Personally Identifiable Information

Updated Sept 21, 2020

What is personally identifiable information (PII)?

Personally identifiable information (PII) is any information that, when used alone or with other information, can identify a specific person. Examples of PII include full names, Social Security numbers (SSN), bank account numbers, and email addresses.

As the volume of data grows, companies are potentially exposed to data breaches that can result in the loss of PII. It’s crucial that companies handle customers’ sensitive information carefully, and many regulatory bodies require them to do so.

Direct vs. quasi-identifiers

PII that can be used alone or with other relevant information to identify a specific person is called a direct identifier, or sensitive data. Examples of direct identifiers include SSNs, passport information, driver’s licenses, biometric data, mailing addresses, and credit card information. Direct identifiers, when disclosed to harmful actors, can put an individual at risk and must be handled with extreme care.

Quasi-identifiers, or non-sensitive data, are pieces of information that can be combined with other quasi-identifiers to recognize a specific person. Examples of quasi-identifiers include race and gender, zip code, date of birth, and religious preference. Quasi-identifiers can be easily gathered from phone books and other public records and directories.

Importance of safeguarding PII

Exposed PII can be used for a number of malicious purposes, including selling data on the dark web, committing identity theft and other fraud, faking important documents, and opening fake accounts in the affected person’s name.

In response to these dangers, many companies have defined privacy policies that specifically address how they gather and dispose of PII. Lawmakers have also enacted legislation, such as the General Data Protection Regulation (GDPR) in the European Union, in an effort to limit the accessibility of PII and to hold organizations accountable for the PII they collect.

Protected health information (PHI)

Protected health information (PHI) includes information used by medical firms that identifies patients, including their name, address, birthday, and medical records. For hackers, PHI also offers a wealth of direct and quasi-identifiers that can be sold or used to extort payoffs from patients. Like PII, PHI must be protected and handled with the same level of confidentiality.

Safeguarding PII

Companies that use and store PII normally anonymize the data, which involves encrypting and obfuscating the PII. By anonymizing sensitive data, companies can ensure they’re adhering to regulations and focusing only on the information that relates to their goals.
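
The following added example (not code from the original page) ties the direct vs. quasi-identifier distinction to anonymization. It assumes keyed hashing (HMAC-SHA256) as the obfuscation step and a simple k-anonymity count as the re-identification check; the records, field names, and key are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people; 000-xx SSNs are never issued).
RECORDS = [
    {"name": "Ana Ruiz",  "ssn": "000-00-0001", "zip": "30301", "dob": "1984-03-12", "gender": "F"},
    {"name": "Ben Cole",  "ssn": "000-00-0002", "zip": "30301", "dob": "1984-07-30", "gender": "M"},
    {"name": "Cara Diaz", "ssn": "000-00-0003", "zip": "30309", "dob": "1984-11-02", "gender": "F"},
    {"name": "Dev Patel", "ssn": "000-00-0004", "zip": "30305", "dob": "1991-01-19", "gender": "M"},
    {"name": "Eli Stone", "ssn": "000-00-0005", "zip": "30308", "dob": "1991-09-09", "gender": "M"},
    {"name": "Finn Ward", "ssn": "000-00-0006", "zip": "30312", "dob": "1984-05-05", "gender": "M"},
]
DIRECT = ("name", "ssn")          # identify a person on their own
QUASI = ("zip", "dob", "gender")  # identify a person only in combination

def pseudonymize(record, key):
    """Replace each direct identifier with a keyed HMAC-SHA256 token."""
    out = dict(record)
    for field in DIRECT:
        msg = f"{field}:{record[field]}".encode()
        out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return out

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit zip prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out

def k_anonymity(records):
    """Size of the smallest group sharing one quasi-identifier combination.

    k == 1 means at least one record is unique on zip + dob + gender and
    can be re-identified by joining against a public directory.
    """
    groups = Counter(tuple(r[f] for f in QUASI) for r in records)
    return min(groups.values())

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real key comes from a secrets store
    masked = [pseudonymize(r, key) for r in RECORDS]
    print("k with direct identifiers masked only:", k_anonymity(masked))
    print("k with quasi-identifiers generalized: ",
          k_anonymity([generalize(r) for r in masked]))
```

Masking names and SSNs alone leaves every record unique on its quasi-identifiers (k = 1); only after generalizing zip code and date of birth does each record share its combination with at least one other (k = 2).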

You can also take steps to mitigate your vulnerability to hackers. They include:

  • Being careful about the information you upload to the cloud.
  • Limiting the types of information you share on social media.
  • Locking devices when they’re not in use.
  • Protecting your Social Security number when someone asks for it.
  • Purchasing or browsing financial information only on websites with HTTPS in the URL.
  • Shredding important documents when they’re no longer relevant.
  • Storing your Social Security card and passport in a safe place.
  • Using multi-factor authentication to sign in to websites and applications.
  • Using secure wireless networks, rather than public Wi-Fi.
  • Using virtual private networks (VPNs).
