The Complete Guide to PII

Cole Pruden | Personal Data, PII, PII Examples

[Image: An example of PII data by PII Tools]

Ever wondered what the difference between PII and personal data is? Maybe you wanted to see a list of PII types and their examples? Not sure when regular information turns into PII? Read on to find all the answers and more.

PII… Ever Heard of It?

To start, let’s get the definition out of the way. PII stands for Personally Identifiable Information, but what does that actually mean?

The answer: Any information about an individual that can be used to distinguish or trace an individual’s identity. That includes names, dates of birth, health records…all kinds of stuff.

But if you’re looking to get more specific, you’ll be interested to hear that no government body or regulation officially defines PII. All you need to know is that most professionals turn to the definition given by the National Institute of Standards and Technology. But if you’re feeling too lazy to actually click the link, here’s a summary for you:

“PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” – NIST

Isn’t Personal Data Just the Same Thing?

No. Although similar, they don’t have everything in common. Before we go any further, you’re going to want to know the difference between PII and personal data, especially since you’re sure to see the two mixed up way too often online. This is the simplest way I can think of to display these differences:

PII:

  • Used in the USA.
  • An “umbrella” term that classifies various kinds of personal information.
  • No official or regulation-based definition (the one from NIST is the best we’ve got).

Personal Data:

  • Used in Europe.
  • Clearly defined in the GDPR as such: “Personal data are any information which are related to an identified or identifiable natural person”.
  • “Personal data” is the official term and must be recognized by anyone storing this kind of information on anyone living in Europe (whether or not your company is actually based in Europe).

You’re interested in PII, otherwise you wouldn’t have ended up reading this article. And since you’re already here, you should probably be aware of the other related types of PII. There’s sensitive data, protected data, protected health information, and more. To take a deep dive on the subject, be sure to check out our article PII and Its Many Forms.

Alright, that’s enough explaining. Let’s get to the reason why we’re all here: The List of PII Examples.

PII Examples

PII includes, but is not limited to:

  • Names: Full name, first name, last name, maiden name, mother’s maiden name, or alias.
  • Personal identification numbers: Social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number.
  • Personal address information: Street address, or email address.
  • Personal telephone numbers
  • Personal characteristics: Photographic images (particularly of the face or other identifying characteristics), fingerprints, or handwriting.
  • Biometric data: retina scans, voice signatures, or facial geometry.
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.

To make things as clear as possible, here’s a table of what the types of PII listed above could look like in the real world:

If you want to get a tighter grasp of PII examples, check our article PII Examples on this topic. Spoiler alert: It contains real-life examples for you to download and use.

What? There’s a Second List?

The list doesn’t stop there, however. Some information on its own doesn’t constitute PII, simply because it’s vague enough that you can’t match it to a specific person.

Example 1: A document that just has the last name “Smith” on it, with no other identifying information. This is because “Smith” is the most common last name in the US, with over 2 million people sharing this name.

Example 2: A file that gives no information about a person other than their date of birth. Just think, out of the 7.674 billion people alive today, how many of them share the birthday of March 12? Even if you add the year (e.g., 2001), there are still millions of people born on that same day.

How Does “Regular” Information Become PII?

So, what’s the big deal? The big deal is that even though some information might not directly identify someone on its own, it can still be grouped with other information to do just that, transforming it from random information into PII.

Let’s take a look at some of the other examples that aren’t quite PII yet, but could be if joined with other information:

  • Place of birth
    • Example: Capio Saint Göran’s Hospital, Stockholm, Sweden
  • Business telephone number
    • Example: +420 888 999 101
  • Race
    • Example: Hispanic or Latino, White, American Indian, Black, etc.
  • Religion
    • Example: Buddhism, Christianity, Islam, Judaism, etc.
  • Geographical indicators
    • Example: Tequila, champagne, parmesan cheese, etc. (words that identify a product originating from a unique location)
  • Employment information
    • Example: Employee pay rate ($7.25 per hour), employee contract, bonuses, and benefits (dental or health insurance, gym membership, etc.)
  • Medical information
    • Example: Record of a patient’s symptoms, examinations, test results, diagnosis, treatment, plans for future healthcare, etc. (Keep in mind, medical information may be subject to additional HIPAA requirements.)
  • Educational information
    • Example: Attendance, test scores, report card information, tuition fees, etc. (Keep in mind, educational information may be subject to additional FERPA requirements.)
  • Financial information
    • Example: Credit ratings, financial statements, third-party credit analyses, income, balance sheets, etc.

To help illustrate how this non-PII info can be combined with other non-PII info to become PII, we have created the table below.

Just picture coming across a document, an email, a report (anything, really) that combines two previously separate pieces of non-PII info. Now that they’ve been combined, you can identify WHO that document, email, or report is actually talking about.

Data Anonymization and De-Anonymization

In the same vein as different pieces of data being strung together to create PII, you’ll often hear the terms “data anonymization” and “data de-anonymization”. In short, anonymization is the process of masking users’ information as they transact in various fields, such as health services, social media, e-commerce, etc.

This information is encrypted to protect it as it passes between machines, or certain information is deleted to render what remains non-PII. However, this process isn’t bullet-proof.

De-anonymizing data reverses the work done by anonymization by matching shared sets of data that have been stripped of PII with other easily accessible data sets found online. In this way, data miners can combine and connect information until they arrive at someone’s personal identity or transaction history.
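To measure this risk before sharing a data set, you can count how many records share each combination of "regular" fields. The script below is an added example, not code from the original article or from PII Tools; it applies to both the combination effect described earlier and the de-anonymization risk described here. The column names and sample rows are constructed, and the functions compute the k-anonymity of every column combination.

```python
from collections import Counter
from itertools import combinations

COLUMNS = ("last_name", "birth_date", "place_of_birth")

# Constructed sample rows (not real people): a data set from which direct
# identifiers such as SSN or email address have already been removed.
ROWS = [
    ("Smith", "2001-03-12", "Stockholm"),
    ("Smith", "2001-03-12", "Prague"),
    ("Smith", "1987-07-30", "Stockholm"),
    ("Smith", "1987-07-30", "Prague"),
    ("Novak", "2001-03-12", "Stockholm"),
    ("Novak", "2001-03-12", "Prague"),
    ("Novak", "1987-07-30", "Stockholm"),
    ("Novak", "1987-07-30", "Prague"),
]
RECORDS = [dict(zip(COLUMNS, row)) for row in ROWS]


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Size of the smallest group; k == 1 means someone can be singled out."""
    return min(group_sizes(records, columns).values())


def singled_out(records, columns):
    """Records whose value combination appears exactly once in the data set."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def audit(records, columns, k_min=2):
    """Map every non-empty column subset to its k and flag those below k_min."""
    report = {}
    for n in range(1, len(columns) + 1):
        for combo in combinations(columns, n):
            k = k_anonymity(records, combo)
            report[combo] = {"k": k, "risky": k < k_min}
    return report


if __name__ == "__main__":
    for combo, result in audit(RECORDS, COLUMNS).items():
        print(f"{' + '.join(combo):45} k={result['k']} risky={result['risky']}")
```

On this sample each field alone is shared by four records and each pair by two, but all three together single out every record, so one of the fields has to be dropped or generalized before the data set is shared.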

With this in mind, it’s always best to safeguard any PII you may be sending with the best anonymization tools possible. But the first step to protecting your PII is to arm yourself with knowledge, which is exactly what you’ve done here. Now, only one question remains: Why is PII (whether it’s yours or someone else’s) even worth protecting?

Why PII is Important For All of Us

For whatever reason you were interested in these lists, it’s important to remember that we all have a right to our private information. And that right carries over to the companies that collect PII. Any time you buy something online, sign up for social media, or fill out a contact form, you’re giving your PII to someone else. It’s then up to the companies to store that PII in a secure location, to protect it from hackers, data leaks, or even from it being misused in-house.

Keep that in mind the next time you sign up for that “free” newsletter or give your credit card information over the phone. Or if you work for a company that handles PII, it’s up to you to ensure the information entrusted to you doesn’t fall into the wrong hands.

And why’s that? Easy. Because it’s the right thing to do.
