Personal Identifiable Information (PII)

PII is media-agnostic, so the definition applies to paper, electronic, and any other types of data. This may include information:

• Like name, social security number address, email address, or other identifying codes or numbers that are directly tied to an individual
• Like a combination of birth date, geography, gender, race, and other descriptors that can be linked to other data elements to identify a specific individual
• That allows a person to be contacted, either physically or online

Since PII includes information from which a person’s identity can be directly or indirectly inferred, it’s important to understand the difference between direct and indirect identifiers:

• Direct identifiers – these allow a person to be identified without additional information (social security numbers, passport numbers, driver’s license numbers, bank account information, etc.)
• Indirect identifiers – these can identify a person when coupled with additional data (the last four digits of a person’s social security number, birth date, street address without the city, etc.)

What is the History of PII?

The United States first passed a federal law around the collection, storage, use, and dissemination of Personal Identifiable Information with the Privacy Act of 1974. This act specifically applied to PII maintained by federal agencies. The Privacy Act has since been amended to include:

• Protections against the disclosure of Personal Identifiable Information records without a person’s consent
• Rules that govern the collection of a person’s Social Security Number
• Prohibitions against the maintenance of records on how a person exercises their First Amendment rights
• Rights for individuals to access and request corrections on any maintained records about their identity.

PII Meaning and Significance

How one defines PII's meaning impacts how confidentiality rules and compliance with regulations apply. Since the loss of Personal Identifiable Information can cause significant harm to individuals, there are safeguards across industries to protect it. There are myriad federal laws that govern the collection, use, transmission, processing, and disclosure of PII, including:

• Health Insurance Portability and Accountability Act (HIPAA) – HIPAA creates national standards to prevent the unauthorized disclosure of sensitive patient health information.
• The Gramm-Leach-Bliley Act (GLBA) – GLBA requires financial institutions to clearly state their information-sharing practices and to protect sensitive customer data.
• Children's Online Privacy Protection Act (COPPA) – COPPA seeks to protect the privacy of children and requires parental consent before collecting or using personal information from users under the age of 13.

Personal Identifiable Information meaning does not include information that is publicly available or lawfully available from local, state, or federal government records.

How Are PII Laws and Regulations Established?

While a general PII meaning is globally understood, it may be defined differently across different countries and regions as well as within different regulations. One example is the HIPAA data privacy standard, which follows a prescriptive formula in its definition of PII. The EU’s General Data Protection Regulation (GDPR), on the other hand, is a broader data protection law. GDPR uses a principles-based approach to defining Personal Identifiable Information that may differ from the definition used in HIPAA.