What Is Personally Identifiable Information (PII)?

When used alone or in conjunction with other relevant data, personally identifiable information (PII) can be used to identify individuals.

Personally identifiable information may contain direct identifiers that can identify a person uniquely or other sensitive data, such as:

  • Passport Information
  • Home Address
  • Telephone Number
  • Email Address
  • Login Details
  • Internet Protocol Addresses

It may also contain quasi-identifiers, which are indirect and on their own may not be enough to identify an individual, such as:

  • First or last name
    (must be common; otherwise can be used as a direct identifier)
  • Gender
  • Race
  • City
  • Job position
  • Country

Together, one or more quasi-identifiers can be used to recognise a specific individual, so be careful of what your organisation shares.
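To check this before sharing a dataset, count how many records share each combination of quasi-identifier values; a combination held by only one record points to a single person. The following is an added example, not part of the original page: the column names follow the list above, and the records and function names are constructed for illustration.

```python
from collections import Counter

# Quasi-identifier columns taken from the list above.
QUASI_IDENTIFIERS = ("gender", "city", "job_position", "country")

# Constructed sample records (not real people); direct identifiers already removed.
RECORDS = [
    {"gender": "F", "city": "Leeds", "job_position": "Nurse", "country": "UK"},
    {"gender": "F", "city": "Leeds", "job_position": "Nurse", "country": "UK"},
    {"gender": "M", "city": "Leeds", "job_position": "Nurse", "country": "UK"},
    {"gender": "M", "city": "Leeds", "job_position": "Nurse", "country": "UK"},
    {"gender": "F", "city": "Leeds", "job_position": "Surgeon", "country": "UK"},
    {"gender": "M", "city": "York", "job_position": "Nurse", "country": "UK"},
]


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Smallest group size: each record is indistinguishable from k-1 others."""
    sizes = group_sizes(records, columns)
    return min(sizes.values()) if sizes else 0


def risky_records(records, columns, k=2):
    """Records whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] < k]


if __name__ == "__main__":
    # Adding columns shrinks the groups until some records stand alone.
    for cols in (("gender",), ("gender", "city"), QUASI_IDENTIFIERS):
        print(cols, "k =", k_anonymity(RECORDS, cols))
    for r in risky_records(RECORDS, QUASI_IDENTIFIERS):
        print("unique combination, withhold or generalise:", r)
```

Records flagged by `risky_records` are candidates for suppression or for generalising a column (for example, region instead of city) before release.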


What is Personal Data?

Personal data and personally identifiable information are two classifications of data that often cause confusion for companies that collect, store and examine such data.

Personal data is information that is related to an individual. What identifies an individual could be as straightforward as a name, number, or it could include other factors such as an internet protocol address or a cookie.

You need to take into account whether the individual is still identifiable if you cannot directly identify them from that information. All of the means reasonably likely to be used to identify that individual should be considered, along with the information you are processing.

Even if an individual is identified or identifiable, directly or indirectly, from the data you are handling, it is not personal data unless it relates to the individual.

When considering whether information “relates to” an individual, you need to take into account a range of components, including the content of the information, the purpose or purposes for which you are handling it, and the likely impact or effect of that processing on the individual.

If you can distinguish an individual from others, then that person is identified or an identifiable person. Usually, an individual’s name, together with some other information, will be enough to identify them.

GDPR describes related factors as “factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

These factors are characteristics that can be related to a specific person, meaning in theory, you can identify them.

What Laws and Standards Cover Personally Identifiable Information?

Worldwide, many countries have their own laws and standards ensuring that personally identifiable information is protected, such as:

United Kingdom

  • The UK Data Protection Act 2018 (superseded the UK Data Protection Act 1998)
  • Article 8 of the European Convention on Human Rights
  • The UK Regulation of Investigatory Powers Act 2000
  • Employers’ Data Protection Code of Practice


Switzerland

  • The Federal Act on Data Protection 1992


Canada

  • Privacy Act
  • Ontario Freedom of Information and Protection of Privacy Act
  • Personal Information Protection and Electronic Documents Act
  • Ontario Personal Health Information Protection Act

New Zealand

  • The Privacy Act 1993

European Union

European data protection law does not utilise the concept of personally identifiable information, and its scope is instead determined by a non-synonymous, more comprehensive concept of “personal data”.

  • General Data Protection Regulation (GDPR)
  • Article 8 of the European Convention on Human Rights
  • Directive 2002/58/EC (also known as the E-Privacy Directive)
  • Directive 2006/24/EC (also known as the Data Retention Directive)

United States (Federal Laws)

  • The Privacy Act of 1974
  • US ‘Privacy Shield’ Rules
  • Title 18 of the United States Code, section 1028(d)(7)


Australia

  • The Privacy Act 1988


PII Security Controls and the Data Privacy Framework

Businesses can protect sensitive data like payments, personal information, and intellectual property by using a Data Privacy Framework.

How to define sensitive data, how to analyse risks affecting the data, and how to implement controls to secure it are outlined in the legal framework. You can emphasise the most sensitive and valuable data within your organisation by using the Data Protection Framework.

You can use this to create design controls suitable for your organisation’s structure, culture, regulatory requirements, and security budget.

Sensitive vs Non-Sensitive Personally Identifiable Information

Personally identifiable information can be classed as either sensitive or non-sensitive.

Sensitive PII has to be processed and protected differently from other personal information and data because it is susceptible to nefarious actions.

The following includes some identifiers that are sensitive personally identifiable information:

  • Trade union membership
  • Mental health
  • Genetic or biometric data
  • Political beliefs

Non-sensitive PII is classified as information or data that can be transmitted via an unencrypted form without causing harm to the individual in question. The easiest way to visualise non-sensitive information is as data that can be found in public records, phone books and websites. This information can be things such as race, gender, date of birth, etc. By itself, this information is not enough to identify an individual.

When being stored or processed electronically, it’s a good idea to protect sensitive personal identifiable information in transit and at rest with suitable encryption.

Due to this information being publicly available, non-sensitive personally identifiable information may be transmitted or stored in plain text without being harmful to the individual.

How Is PII Used in Identity Theft?

If they get a hold of these identifiers, identity thieves can use personal identifiable information to commit fraud in a person’s name. Criminals can apply for loans or lines of credit, make purchases, drain financial accounts, and more.

Identity thieves can also use your sensitive PII to commit synthetic identity theft. A synthetic identity is created when an identity fraudster combines someone’s personally identifiable information with other people’s information.

Another way criminals can use your personally identifiable information is by selling your sensitive data on the dark web. Here you will find PII such as Netflix passwords all the way to credit card numbers. This information is regularly sold on the internet’s underbelly for financial gain, demonstrating the importance of customer data security.


What Is Protected Health Information?

Another type of personal identifiable information is protected health information (PHI), also known as electronic health information (ePHI). This is any personal information linked to an individual about health status, healthcare provision, payment for healthcare and more. This is always interpreted broadly and mostly includes any part of the patients’ medical records or payment history.

There are various forms of protected health information, the most common being personal health records (PHR). Wearable technology, electronic health records, and mobile applications are examples of other types of PHI. There has been an increase in the number of concerns about the safety and privacy of PHI in recent years.

Frequently Asked Questions

What Is Non-Personal Data?

Non-personal data is part of the overall Data Governance Strategy of a region or country. While personal data falls under Data Protection Legislation such as GDPR, other kinds of data would fall under the scope of Non-personal data regulation.

What Is the Meaning of ‘Relates To’?

You often hear the phrase "relates to" when referring to a particular individual, but usually, it's not so clear. Data that identifies an individual, even without a name associated with it, may be personal data if you are processing it to learn or record something about that individual or where the processing impacts that person. This means the data may "relate to" an individual in a number of different ways.

What Are the User Rights for PII?

More rights and policies have been put in place for citizens to ensure their data is kept secure. There must be a lawful purpose for storing and processing sensitive personal data of a data subject. In relation to GDPR, there needs to be a document of explicit consent from the individual regarding what data is being collected, how long it will take, and what it will be used for. Citizens have a right to request that their information is securely deleted if an organisation that stores personal data does not have the correct processes in place to manage it. Detailed reports of when consent to store data was given, the security precautions in place, and how it is being processed are required by organisations.

Who Is Responsible for Safeguarding PII?

Responsibility for protecting the data does not rest solely with the organisation; it may be shared with the individual owners. There is a possibility that companies may not be legally liable for the PII they hold. Data controllers safeguard data within an organisation, generally with the help of data processors. The common perception is that organisations are responsible for personally identifiable information, so it's widely accepted that it's best practice to secure your customers' PII. One of the most common and cost-effective ways to do this is via a data privacy framework.

What Should You Do if a Data Breach Occurs?

The only thing more terrifying than a data breach is multiple data breaches. If a breach occurs, organisations must report it to the Information Commissioner's Office (ICO). They have to keep a log of the breach and notify customers if it's likely to affect their privacy. Someone other than the data controller may get unauthorised access to personal data during a personal data breach incident. A personal data breach can also materialise if there is unauthorised access within an organisation or if the data controller's own employee accidentally alters or deletes personal data.
