
A Beginner's Guide to Identifying Personally Identifiable Information (PII)

Updated: Feb 18, 2024

How to Identify PII


Put simply, Personally Identifiable Information (PII) refers to any information that can identify an individual.  That is why it is so important to understand and why it is the cornerstone of every data privacy and protection conversation.  For individuals and companies that collect personal information, it is important to be able to recognize PII so you can properly protect it.  So, what exactly is it and how will you know it when you see it?

Let’s start with the easy ones. Some pieces of data, by themselves, can definitively distinguish one person from another. Things such as Social Security numbers, passport numbers, alien registration numbers, driver’s license numbers, government-issued ID numbers, credit card numbers, financial account numbers, and biometric information (voice, fingerprints, retina, and facial scans) are a one-to-one match with a specific person. In these cases, no additional data is needed for the data to be considered PII. These need to be handled with the utmost care.

It gets more challenging with other pieces of data such as names, email addresses, home addresses, and phone numbers. For a person named John Smith, his name alone may not be enough to definitively identify him. However, for a person with a one-of-a-kind name, that may not be the case. Today, the vast majority of email addresses and phone numbers belong to a single person; however, there are many cases where an entire family or group may share the same address or number. In that case, whether the data would be considered PII may be a bit of a gray area.

With pieces of data such as date of birth, ethnicity, and gender, there are millions of people that share these identifiers.  If you just had this information with no other associated data, it would be very difficult to identify a person. However, if you combine this information with other data such as a full name, a home address, an email address, or phone number, it starts to get easier to narrow it down to a single person.  In this case, the combination of two or more pieces of data could qualify as PII.
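
The narrowing effect described above can be measured on your own data. The following is an added example, not part of the original post: it counts how many records share each combination of fields, and a group of size 1 means that combination points to exactly one person. The field names (`gender`, `dob`, and `zip` as a stand-in for part of a home address) and the sample rows are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"gender": "F", "dob": "1990-04-12", "zip": "30301"},
    {"gender": "F", "dob": "1990-04-12", "zip": "30302"},
    {"gender": "M", "dob": "1990-04-12", "zip": "30301"},
    {"gender": "M", "dob": "1985-11-02", "zip": "30301"},
    {"gender": "F", "dob": "1985-11-02", "zip": "30301"},
    {"gender": "F", "dob": "1985-11-02", "zip": "30301"},
]


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def smallest_group(records, fields):
    """Size of the smallest group of records that look identical on `fields`."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Number of records whose combination of `fields` is unique in the set."""
    return sum(1 for n in group_sizes(records, fields).values() if n == 1)


def report(records, field_sets):
    """Build one summary row per field combination."""
    return [
        (" + ".join(fields), smallest_group(records, fields),
         singled_out(records, fields))
        for fields in field_sets
    ]


if __name__ == "__main__":
    combos = [["gender"], ["dob"], ["gender", "dob"], ["gender", "dob", "zip"]]
    for name, smallest, unique in report(RECORDS, combos):
        print(f"{name:22} smallest group={smallest}  singled out={unique}")
```

Any combination whose smallest group is 1 should be handled as PII in that data set, even though no single field in it identifies anyone on its own.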

There are many different definitions of PII floating around and, although they share the same general ideas, they are all a little bit different. In addition, not everyone will interpret the same definition in the same way. A legal team at one company may have a different interpretation of what constitutes PII than a legal team at another company. My advice would be: if you are not sure whether something is considered PII and you cannot find a specific interpretation that makes sense to you, consider it PII. Better safe than sorry, and your customers will appreciate it.