Whether you’ve heard of the term or not, we all have personally identifiable information, or PII. And since everyone has it, and improperly managing it can pose risks, you should be familiar with what it is and how it impacts your privacy.
In simple terms, PII is any data that can be used to identify an individual. This includes information like a person's full name, Social Security number, date of birth, physical address, email address or phone number. It also includes biometric data like fingerprints or retinal scans and more general information like race, sex or occupation.
PII is collected by organizations ranging from banks and medical offices to government agencies and credit card companies. That data is collected in order for them to provide services and complete transactions (such as loan applications or account setups). While the gathering and use of large amounts of PII has become increasingly common in the digital age, it puts individuals at greater risk for identity theft and fraud.
In this overview, we'll discuss what PII is, its different types and the steps you should take to protect it.
What is considered PII (personally identifiable information)?
While there are varying definitions of PII, the Consumer Financial Protection Bureau defines it as "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." Put another way, PII is any type of data you could use to locate, contact or identify a person. In many cases, you must combine various pieces of data to identify an individual. For example, a name may not be enough to uniquely identify someone unless you combine it with other information like their address, date of birth or Social Security number.
Various laws and regulations exist to protect your PII, like the Health Insurance Portability and Accountability Act (HIPAA) for medical data, the Fair Credit Reporting Act (FCRA) for credit information and the Children’s Online Privacy Protection Act (COPPA) for data collected from children under the age of 13. Aside from these federal U.S. laws, there are also stricter regulations from specific jurisdictions and other countries, like the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). All of these regulations involve strict rules for the collection, storage and use of PII in an attempt to protect individuals’ privacy and security.
Information that isn't considered PII includes data anonymized or aggregated to a point where it no longer identifies an individual. Examples include the average age of customers in a given area, the total number of people that live in a certain ZIP Code or the average salary for a specific occupation. This type of data, known as non-personally identifiable information (non-PII), isn't typically subject to the same data privacy regulations as PII.
Examples of PII Data
While PII can come in various forms, it's generally grouped into two categories: (1) sensitive PII and (2) non-sensitive PII. The distinction matters because the two categories are subject to different levels of data protection and to different rules for how the data may be used. They also differ in what kind of notice is required when the data is collected.
Sensitive PII is any information you could use to identify a person, which if disclosed could result in serious harm or distress. Examples of sensitive PII include:
- Personal financial information (e.g., credit card numbers and bank account information)
- Social Security number and other government-issued identification numbers
- Medical records
- Driver’s license number
- Biometric records (e.g., fingerprints, retinal scans and facial recognition)
- Passport information
- Mailing address
- Password information
- School identification numbers
Sensitive PII faces significant regulation in most jurisdictions and is accompanied by strict rules governing how it must be collected, stored, used and disposed of. Generally speaking, companies must utilize various methods to encrypt and anonymize these personal identifiers when sharing any information about their customers. This helps ensure the data isn't abused in any way and doesn't fall into the wrong hands.
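The anonymization step described above, as an added example that is not part of the original article: a Python routine that masks the sensitive identifiers the list names (Social Security and payment card numbers) in a record before it is shared, while leaving non-sensitive fields such as ZIP Code and date of birth untouched. The regular expressions and the sample record are assumptions chosen for illustration; the Social Security Administration's format rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial) and the Luhn checksum are used to reject look-alike numbers.

```python
import re

# Assumed patterns: SSN written AAA-GG-SSSS; card numbers of 13-19 digits
# with optional spaces or dashes (enough for the sample, not a full PII grammar).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample record: the ZIP Code and date of birth are non-sensitive
# fields and must be left untouched.
SAMPLE = "Jane Doe, SSN 123-45-6789, ZIP 02139, DOB 1985-03-12, card 4111 1111 1111 1111"

def is_valid_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits):
    """Luhn checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_sensitive(text):
    """Return (masked_text, number_of_identifiers_masked)."""
    count = 0

    def ssn_sub(m):
        nonlocal count
        if not is_valid_ssn(*m.groups()):
            return m.group(0)  # shaped like an SSN but cannot be one
        count += 1
        return "***-**-" + m.group(3)

    def card_sub(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # fails the checksum, so leave it alone
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    text = SSN_RE.sub(ssn_sub, text)
    return CARD_RE.sub(card_sub, text), count
```

Masking keeps only the last four digits, which is enough for a customer to recognise their own account without exposing the full identifier.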
Non-sensitive PII is any information that can identify an individual but doesn't result in serious harm if compromised. Examples of non-sensitive PII include:
- Race and ethnicity
- Marital status
- Date or place of birth
- ZIP Code
- IP address
Typically, companies can gather this type of information from public sources, like phonebooks, internet databases and court records. Organizations use this data for demographic analysis and marketing and may also collect and use it to create a better customer experience, like tailored content or product recommendations. Non-sensitive PII isn't regulated as strictly as sensitive PII in most jurisdictions. However, organizations must still ensure they collect and use it in accordance with applicable laws and regulations.
Although non-sensitive PII is much less likely to cause any serious harm to an individual, it can still be used to identify a person when combined with other bits of information. An often-cited U.S. government study found that 87% of Americans can be uniquely identified by just three pieces of non-sensitive PII: ZIP Code, date of birth and gender. With big data becoming increasingly pervasive, the ease with which these pieces of information can be combined to create a robust profile of an individual is increasing.
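The re-identification risk described above, together with the aggregation threshold from the earlier section on non-PII, as an added example that is not part of the original article: a Python script over a constructed dataset that counts how many records are singled out by the combination of ZIP Code, date of birth and sex, then coarsens those fields step by step until every combination is shared by at least k records (the k-anonymity check data custodians run before releasing such data). The records, field names and generalization steps are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample records (no real people); "diagnosis" is the sensitive
# attribute that the three combined quasi-identifiers would expose.
RECORDS = [
    {"zip": "02139", "dob": "1985-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1985-03-12", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1985-07-30", "sex": "F", "diagnosis": "flu"},
    {"zip": "02141", "dob": "1962-11-05", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "dob": "1962-01-19", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02142", "dob": "1988-09-09", "sex": "F", "diagnosis": "migraine"},
]

def generalize(record, level):
    """Quasi-identifier tuple coarsened by `level` (0 = the raw values)."""
    zip_code, dob, sex = record["zip"], record["dob"], record["sex"]
    if level >= 1:  # keep only the 3-digit ZIP prefix and the birth year
        zip_code, dob = zip_code[:3] + "**", dob[:4]
    if level >= 2:  # drop ZIP entirely, bucket the birth year into a decade
        zip_code, dob = "*****", dob[:3] + "0s"
    if level >= 3:  # suppress sex as well
        sex = "*"
    return (zip_code, dob, sex)

def unique_records(records, level=0):
    """How many records are the only one with their quasi-identifier combination."""
    counts = Counter(generalize(r, level) for r in records)
    return sum(1 for r in records if counts[generalize(r, level)] == 1)

def k_anonymity(records, level=0):
    """Size of the smallest group sharing one quasi-identifier combination (k)."""
    counts = Counter(generalize(r, level) for r in records)
    return min(counts.values())

def minimum_level_for_k(records, k):
    """Least generalization at which every record sits in a group of at least k."""
    for level in range(4):
        if k_anonymity(records, level) >= k:
            return level
    return None  # even suppressing all three fields cannot reach k

if __name__ == "__main__":
    for level in range(4):
        print(level, unique_records(RECORDS, level), k_anonymity(RECORDS, level))
```

With the raw values every record is unique; only after the ZIP Code is dropped, the birth date reduced to a decade and sex suppressed does each record share its combination with at least one other.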
PII protection best practices to follow
Just as you wouldn't leave your wallet out in the open, you should keep your PII safe and secure. From encrypting sensitive data and using strong passwords to utilizing the best identity theft protection services, there are a number of steps you can take to actively protect your PII. The following section explores some best practices for personal identifiable information protection.
1. Use strong and unique passwords for accounts containing PII
Ensuring your passwords are strong and unique will go a long way in protecting personal identifiable information. According to guidance from the FBI and the National Institute of Standards and Technology (NIST), password length is generally more important than complexity. This doesn't mean you should only use numbers or the same letter over and over, as those kinds of passwords are easily discovered by hackers. Instead, aim for passwords of at least 15 characters that include a mix of uppercase letters, lowercase letters, numbers and special characters.
2. Enable two-factor authentication for added security
Two-factor authentication (2FA) is a security measure that adds a second step to the identity verification process. In addition to entering your username and password, you'll need to provide another form of verification (e.g., a security code sent to your phone or email). This provides another layer of security that protects your PII and greatly reduces the risk of unauthorized account access.
3. Encrypt sensitive data when storing or transmitting it
Encryption is a way of protecting data by encoding it so only authorized users can access it. Unencrypted data is significantly easier for hackers to access. One widely used application of encryption is HTTPS, the encrypted version of HTTP, the application layer protocol used for accessing websites on the internet. To ensure the security of your sensitive information when entering it online, always check for a padlock icon in the URL bar to verify that it's transmitted over HTTPS.
You should also consider using the best virtual private networks (VPN) to encrypt your data. A VPN encrypts the connection between your device and the internet, which makes it more difficult for an unauthorized person to access your data. It's always advisable to use a secure VPN when using public Wi-Fi and transmitting sensitive information.
4. Regularly update software to address vulnerabilities
Software updates are critical for securing data storage and transmission. As new threats arise, software developers frequently release updates to fix any vulnerabilities in their programs. In order to ensure your PII and other sensitive data is protected, it's best to use the latest version of all your software and utilize an automated patch management system to keep everything up-to-date.
5. Be cautious when sharing PII online or offline
Take caution when sharing sensitive personal information, whether you're doing this online, by phone or in person. Avoid sharing your PII unless it's absolutely necessary and only share it with reliable sources. You should never leave any physical or electronic documents that contain PII in plain sight or within reach of the general public. This includes hard copies like bank statements or tax returns, as well as digital copies like emails or text messages. You may also want to invest in a shredder, which you can use at home to destroy routine documents that contain PII, such as credit card statements and utility bills.
6. Use secure networks and connections when accessing PII
When accessing PII, it's best to use networks and connections you can trust. Try to avoid connecting to public Wi-Fi networks or using unsecured connections when accessing potentially sensitive data. Instead, opt for secure networks and connections that encrypt data in transit. If you really need to use a public network, make sure you’re using a secure VPN to protect your data.
7. Safely dispose of physical documents containing PII
While it may seem far-fetched for someone to rummage through your trash bins, you should still take caution to secure and properly dispose of documents containing PII. Whenever possible, opt to use a secure electronic alternative rather than relying on physical documents. However, when that isn't practical, you should securely shred all physical documents containing PII before disposing of them.
8. Regularly monitor financial statements and credit reports for suspicious activity
To ensure your PII is safe, regularly check your financial statements and credit reports for any suspicious activity. With data breaches and hacking becoming commonplace, even big companies with big budgets for safeguarding data aren't immune. If you notice unusual activity, report it promptly. To find out what to do if your information is found on the dark web or how to lower your risk of identity theft, read our full guide on how to protect yourself online.
9. Use a reputable VPN service when browsing online
There are many VPN services available and it can be confusing trying to select the best one. Experts advise that you should look for the following features when making your choice:
- No logs policy: The VPN service should not log any of your data, including your browsing history, traffic or IP address.
- Strong encryption: The VPN service should use strong encryption to protect your data. Today, the most common encryption algorithm used by VPNs is AES-256. It’s widely considered to be impenetrable with current technology.
- Good track record of security: Reputation counts. Choose a VPN service that has a good track record of security. Avoid those that have been hacked in the past.
- Fast upload and download speeds: You’re less likely to use a VPN that frustrates you because it’s too slow.
- Easy to use: The VPN service should be easy to use, even for novices. If it’s cumbersome to use or difficult to understand, you’re less likely to employ it regularly.
How to remove personal information from the internet
If you're worried about your online privacy or discover that your personal data is at risk, there are a few steps you can take to decrease or almost completely remove your digital presence, including the following:
- Check privacy settings on social media profiles.
- Request people-search sites and other information brokers remove your data.
- Limit the amount of personal info you share online.
- Regularly delete emails, posts and other online content.
- Set up Google Alerts to monitor for unwanted references.
- Use tools like AdBlock and Privacy Badger to help protect your online privacy.
While these steps may not completely eliminate your digital footprint or remove all of your PII from the internet, they can help protect your personal information and reduce the amount of your data available online.
PII vs PHI: What's the difference?
PII and PHI, or protected health information, are two similar but slightly different terms related to your personal data. While PII is information you can use on its own or with other information to identify a single person, PHI is sensitive health information that includes anything related to:
- An individual's past, present or future physical or mental health.
- The provision of health care to an individual.
- The past, present or future payment for the provision of health care to an individual.
Examples of PHI include medical records, test results, medical account numbers and any other identifying data related to a person's physical or mental health. While PII is regulated by the Fair Credit Reporting Act and other state and federal laws, PHI is further protected by HIPAA. This set of regulations provides specific rules and guidelines around the storage, use and sharing of protected health information.
Summary of Money's guide to what PII is
With a seemingly endless stream of news stories about data breaches and identity theft, it’s more important than ever for you to be aware of how your PII is being collected, stored and used. Some of this information has the potential to cause seriously damaging financial or reputational harm if it falls into the wrong hands. From using strong passwords with 2FA enabled to regularly monitoring your accounts for suspicious activity, there are several lines of defense you can put in place to help protect your PII and mitigate damage if it does become compromised. By understanding the difference between sensitive and non-sensitive PII and taking a proactive protective approach, you can rest assured that you’re doing your best to protect your data from being incorrectly used.