Personally Identifiable Information (PII): Your Guide to PII Compliance

Noah Wieder | US Data API Blogs
3 min read · Sep 25, 2019


Unless you live a completely disconnected life, there are pieces of your personal information everywhere. Not all of it is personally identifiable information (PII)… yet. The definition of what is and isn’t PII changes frequently, and it also varies based on who you ask.

Additionally, some information that’s not considered PII can become PII when it’s combined with other personal information.

So, there’s a lot to work through. But, understanding PII is important for protecting yourself from fraud and identity theft, and for complying with personal data protection laws.

Complying with personal data protection laws is the most difficult part. Each set of personal data protection laws has its own definition of PII, which means that compliance with one set of laws may not meet the standards of another.

This guide will give you a good working definition of PII and a quick PII compliance checklist for assessing your compliance with personal protection laws.

What is Personally Identifiable Information?

Personally identifiable information (PII) is any piece of information that can be used to identify a specific person. In most cases, the information must be capable of distinguishing one individual from another to be considered PII.

That means that something like a first name is not PII, because it’s likely that many people have that first name. However, a full name — first, middle, and last — is considered PII by many organizations. It’s much less likely that many people have that same full name.

That brings up the categories of PII. There are two types of PII: linked information and linkable information.

Linked Information

Linked information is any piece of data that can be used to identify a person, with very little or without any additional information. Linked information includes:

  • Full name
  • Social security number
  • Telephone number
  • Email address
  • Home address
  • Driver’s license number
  • Passport number
  • Credit card number
  • Birth date
  • Login information

This isn’t a comprehensive list of linked information. If you’re unsure whether a piece of data is linked information, consider how likely it is that two people share that same value. For instance, social security numbers are individualized and assigned to one person. No two people should have the same SSN; in practice, SSNs sometimes get misindexed, abused, shared, or stolen, which can be confusing, but an SSN is still considered linked information because it is supposed to be unique.

But, if you have a last name by itself, it’s quite likely that many people have that last name. So, it’s not linked information, since a last name can’t be used to identify a person without other personal information.

A last name alone would fall into the second category of PII, linkable information.

Linkable Information

Linkable information is personal information that must be combined with other pieces of personal data to identify a specific individual. Linkable information includes:

  • First or last name
  • Country
  • State
  • City
  • Postal code
  • Sex
  • Race
  • Approximate age (e.g., 18–24)
  • Job title or position
  • Place of work

Typically, linkable information is data that, by itself, matches a whole lot of people, but that narrows the match down to a single person once it’s combined with other pieces of personal data.
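As an added example (not part of the original post), the following Python script shows how a defender can measure that narrowing on a dataset before sharing or publishing it: it counts how many records share each combination of linkable fields, so a group size of 1 flags a record that the combination uniquely identifies. The records, field names and values are all constructed for this illustration and describe no real person.

```python
from collections import Counter

# Constructed sample extract (assumption: a small customer or voter-roll-style
# table). Every record here is made up; no real person is described.
RECORDS = [
    {"first": "Ana", "city": "Denver", "postal": "80202", "sex": "F", "age_band": "18-24", "job": "Nurse"},
    {"first": "Ana", "city": "Denver", "postal": "80202", "sex": "F", "age_band": "25-34", "job": "Nurse"},
    {"first": "Ben", "city": "Denver", "postal": "80202", "sex": "M", "age_band": "18-24", "job": "Teacher"},
    {"first": "Ana", "city": "Denver", "postal": "80203", "sex": "F", "age_band": "18-24", "job": "Engineer"},
    {"first": "Cy",  "city": "Denver", "postal": "80202", "sex": "M", "age_band": "25-34", "job": "Nurse"},
    {"first": "Dee", "city": "Denver", "postal": "80203", "sex": "F", "age_band": "18-24", "job": "Nurse"},
]


def group_sizes(records, quasi_ids):
    """Count how many records share each combination of the given linkable fields."""
    return Counter(tuple(r[f] for f in quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """Smallest group size over the dataset; k == 1 means at least one record
    is singled out by this combination of fields alone."""
    return min(group_sizes(records, quasi_ids).values())


def uniquely_identified(records, quasi_ids):
    """Records that no other record shares all of the given fields with."""
    sizes = group_sizes(records, quasi_ids)
    return [r for r in records if sizes[tuple(r[f] for f in quasi_ids)] == 1]


def matches(records, **known):
    """Records consistent with a given set of already-known field values,
    i.e. how far a set of linkable facts narrows the population."""
    return [r for r in records if all(r[f] == v for f, v in known.items())]


if __name__ == "__main__":
    # A single linkable field matches everyone; each added field shrinks the group.
    for fields in (["city"], ["postal", "age_band"], ["postal", "sex", "age_band"]):
        print(fields, "min group size =", min_k(RECORDS, fields))
    print("singled out by postal+sex+age band:",
          len(uniquely_identified(RECORDS, ["postal", "sex", "age_band"])))
    print("first name only:", len(matches(RECORDS, first="Ana")),
          "| first name + postal + age band:",
          len(matches(RECORDS, first="Ana", postal="80202", age_band="18-24")))
```

Postal code plus age band still leaves every record in a group of two, but adding sex singles out four of the six records, which is the kind of check to run before treating a column set as "not PII".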

If you’re trying to protect yourself from identity theft, you need to be most careful with your linked information (but don’t be cavalier with linkable information just because it’s less sensitive). A clever identity thief needs only a couple of pieces of linked information to cause problems for you.

On the other hand, if you’re concerned about regulatory compliance, things are more complex. Different governing agencies have different rules for handling PII. These varying rules stem from differences in what is considered PII.

In the United States, the National Institute of Standards and Technology (NIST) uses this definition of PII:

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
