted data (information transformed using encryption methods)
What is sensitive PII?
Often, sensitive and non-sensitive PII information differs depending on the context. For instance, a person’s gender, ethnicity, or political beliefs may be considered sensitive PII in some scenarios and non-sensitive in others.
However, some data has heightened risks associated with its exposure or misuse that could lead to harm, embarrassment, or discrimination.
This kind of sensitive information includes:
- Financial information (bank account numbers, credit card numbers together with their related card details, financial transaction records)
- Health information (medical records, health insurance information, mental health history, information about medical conditions, medications, treatments)
- Biometric data (fingerprints, retina scans)
- Genetic information (DNA sequences or genetic test results, family medical history)
- Social Security number (SSN)
- Sexual orientation or gender identity
- Health insurance information (policy numbers, claims history, benefits information)
- Criminal history (criminal record or involvement with law enforcement)
- Location data (real-time or historical)
- Trade union membership
- Immigration status (citizenship, residency status, or immigration history)
- Content of private communications that reveal personal or sensitive information
What is non-sensitive PII?
Non-sensitive personally identifiable information is personal data that is not inherently sensitive or private in nature. This type of information is often necessary for routine business transactions, communication, or service delivery, but it does not typically involve highly sensitive or confidential details about an individual.
Non-sensitive PII includes:
- Individual’s identity information: name without sensitive details such as a middle name, or a partial date of birth (with the year, month, or day omitted)
- Contact information: addresses without sensitive details such as apartment numbers; non-personal email addresses or phone numbers
- Employment information: job title or position
- Education information: school attended without specifying academic performance or disciplinary records, degree obtained without graduation date
- Publicly available information: information found in public directories or records (e.g., business contact details)
- Transaction or purchase history: records of purchases or transactions without sensitive financial details
- Vehicle information: vehicle make, model, and year, vehicle identification number (VIN)
- IP address: when used for general analytics or website traffic monitoring
What is non-PII?
Non-PII stands for non-personally identifiable information. This is personal data that can be used indirectly to identify a specific person. Non-PII is still considered sensitive, especially when combined with other non-PII variables, because a combination of three non-PII variables can easily identify individuals. Non-personally identifiable information can be used to analyze patterns and trends to help companies make informed decisions about their products, services, and strategies.
Under data protection regulations, organizations are expected to handle personal data—which includes both PII and non-PII—responsibly and ethically and ensure that it is not used in a way that could harm individuals or violate their privacy.
Here are some examples of non-personally identifiable information:
- General demographic data: age range, gender distribution
- Occupation
- Zip codes, regions, time zones
- Income levels not connected to specific individuals
- General patient visit counts
- Admission/discharge dates
- Medical diagnosis without patient names
- Statistical information and survey responses
- Device information (type, operating system)
- Transaction history without personal details
- User preferences
- Website traffic data, browser data, cookies, server logs
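The claim above, that a handful of individually harmless attributes can single people out, can be checked directly on a dataset. The following script is an added example, not code from the article or from Syntho's PII Scanner: it measures k-anonymity (the smallest group of records sharing the same attribute combination) on a constructed set of records, then shows how generalizing the attributes restores safety. The attribute names and records are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). Each attribute on its own is
# "non-PII" in the sense used above; the combination is what identifies.
RECORDS = [
    {"zip": "02138", "gender": "F", "birth_year": 1984},
    {"zip": "02138", "gender": "F", "birth_year": 1984},
    {"zip": "02138", "gender": "F", "birth_year": 1991},
    {"zip": "02138", "gender": "M", "birth_year": 1984},
    {"zip": "02138", "gender": "M", "birth_year": 1991},
    {"zip": "02139", "gender": "F", "birth_year": 1984},
    {"zip": "02139", "gender": "F", "birth_year": 1991},
    {"zip": "02139", "gender": "M", "birth_year": 1984},
    {"zip": "02139", "gender": "M", "birth_year": 1991},
]
QUASI_IDS = ["zip", "gender", "birth_year"]

def group_sizes(records, quasi_ids):
    """Count how many records share each combination of the chosen attributes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one person is unique."""
    return min(group_sizes(records, quasi_ids).values())

def singled_out(records, quasi_ids):
    """Number of records whose attribute combination occurs exactly once."""
    sizes = group_sizes(records, quasi_ids)
    return sum(1 for r in records if sizes[tuple(r[q] for q in quasi_ids)] == 1)

def weakest_combination(records, attrs, size):
    """The attribute subset of the given size with the lowest k."""
    return min(((c, k_anonymity(records, c)) for c in combinations(attrs, size)),
               key=lambda pair: pair[1])

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit zip prefix and birth decade."""
    return {**record, "zip": record["zip"][:3],
            "birth_year": record["birth_year"] // 10 * 10}

if __name__ == "__main__":
    for size in (1, 2, 3):
        print(size, "attribute(s):", weakest_combination(RECORDS, QUASI_IDS, size))
    print("uniquely identified:", singled_out(RECORDS, QUASI_IDS))
    coarse = [generalize(r) for r in RECORDS]
    print("after generalization: k =", k_anonymity(coarse, QUASI_IDS),
          "uniquely identified:", singled_out(coarse, QUASI_IDS))
```

On this data every single attribute and every pair keeps k at 2 or more, while the three-attribute combination identifies seven of the nine records outright; truncating the zip code and bucketing the birth year brings k back to 2 with nobody singled out.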
What is personal data?
Personal data is a broad term used primarily in the EU to denote any information that can be used to directly (PII) or indirectly (non-PII) identify a specific individual. This includes information that is factual or subjective and may relate to a person’s physical, mental, social, economic, or cultural identity.
Data protection regulations (such as GDPR, HIPAA, or CCPA) require organizations that collect, store, or process personal data (PII and non-PII) to take appropriate measures to ensure its privacy and security. This includes preventing data breaches and unauthorized access to personal data, notifying individuals if a data breach does happen, and allowing individuals to access, modify, or delete their personal data.
What is non-personal data?
Non-personal data doesn’t refer to a specific person. This information is not inherently linked or linkable to individuals or their identities, which makes it non-sensitive data.
Non-personal data can still provide insights and contribute to decision-making processes without raising privacy concerns. For instance, it can be aggregated, anonymized, or generalized for research, analysis, system optimization, or statistical reporting.
The difference between PII and personal data
Personal data and personally identifiable information are related concepts but have slightly different scopes and serve different purposes in the context of privacy and data protection regulations.
| Term | Definition | Scope | Where it is used |
|---|---|---|---|
| PII | Specific information that directly identifies a person | Often defined more narrowly and may vary depending on legal or regulatory contexts | Used in contexts where the focus is on data privacy and protection, especially in the United States |
| Personal data | Any information that relates to an identified or identifiable natural person | A broader term that encompasses a wide range of information, including both PII and non-PII | Defined by data protection laws like the GDPR in the EU and privacy laws worldwide |
The major difference is that personal data includes any information related to an identifiable individual, whereas PII refers specifically to data elements that can directly identify individuals.
Laws and regulations surrounding PII and personal data
The legal framework for data privacy varies by jurisdiction, with different countries and regions having enacted laws and regulations to protect the privacy and security of personal data.
By 2023, 162 national data privacy laws and 20 bills were active. The most comprehensive of them include:
- The EU’s General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- The US Health Insurance Portability and Accountability Act (HIPAA)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil’s Lei Geral de Proteção de Dados (LGPD)
- South Africa’s Protection of Personal Information Act (POPIA)
- Japan’s Act on the Protection of Personal Information (APPI)
- Australia’s Privacy Act 1988
How can personally identifiable information be stolen?
PII can be stolen through online and physical means, such as:
- Data breaches
- Phishing attacks (tricking people into disclosing their PII)
- Malware (keyloggers, spyware, trojans)
- Physical theft of laptops or smartphones with PII
- Social engineering (impersonating bank representatives or IT support staff)
- Data interception during transmission over insecure networks or Wi-Fi connections
While it is usually cybercriminals who break into systems to retrieve PII, weak passwords and untrained users are often the reason sensitive information is stolen. So, on top of taking data protection measures, companies should continually educate workers on how to handle data and the systems that process it.
Tips on how to protect personally identifiable information
Follow these tips to maintain the privacy of PII and prevent identity theft or misuse of personal data:
- Data encryption: implement strong encryption algorithms to encrypt PII both at rest (stored data) and in transit (data being transmitted over networks)
- Access control: implement role-based access control (RBAC) and regularly review and update access permissions to align with business needs
- Data redaction: implement redaction mechanisms to remove or obscure PII from documents, reports, or screenshots
- Secure storage and transmission: store PII in secure, tamper-proof storage systems with appropriate access controls and auditing mechanisms
- Data loss prevention (DLP): DLP tools can help enforce data security policies, detect anomalies or policy violations, and prevent data leakage
- Data masking and tokenization: replace sensitive PII with pseudonymized or tokenized values while preserving referential integrity and usability
- Audit logging and monitoring: regularly review audit logs and monitor for suspicious or unauthorized activities
- Vulnerability assessments and penetration testing: run regular tests to identify and remediate security vulnerabilities in systems that store or process PII
- Employee training and awareness: foster a culture of security awareness and accountability by teaching employees about security best practices and procedures for handling sensitive data
- Incident response and contingency planning: establish clear procedures for reporting, investigating, and responding to security breaches, and regularly test the incident response plan through simulated exercises
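As an added example, not code from the article or from Syntho's products, the following Python module shows the data masking and tokenization tip (keyed, deterministic tokens that preserve referential integrity across systems, and irreversible masking for display) together with the data redaction tip (scrubbing PII out of free text). The key, the regular expressions and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical key; in production it lives in a KMS or vault, never in code.
# Constructed here so the example runs offline; rotating it changes every token.
TOKEN_KEY = b"example-tokenization-key-not-for-production"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic pseudonym: the same input always yields the same token, so
    joins across tables still work, but the token cannot be reversed and cannot
    be recomputed from a guessed value without the key (keyed hash, not bare SHA-256)."""
    normalized = value.strip().lower().encode()
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]

def mask_card(number: str) -> str:
    """Irreversible masking for display: keep only the last four digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 4:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_text(text: str, key: bytes = TOKEN_KEY) -> str:
    """Redact free text: e-mails become consistent tokens (still linkable per
    person), SSNs are removed entirely because nothing downstream needs them."""
    text = EMAIL_RE.sub(lambda m: tokenize(m.group(0), key), text)
    return SSN_RE.sub("[SSN REDACTED]", text)

if __name__ == "__main__":
    # Constructed sample data: the same customer appears in two systems with
    # different capitalization; normalization keeps the tokens joinable.
    crm_row = {"email": "Alice@Example.com", "card": "4111 1111 1111 1111"}
    support_note = "Customer alice@example.com called; SSN on file 123-45-6789."
    print(tokenize(crm_row["email"]), mask_card(crm_row["card"]))
    print(redact_text(support_note))
```

The token for the e-mail in the CRM row and the token substituted into the support note are identical, which is the referential integrity the tip refers to; the SSN is dropped rather than tokenized because a reversible or linkable form of it serves no business purpose.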