As the threat of data breaches and hacks remains urgent and enterprise companies strive to protect their data and comply with privacy laws and regulations around Personally Identifiable Information (PII), the question often arises: “What is PII?”
The answer to this question is complex and requires careful consideration, as the U.S. Office of Management and Budget (OMB) emphasizes that the definition of PII is not “anchored to any one single category of information or technology” but instead requires a careful case-by-case assessment of risk.
The U.S. Government Services Administration (GSA) defines PII very broadly as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
This may include basic personal information like name, address, social security number, and date and place of birth, as well as digital information like biometric data and email addresses.
But the definition of PII may also vary slightly based on geographic location, as California and the EU have implemented their own data privacy laws with slightly different yet sophisticated definitions of personal information and personal data respectively.
The California Consumer Privacy act defines personal information as “information that identifies, relates to, or could reasonably be linked with you or your household.” It highlights examples including: records of products purchased, internet browsing history, geolocation data, fingerprints, preferences, and characteristics.
The General Data Protection Regulation (GDPR) of the European Union includes the above examples, but expands the definition of personal data in the EU to include any “online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
However, this is only a small list of what could be considered PII.
Because PII is also about the risks that emerge for an individual to be identified when multiple pieces of information are put together, PII entails a consideration of the ways data that is not currently identifying could become identifying when combined with other information.
It’s important to emphasize that PII is not a laundry list of items. PII is more like a framework for assessing risk and must be considered in the context of a dynamic landscape where threats can be unpredictable and the types of potentially identifying data are continually changing along with technology.
The U.S. National Institute of Standards and Technology (NIST) provides a starting point for answering the question of ‘What data is PII?’, drawing from definitions of PII from OMB Memorandums 07-16 and 06-19.
NIST states that PII is: “(1) Any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Other examples include:
In further seeking to answer the question ‘what data is PII?’, we should consider that, by nature of its broad definition, PII includes data points and information we are familiar with as well as information that we may not have conceived of as potentially personally identifiable yet.
When it comes to understanding what data qualifies as PII, it can range from data and information that has long been understood to be personally identifiable, like Social Security Numbers, to brand new types of PII like keystroke identification, a biometric identifier based on an individual’s unique, personal typing style.
As companies and organizations seek to define and protect PII, it’s normal to ask what PII even means. To understand the meaning of PII, it may help to think of PII as a story of humans in society, and that story begins at birth.
From day one of our lives when we are assigned names and birthdays to adulthood and the accompanying driver’s licenses, credit cards, bank account numbers, and even medical records and photographs of our faces, we have bits and pieces of information associated with our identities that are either partly or entirely unique to us.
As these bits and pieces of information accumulate over time, they have the potential to paint an increasingly detailed picture of who we are, especially in combination or totality.
The more unique the pieces of information are to us as individuals – such as Social Security Numbers – the more sensitive they are in and of themselves. But information that may not immediately seem like PII at first can easily become identifying when combined with other information. For example, a photograph of a face alone may not seem identifying, but when it is combined with a name and a birthday, it could become PII.
The GSA states that “it is important to recognize that information that is not PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other information, could be used to identify an individual (e.g., Social Security Number (SSN), name, date of birth (DOB), home address, personal email).”
As a concept, the meaning of PII is forward-looking and future-focused because it requires considering what could potentially happen that could create new risks for people to be identified. Sometimes what PII entails only becomes known after the fact, which is why it’s so important to be proactive when it comes to securing and protecting PII or potential PII.
Virtru’s end-to-end encryption solutions help you and your teams safeguard PII that needs to be shared: Think spreadsheets containing customer information, patient health records, onboarding documents for new employees, student rosters, and other data. That information needs to be protected at all times, during its entire lifecycle.
You’ll want to consider all the locations where PII is stored and shared, including:
To assess the PII that is stored and shared across your organization, check out our Cross-Department Data Protection Checklist.
To chat with one of our data protection experts about Virtru’s encryption solutions, contact Virtru today to start the conversation.