There is an expression in forensics… “every contact leaves a trace.” In today’s hyper-connected, digital, world, it is difficult, if not impossible, not to leave personal information somewhere online while getting through your day.  Some of this information is generic or anonymous, but much more of it can directly reveal the identity of an individual.

Those identifying details are called Personally Identifiable Information (PII), which is the driving force behind the increasing number of government regulations around data privacy. The more PII we produce, the more complex keeping it safe becomes.

Adding to the complexity, is the terminology used: “Personal Data”, “Personally Identifiable Information” and there is a further classification of “Sensitive Personally Identifiable Information”.

Personally Identifiable Information (PII)

Personally identifiable information, or PII, is information that companies and organizations may hold on individuals that can be tied to the individuals’ identities – either on its own or combined with a limited amount of other data.

This is a term most often used in the US, although there is no single legal document that defines it, rather is found in various Federal or State laws.  The US Office of Privacy and Open Government defines it as…

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

Non-Sensitive Personally Identifiable Information or Linkable Data

It is also referred to “linkable data” as it requires more “pieces of information” together to establish an individual’s identity. Some examples of linkable or non-sensitive PII:

• mother’s maiden name
• partial address, like a country or zip code
• website username
• email address
• IP address

Sensitive Personally Identifiable Information or Linked Data

PII is considered as “sensitive” if its loss, disclosure, or misuse could result in harm, embarrassment, inconvenience, or unfairness to an individual. 

For instance, the following information is considered to be sensitive PII:

• financial information
• medical information
• social insurance number
• health care number
• passport information

Again, despite the wide variety and sensitivity of this information, there is not a single, global definition of what Personally Identifiable Information or what types of information it encompasses. As a result, definitions of PII can differ among organizations and across borders.

Non-Personally Identifiable Information or Linkable Data

Non-personally identifiable information, or non-PII, is is data about a person, or data resulting from their activities, that on its own cannot be used to identify them.

This could be because the information is already anonymous and part of a larger data set (general statistics on product purchases for example, or because it has been anonymized.

Some examples of non-Personally Identifiable Information:

• IP addresses that have been fully or partially masked
• aggregated statistics from the user base for a product or service
• an age range, e.g. 35-44
• gender
• census data 
• data that has been anonymized by encryption, removal of identifying information, or other technique

It Seems Like A Hot Mess

However, despite the wide variety and sensitivity of such information, there is not a single, global definition of Personally Identifiable Information (whether sensitive or not) what types of information it encompasses.

As a result, definitions of PII can differ among organizations and across borders.

Keeping on top of the variety of legislations, terms, and data sources requires specialized expertise and tools.

This post may contain affiliate links. This means we may receive a percentage of the sale in commission. We only recommend products we use ourselves and believe in. Thank you for supporting us!