Introducing Professional Services. Learn how we can help accelerate your payments transformation.Learn more →
According to the Department of Labor (DOL), Personal Identifiable Information (PII) is any information from which a person’s identity can be either directly or indirectly inferred.
PII is media-agnostic, so the definition applies to paper, electronic, and any other types of data. This may include information:
- Like name, social security number address, email address, or other identifying codes or numbers that are directly tied to an individual
- Like a combination of birth date, geography, gender, race, and other descriptors that can be linked to other data elements to identify a specific individual
- That allows a person to be contacted, either physically or online
Since PII includes information from which a person’s identity can be directly or indirectly inferred, it’s important to understand the difference between direct and indirect identifiers:
- Direct identifiers – these allow a person to be identified without additional information (social security numbers, passport numbers, driver’s license numbers, bank account information, etc.)
- Indirect identifiers – these can identify a person when coupled with additional data (the last four digits of a person’s social security number, birth date, street address without the city, etc.)
What is the History of PII?
The United States first passed a federal law around the collection, storage, use, and dissemination of Personal Identifiable Information with the Privacy Act of 1974. This act specifically applied to PII maintained by federal agencies. The Privacy Act has since been amended to include:
- Protections against the disclosure of Personal Identifiable Information records without a person’s consent
- Rules that govern the collection of a person’s Social Security Number
- Prohibitions against the maintenance of records on how a person exercises their First Amendment rights
- Rights for individuals to access and request corrections on any maintained records about their identity.
PII Meaning and Significance
How one defines PII's meaning impacts how confidentiality rules and compliance with regulations apply. Since the loss of Personal Identifiable Information can cause significant harm to individuals, there are safeguards across industries to protect it. There are myriad federal laws that govern the collection, use, transmission, processing, and disclosure of PII, including:
- Health Insurance Portability and Accountability Act (HIPAA) – HIPAA creates national standards to prevent the unauthorized disclosure of sensitive patient health information.
- The Gramm-Leach-Bliley Act (GLBA) – GLBA requires financial institutions to clearly state their information-sharing practices and to protect sensitive customer data.
- Children's Online Privacy Protection Act (COPPA) – COPPA seeks to protect the privacy of children and requires parental consent before collecting or using personal information from users under the age of 13.
Personal Identifiable Information meaning does not include information that is publicly available or lawfully available from local, state, or federal government records.
How Are PII Laws and Regulations Established?
While a general PII meaning is globally understood, it may be defined differently across different countries and regions as well as within different regulations. One example is the HIPAA data privacy standard, which follows a prescriptive formula in its definition of PII. The EU’s General Data Protection Regulation (GDPR), on the other hand, is a broader data protection law. GDPR uses a principles-based approach to defining Personal Identifiable Information that may differ from the definition used in HIPAA.
Try Modern Treasury
See how smooth payment operations can be.
Learn
Compliance is a crucial function for any company that moves money on behalf of their customers. Dive into the fundamentals behind key compliance processes like KYC, KYB, transaction monitoring, and more.
Compliance risk management (CRM) is the ongoing process of identifying, assessing, and mitigating potential risks that threaten an organization’s business.
Customer due diligence (CDD) is a process used at financial institutions (FIs) when working with potential new customers.
The Customer Identification Program (CIP), part of the Know Your Customer program guidelines, requires that financial institutions in the U.S. verify that customers (both individuals and businesses) are who they say they are when they open new accounts for themselves or other people.
FinCEN, short for Financial Crimes Enforcement Network, is a government bureau that aims to prevent money laundering and other financial crimes—and punish bad actors that commit them.
Know Your Business (KYB) is a set of verification procedures that helps companies avoid getting into business with criminals.
The Office of the Comptroller of the Currency (OCC) is a federal agency that "charters, regulates, and supervises" all national banks.
According to the Department of Labor (DOL), Personal Identifiable Information (PII) is any information from which a person’s identity can be either directly or indirectly inferred.
A Politically Exposed Person (PEP) is someone that might be more likely to break the law or be corrupt because of the power their position affords them.
Specially Designated Nationals (SDN) are individuals and entities tied to countries that the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has hit with sanctions.
A Suspicious Activity Report (SAR) is a report that a bank or other financial institution must file if it suspects that a customer might be breaking the law and committing fraud, financing terrorism, or laundering money.
Anti-money laundering (or AML) compliance entails a careful adherence to rules and regulations aimed at combating illicit financial activities.
Know Your Customer or Know Your Client (KYC) is a set of guidelines for verifying the identity of a customer and gauging the associated risk of working with them.
The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency under the jurisdiction of the US Treasury Department.
PCI DSS certification means your business has met the requirements laid out in the Payment Card Industry Data Security Standard (PCI DSS) to secure payment card data.
Service Organization Control 2 (SOC 2) is a voluntary auditing procedure that service providers complete to keep their clients’ data secure from cyber attacks.
Section 314(a) is part of the USA Patriot Act that enables financial institutions (FIs) and law enforcement to work together to fight money laundering and terrorist activity.
Section 314(b) and Section 314(a) of the USA Patriot Act both relate to information requests under the Banking Secrecy Act (BSA).
A currency transaction report (CTR) is a report made by U.S. financial institutions aiming to prevent money laundering.
An Agent of the Payee is a person, entity, or other intermediary specifically appointed by a payee to process and collect payments on their behalf.
Identity Verification APIs allow businesses to streamline the process of checking the identities of new users by automatically, and in some cases instantly, verifying their provided identifying information.
The Bank Secrecy Act (BSA)—also known as the Currency and Foreign Transactions Reporting Act—is a piece of legislation designed to help prevent fraud.
The Electronic Fund Transfer Act (EFTA) is a federal law in the U.S. that regulates electronic transactions to protect consumers.
Subscribe to Journal updates
Discover product features and get primers on the payments industry.