Submitted by on
Home> Guides> Governance> What Is Personally Identifiable Information?

Home > What Is Personally Identifiable Information?

What Is Personally Identifiable Information (PII)?

Personally identifiable information or PII is any data that can identify an individual or distinguish one person from another. It can be used to determine or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. For example, quasi-identifiers do not uniquely identify an individual in and of themselves but can create a unique identifier when combined with other quasi-identifiers.

Taking even simple security steps and being mindful of how personally identifiable information is shared and stored can prevent identity theft.

PII can be labeled as sensitive or non-sensitive. 

Non-sensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to an individual, including bits of data that can be easily gathered from public records, phone directories, corporate directories, and websites. Examples of non-sensitive PII are US Zip Codes, race, gender, date of birth, and religion. By itself, this information could not be used to discern an individual’s identity.

Sensitive PII is information that, when disclosed, could result in harm to an individual. Because this type of sensitive data is often bound by legal, contractual, or ethical requirements for restricted disclosure and protection, it is often encrypted in transit and at rest. Examples of sensitive PII include biometric data, medical information, personally identifiable financial information (PIFI), and unique identifiers, such as passport or US Social Security numbers.

How Identity Thieves Use PII

Identity thieves can use PII to perpetrate all manner of fraud and other crimes. It only takes a few bits of PII for identity thieves to be off and running. The kinds of PII that identity thieves look to steal frequently change, depending on the criminals’ objectives.   

PII is gathered from digital and physical locations. Digital files are sometimes stolen from one or a few individuals’ digital devices. In other cases, massive data breaches result in volumes of PII being stolen from an organization. Physical files also provide a wealth of PII. Examples of PII that can be gathered from physical files include bills, receipts, a physical copy of birth certificates, Social Security cards, or lease information, which can be stolen from homes, offices, or cars. In common parlance, this is often referred to as “dumpster-diving.” 

PII is also bought and sold on the dark web. Examples of PII available on the dark web range from social media credentials and credit card numbers to medical records and application passwords.

Using PII, identity thieves can commit theft and fraud in another person’s name. After pilfering a user’s PII, identity thieves use PII to maliciously:

  • Apply for loans or lines of credit
  • Change a billing address so victims do not know about the fraudulent activities
  • Drain financial accounts 
  • Procure a mobile phone 
  • Make purchases with credit cards
  • Obtain a new driver’s license or official ID 
  • Open a bank account and write bad checks 
  • Steal tax refunds

Protecting Customer and Client PII

PII from customers and clients, as well as other sensitive data, must be protected by systems and processes that organizations continuously collect, store, and distribute. It is also critical that employees, partners, and third-party contractors understand the importance of protecting PII and the potential repercussions of mishandling sensitive data.

The many systems, processes, and solutions for protecting customer and client PII include the following approaches:

  • Destroy or remove old media with sensitive data 
  • Install software, application, and mobile updates as soon as they are available
  • Invest in identity theft protection solutions and programs 
  • Never provide login, personal, or financial information on unsecured sites (i.e., look for HTTPS:// in the URL on your browser)
  • Require two-factor authentication for access
  • Shred any papers with PII or sensitive information  
  • Train users to identify and avoid phishing scams
  • Update account passwords regularly
  • Use secure wireless networks and virtual private networks (VPNs), rather than public Wi-Fi

Vendor Access to PII

Managing vendor access to PII is not very different from internal protocols related to systems access. Vendor access to PII can be handled by structuring processes to mirror internal access policies.

  • Establish processes for how third-party vendors are granted privileged access 
  • Require that the individual granting privileged access have sufficient rights and authority to do so 
  • Ensure that any actions taken with granting/revoking access and usage are auditable and trackable 
  • Grant only the minimum level of access that users need to get their jobs done
  • Implement processes for vendor off-boarding when access is no longer needed
  • Define policies for how vendors are granted access to privileged resources, based on standards set by external governing bodies and data privacy regulations, such as NIST, ISO, PCI-DSS, HIPAA, and GDPR 
  • Have remote vendors use multi-factor authentication

PII Examples

Biometric Data

  • Facial recognition data
  • Fingerprints
  • Full-face photographs
  • Handwriting analysis
  • Retina scans
  • Typing recognition
  • Voice pattern data
  • Voiceprints

Commercial Information

  • Invoices for sales and purchases
  • Marketing records
  • Pre-sales queries
  • Property records

Direct Identifiers

  • Alias
  • Bank account number 
  • Birthplace
  • Credit card number
  • Date of birth
  • Debit card number
  • Driver’s license details
  • Email address
  • Fax number
  • Financial records
  • Home address
  • Image of the subject’s signature
  • Investment account numbers
  • License plate number
  • Maiden name 
  • Mobile phone number
  • Mother’s maiden name
  • Passport information
  • Personal property records
  • Real (i.e. Legal) name
  • Social security number
  • State ID card number
  • Telephone number
  • Vehicle registration
  • Vehicle title
  • (US) Zip Code

Education Information

  • Educational records
  • Grades acquired
  • Grants and scholarships allocated
  • Institutes attended
  • Years attended

Geolocation Data

  • Geolocation data associated with application activity
  • Geotags on files such as photos and videos
  • Images containing identifiable location information, such as pictures of street names
  • Mobile device location history and tracking data

Indirect Identifiers

  • Account names
  • IP addresses
  • References to any records that hold direct identifiers, such as a ticket number or an invoice number
  • Unique identifiers
  • Usernames

Inferred Data

  • Aptitudes 
  • Attitudes
  • Characteristics
  • Intelligence
  • Personal Preferences
  • Psychological trends and predispositions
  • Social and political tendencies

Internet Data

  • App activity
  • Browsing history
  • Cookie preferences
  • Login credentials such as screen names and passwords
  • Matches with marketing personas
  • Search history
  • Website analytics


  • Employer Identification Number (EIN)
  • Employment records
  • Insurance information
  • Military credentials
  • Personnel records
  • Tax information
  • Taxpayer Identification Number (TIN)

Protected Health Information (PHI)

  • Admission and discharge dates
  • Appointment reminders
  • Beneficiary numbers
  • Blood test results
  • Health insurance
  • Health insurance beneficiary numbers
  • Health status
  • Invoices
  • Medical device identifiers and serial numbers
  • Medical histories
  • Medical identification numbers
  • Medical records
  • Mental health records
  • Patient identification number
  • Payment history
  • Test results
  • X-rays

Professional Data

  • Copies of contracts and correspondence
  • Employee ID
  • Evaluations reports (i.e. performance evaluations) 
  • Internal memos that refer to a specific employee
  • Remittance details
  • Salary records

Protected Class Data

  • Age
  • Citizenship status
  • Disability
  • Gender (including details of pregnancy and parental status)
  • Nationality
  • Race
  • Sexual orientation

Why Properly Protecting PII Is Important

Motivated criminals backed with powerful algorithms can make use of any information in their march toward identity theft. Taking even simple security steps and being mindful of how information is shared and stored can prevent identity theft.

When in doubt of whether a bit of information is or could be PII, the default reaction should be to protect it. Even the smallest detail that may seem to be completely useless in terms of identification can support identity theft when used in combination with other information.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 16th February, 2022

Share this Page

Get started with Egnyte.

Request Demo