Personally Identifiable Information (PII)

WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)?

Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single person.

The following are examples of PII:

• Name
• Date of birth
• Address
• Telephone number
• Email address
• Social Security number
• Driver’s license number
• Passport number
• Account passwords
• Financial account numbers (bank accounts, credit card, etc.)
• Biometric data (fingerprints or retina scans)
• National identification numbers (US SSN and UK NI number)

How to protect PII at your business

Take the following steps to protect PII at your business, including customer data and sensitive information about your employees:

• Review all the information you collect currently. If you are not using it, then delete it.
• Make sure whatever data that is collected is relevant to your business purpose and would not be considered PII.
• When possible, send the masked version of the password instead of sending a plain text – never send a plain text password over email or other insecure channels.
• When no longer needed for business purposes, securely destroy all personal data in accordance with privacy laws and company policies. If you are unable to determine if something constitutes PII by your organization, ask your organization’s privacy officer for assistance and avoid any resources that would likely provide unreliable data.
• Only use reliable government resources to help identify if something qualifies as PII.
• If you are unsure whether or not something constitutes PII, err on the side of caution – when in doubt, it probably will be considered PII by an EU regulator.

How to find out if the information you hold is PII

There are many sources available to help you determine if the personal data you are holding could be considered PII. The UK Information Commissioner’s Office has published a list of online resources that can help organizations identify what type of personal data they are holding and how it should be handled in compliance with GDPR.

Steps to take if you think PII has been compromised

If you suspect you have been compromised, do not attempt to cover it up. Take the following steps:

• Contact a lawyer.
• Contact your local data protection authority (DPA). The DPA has a number of actions available for companies that breach GDPR regulations and could help mitigate future penalties if taken quickly enough.
• Keep your customers and employees informed. Make sure you let them know where to find the relevant information about how the incident occurred and what steps you are taking to prevent it from happening again.

Frequently asked questions about personally identifiable information

What is the definition of PII under GDPR?

PII refers to “information which can be used on its own or with other information to identify an individual”. Any data that relates directly or indirectly to a living person will be considered personal data. The ICO also has some guidelines about how companies should identify the type of PII they are holding and what it could be used for. This includes guidance on specific points such as geo-location, IP addresses, health data, racial or ethnic information, political opinions, religious beliefs and sexual orientation.

How do you define ‘identifiable’?

While PII is most often considered as personal data which can identify an individual, this is not always the case. For example, IP addresses are frequently used to identify individuals and they also count as personal data. However, it is possible to have information that does not directly identify someone but could still lead to identification if combined with other sources of data. The GDPR emphasises that it should be possible for companies to specify whether or not a piece of information counts as personally identifiable information using “appropriate technical… [or] organisational measures”.

What about pseudonymous data?

In some circumstances, pseudonymous data may be treated by a company as anonymous and therefore beyond the scope of GDPR consent requirements. This will be the case if it is impossible or impractical to connect the data to a specific individual. It does not allow companies to process personal data without consent and so pseudonymous data must still meet the other requirements under GDPR.

What about sensitive personal information?

The definition of PII includes “sensitive” information, meaning it should receive additional protection under the law. Sensitive information can be divided into two categories: ‘special’ and ‘very special’. For example, genetic data and biometric data will automatically fall into the ‘special’ category as both types relate directly to an individual’s genetics and physical characteristics. Other forms of sensitive information such as trade union membership, religious beliefs and sexual orientation would only become very special if they were combined with something else that would make them unique to an individual.

What if I don’t know who the data subject is?

Data which does not directly identify an individual can still be personal data if it could lead to identification if combined with other pieces of information. The GDPR makes this clear by saying that any information which may be linked to a natural person will count as PII “if such linking reasonably implies” that the person is identified, even when they are not explicitly named in the data. This means that companies need to know whether or not it is possible for someone outside of their organisation to link the data being processed back to a specific individual.

What protection does anonymisation provide?

Anonymisation can reduce the risk of identification but this will depend on how much information has been removed and what other variables exist. If individuals could still be identified by looking at other sources of data held by companies then the anonymised data would count as PII. As well as anonymising data, companies must make sure they separate any possible PII from anonymised data as well as ensuring that the remaining information does not allow individuals to be identified.

Why is PII important?

It is important to understand the criteria for PII because it determines whether or not companies must comply with stricter rules under GDPR. Since PII can be stolen, lost or exposed by cyber-attacks, protecting this data remains a top priority for many organisations. As well as containing sensitive information which may put an individual at risk of fraud or blackmail, PII also has other uses outside of direct marketing. For example, PII may be used to help create profiles of individuals that can then be exploited by companies in order to decide what kind of services they should receive.

What qualifies as PII?

Any information that allows individuals to be identified directly or indirectly, by reference to an identifier such as: name, location, online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is not PII?

Personal data which has undergone pseudonymisation, meaning that it can no longer be attributed to a specific data subject without the use of additional information. However, pseudonymised data may still be personal data if it is possible to combine the pseudonym with other identifiers in order to link it back to an individual.

What is a PII violation?

Violation of PII occurs when companies fail to take the appropriate steps to protect sensitive data. This may be due to human error or a system glitch which causes personal information to be lost, stolen or exposed by cyber-attack. Because of the risks associated with mishandling PII, GDPR states that even accidental exposure can result in companies being fined.

What are the consequences for public authorities?

If PII data is processed by public authorities, the data protection officer must be able to demonstrate how they comply with GDPR. This means that public authorities cannot collect or process any more personal information than they need for their specific purposes and must destroy any information which is no longer necessary.

What are the consequences for companies?

The GDPR states that some forms of PII are considered more sensitive than others. More stringent rules apply to processing personal data related to criminal convictions or offences which require stricter safeguards, such as encryption and pseudonymisation for example. If companies are found to have mishandled more sensitive forms of PII they could be faced with fines.

Is a photo considered PII?

The GDPR does not explicitly include a photograph as part of the definition of PII. However, any information that can be used to identify an individual, such as a facial image, may be considered personal data depending on its context and purpose. As a result, any photo which includes a person could be considered a violation of GDPR if it contains their name or other forms of PII without explicit consent from the subject. Information contained in the metadata relating to the photo would also have to comply with GDPR regulations for it to remain compliant with GDPR rules.

What is PII under CCPA?

The California Consumer Privacy Act (CCPA) is similar to GDPR in that it includes the concept of “personally identifiable information” which means any information that can be used to distinguish or trace an individual’s identity, like their name and contact details. However, unlike GDPR it does include other forms of PII such as biometric data, Internet Protocol (IP) addresses, digital identifiers used for devices like mobile phones and video game consoles and personal medical information.

Who is responsible for protecting PII?

Under GDPR, mainly the company that collects, processes or owns it. However, even companies without custody of personal information must be prepared to demonstrate compliance with GDPR regulations if requested by supervisory authorities.

What can cybercriminals do with stolen PII?

Cybercriminals may sell PII on the dark web in order to make money. Alternatively, they could use it themselves to commit identity theft by opening fraudulent accounts or accessing bank details and other financial information without the victim’s knowledge.