Protecting PII: Examples, laws, and standards

Personally identifiable information (PII), is any piece of data that could be used—either alone or when combined with other data—to identify an individual. Some types of PII are obvious, such as a name or Social Security number, but others are more subtle.

One avatar is uniquely identified among others at the center of a bullseye in a digital environment.
DEM10 / Getty Images

PII definition: What is personally identifiable information?

PII, or personally identifiable information, is any piece of data that someone could use to figure out who you are. Some types of PII are obvious, such as your name or Social Security number, but others are more subtle—and some data points only become PII when analyzed in combination with one another.

The United States General Services Administration uses a fairly succinct and easy-to-understand definition of PII:

The term “PII” ... refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available—in any medium and from any source—that, when combined with other available information, could be used to identify an individual.

PII is increasingly valuable, and many people are increasingly worried about what use their PII is being put to, whether as part of legitimate business use by the companies that collect it or illicit use by the cybercriminals who seem to have all too easy a time getting ahold of it. This has led to a new era of legislation that aims to require that PII be locked down and its use restricted.

But if the law makes companies responsible for protecting personally identifiable information, that raises an important question: what qualifies as PII?

What are examples of PII?

There are a number of pieces of data that are universally considered PII. Some of the most obvious include:

  • Name
  • Address
  • Email
  • Telephone number
  • Date of birth
  • Passport, driver's license, or other government-issued ID number
  • Social Security number, or equivalent government identifier
  • Fingerprint or other biometric data
  • Credit or debit card number

But in some ways, trying to nail down every possible specific kind of PII is a process that's missing the point. More and more cybersecurity experts and regulatory agencies are thinking of PII in terms of what it can do if abused, rather than what it specifically is. We already saw some of that in the GSA definition above: PII is, to be a bit tautological, any information that can be used to identify a person, and sometimes you have to consider that information in a larger context in which other such information is also floating around out there. For instance: is your mother's maiden name PII? Well, by itself, probably not. But if a hacker has your mother's maiden name and your email address, and knows what bank you use, that might pose a problem, as that's a frequent security question used for password resets.

The Department of Energy has a definition for what it calls high-risk PII that's relevant here: "PII, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual." Though this definition may be frustrating to IT pros who are looking for a list of specific kinds of information to protect, it's probably a good policy to think about PII in these terms to fully protect consumers from harm.

PII vs. PHI

Before we move on, we should say a word about another related acronym you might have heard. PHI stands for protected health information, and it's a special category of PII protected in the United States by HIPAA and the HITECH Act. Essentially, it's PII that can also be tied to data about an individual's health or medical diagnoses. HIPAA Journal has more details, but the important points are that any organization that handles PHI in connection with treating a patient has an obligation to protect it, and health data can be shared and used more widely—for research or epidemiological purposes, for instance—if it's aggregated and has PII stripped out of it. 

HIPAA was passed in 1996, and was one of the first U.S. laws that had provisions for protecting PII, a move spurred by the sensitive nature of medical information. As the easy transmission (and theft) of data has become more commonplace, however, more laws have arisen in jurisdictions around the world attempting to set limits on PII's use and impose duties on organizations that collect it.

PII laws

A constellation of legislation has been passed in various jurisdictions to protect data privacy and PII. These laws are of different levels of strictness, but because data flows across borders and many companies do business in different countries, it's often the most restrictive laws that end up having the widest effects, as organizations scramble to unify their policies and avoid potential fines.

The United States does not have a single overarching data protection law beyond the provisions of HIPAA and other legislation pertaining to healthcare; that said, those laws apply to any companies that do business with healthcare providers, so their ambit is surprisingly wide. In addition, several states have passed their own legislation to protect PII. The California Privacy Rights Act, which went into effect in 2020, is one of the strictest, and has become something of a de facto standard for many U.S. companies due to California's size and economic clout, especially within the tech industry. Virginia followed suit with its own Consumer Data Protect Protection Act, and many other states are expected to get in on the game. It's also worth noting that several states have passed so-called safe harbor laws, which limit a company's financial liability for data breaches so long as they had reasonable security protections in place.

Internationally, though, the 800-pound gorilla in the world of data privacy law comes from Europe. 

What is PII for the GDPR?

The European Union's General Data Protection Regulation (GDPR) went into effect in 2016 and was a huge shakeup in the world of PII. It imposed strict rules on what companies doing business in the EU or with EU citizens can do with PII and required that companies take reasonable precautions to protect that data from hackers. Companies also have to allow EU citizens to delete their data upon request in the so-called right to be forgotten.

The list of data the GDRP protects is fairly broad as well, and includes:

  • Basic identity information such as name, address, and ID numbers
  • Web data such as location, IP address, cookie data, and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

It's worth noting that the GDRP's reach goes far beyond the EU's borders. Companies all over the world need to accommodate the regulation in order to get access to the lucrative European market. And the GDRP served as a model for California's and Virginia's legislation.

NIST PII standards

The U.S. may not have an overarching data protection law, but the National Institute of Science and Technology (NIST) has issued a Guide to Protecting the Confidentiality of PII that serves as the foundation for PII security at many federal agencies. Under these guidelines, PII includes (but is not limited to):

  • Name, such as full name, maiden name, mother's maiden name, or alias
  • Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
  • Address information, such as street address or email address
  • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information)

Protecting PII

The protection of PII is obviously a vast and ever-changing topic, and the specifics of what you're legally obligated to do in this area will depend on the regulatory framework your company operates under. The NIST guide linked to above is actually a great starting point if you want to explore a framework for PII protection. But if you want a very basic checklist to give you a sense of the scope of the problem, data security vendor Nightfall's compliance checklist is a good place to start. They recommend that you:

  • Identify and classify the data under your control that constitutes PII
  • Create a policy that determines how you'll work with PII
  • Implement the data security tools you need to carry out that policy
  • Practice identity and access management to control and record who has access to PII
  • Monitor and respond to threats

Who is responsible for protecting PII?

Under most privacy legislation, final legal responsibility for protecting PII ultimately falls on the company that controls the PII itself. In this area, legislation jibes with popular sentiment: most consumers believe companies should be responsible for the data they use and store.

Some privacy legislation mandates that companies designate specific individuals who have responsibilities in regard to PII. HIPAA requires that companies nominate a specific privacy officer for developing and implementing privacy policies. The GDPR defines several roles that are responsible for ensuring compliance: data subject—the individual whose data is collected; data controller—the organization that collects the data; data processor—an organization that processes data on behalf of the data controller, and the data protection officer (DPO)—an individual at controller or processor organizations who is responsible for overseeing GDPR compliance.

It's worth noting that the terms used in the laws aren't necessarily the actual job titles these people will have within a company, and often these responsibilities are assigned to existing roles within IT. That said, many larger companies are beginning to see protecting PII and complying with privacy regulations as a full-time job, held by someone referred to as a Digital Privacy Officer or a similar title.

PII certification

Hopefully it's clear at this point that PII protection is an important role at any company. If you're interested in a career in this area, it can't hurt to get a certification showing that you know your stuff when it comes to data privacy. Here are six of the hottest data privacy certs:

Copyright © 2022 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline