Privacy Decrypted #7: What is PII?

If you are doing research into data privacy laws, you will eventually come across the terms “personally identifiable information” and “personal data”. We explain what those terms mean, how they are different, and what you can do to protect your PII online.

While they are similar concepts with a great deal of overlap, personally identifiable information (PII) covers a narrower range of data and is the primary focus of data privacy laws in the US, while personal data covers a broader range of data and is the primary focus of the GDPR.

A simple way to keep them straight is remembering that all PII is considered personal data, but not all personal data is considered PII.   

Knowing these terms is important because the data they describe qualify for special protections. Under the GDPR, you can request that an organization delete your personal data from their systems or send you a copy so that you can take it to a different organization. And under data privacy laws in the US, organizations are forbidden from collecting or sharing certain types of PII.

You can also improve your privacy simply by limiting how much PII you share and knowing how to remove or protect what data is already out there. 

What is personally identifiable information?
What is personal data?
How does anonymization affect personal data?
Where could an identity thief access my personal data?
How can I remove my personal data from the internet?

What is personally identifiable information?

This is slightly tricky since what qualifies as “personal data” or “personally identifiable information” can vary depending on which country you live in. We’ll look at how the US defines PII and how the EU defines personal data since those two definitions have the broadest impact on the internet. 

According to the US’s National Institute of Standards and Technology (NIST), PII refers to any information that can be used to distinguish or trace an individual’s identity or any other information that is linked or linkable to an individual. 

A non-exhaustive list of information that can be used to distinguish or trace your identity includes:

  • Personal identification information: Name, Social Security number (in the US), passport number, driver’s license number, or taxpayer identification number 
  • Personal address: home address or email address
  • Personal phone number
  • Protected health information: medical record numbers, medical histories, test results, or health insurance number
  • Financial records: credit or debit card numbers, bank account numbers, or other bank or financial information
  • Photographs: particularly with your face or other identifying characteristics visible
  • Biometric data: fingerprints, retina scans, voice signatures, or facial geometry
  • Identification numbers for objects you own: Vehicle Identification Number (VIN), home or vehicle title number

Linkable information is essentially information that alone cannot identify you but can reveal your identity when combined with other data. Types of linkable data include your:

  • Date of birth
  • Place of birth
  • Mother’s maiden name
  • Business phone number
  • IP addresses
  • Business mailing or email address
  • Race
  • Religion
  • Geographical indicators
  • Employment information
  • Medical information
  • Education information
  • Financial information

In the US, PII is governed at the federal level by the Privacy Act of 1974. As one might expect from legislation from the 1970s, it was not written with the internet in mind and is ambiguous in many situations. More recent laws cover specific portions of PII (HIPAA covers “protected health information”, COPPA covers children’s PII, California’s Consumer Privacy Act covers Californians’ PII, etc.), but there currently is no US equivalent for the EU’s GDPR. 

This piecemeal approach is just one more reason why the US needs new data privacy legislation.

What is personal data?

A commonsense definition of personal data is any information that relates to an identified or identifiable individual that is alive.

If you live in the European Union, the GDPR governs how your personal data can be collected and used. The GDPR explains what it legally considers personal data in Article 4.(1). Its definition is very inclusive and covers any information that relates to a particular person. 

This GDPR instructs regulators to interpret “any information” as broadly as possible, which covers more information than most countries recognize. This means that, according to the GDPR, personal data includes the list of PII above as well as:

  • Trade union membership
  • Genetic information
  • Political opinions
  • Religious and ideological convictions

Persona data can also include innocuous data if it acts as a quasi-identifier. For example, “pepperoni pizza”, on its own is not personal data. However, if it is stored on file as your favorite food, it is personal data. It becomes personal data because of its connection to you.

The context in which a piece of data is being used can affect whether it is considered personal data as well. In this example, assume you are in the background of a landscape photo. If that photo is printed in a private photography book, it is not personal data. However, that same photo in the hands of an investigator could be considered personal data. 

Learn more about what the GDPR considers personal data

How does anonymization affect personal data?

Anonymization is the processing of data so that it cannot be used to directly or indirectly identify an individual. (“Indirectly identify” means you should not be able to combine it with other data to identify an individual.) For data to truly be anonymized, this process must also be irreversible. This process is important because personal data that has been anonymized no longer qualifies as personal data and no longer requires special safeguards under the GDPR or US privacy laws. 

Where could an identity thief access my personal data?

Unfortunately, there are many places where your personal data is accessible online, often without your knowledge. Here are some of the most common places your data can be exposed online.

Social media

This is the obvious place to start. Even if you don’t state outright in your Facebook or Twitter profile what your name, birthday, or address is, an attacker can usually deduce this information by going through your and your friends’ posts. For example, by finding a friend’s photo of you blowing out candles on a cake in front of balloons that say “You’re 30!”, someone can figure out your age, when your birthday is, who your close friends and family are, and whether you prefer chocolate or vanilla icing.

Data brokers

There are dozens of data brokers, like Whitepages, Intelius, and Spokeo, that collect online data on you and combine it with public records and other publicly available datasets. They then sell this data, usually to advertisers, but it is also often available online to anyone with a subscription.

Data breaches

While the amount varies, all companies ask you for some personal information when you sign up or create an online profile. Whatever data you share with them could be exposed if that company or service suffers a data breach.

Phishing attacks

Attackers might also attempt to trick you into revealing personal data with phishing attacks. They typically try to instill a sense of urgency in an attempt to make you respond without thinking, but you can avoid being tricked as long as you are vigilant. If you are ever in doubt, do not share your personal data until you have verified who is on the other end of the email or message you received.

Learn how to prevent phishing attacks

How can I remove my personal data from the internet?

The easiest way to protect your personal data is to not share it in the first place, but this is not the only option. If you want to protect your privacy, you can take steps to limit how much of your personal data is online. 

Delete or lock down your social media accounts

The most secure option is to download your data from Facebook, Instagram, Twitter, Snapchat, TikTok, Linkedin, and any other social media service you use and delete your accounts. However, this is not your only option. All the major social media platforms let you limit who sees your posts and profile. This is an effective alternative if you don’t want to completely remove yourself from social media. 

Delete your profile from data brokers’ websites

Data brokers are legally required to delete your data if you request them to, so that should be your next step. The added benefit here is that this will also remove most of your personal data from Google search results as well. 

Unfortunately, if you do this yourself, you will need to contact each data broker individually. However, this DIY guide will walk you through the opt-out steps for all the most popular data brokers.

Limit how much data you share with online services

You should treat every online service you sign up for as though it might be breached. This means limiting the information you share to the absolute minimum it needs to deliver you the service you want. Simple steps, like deleting a saved credit card number or home address from your profile, can prevent your personal data from being exposed if there is a breach. 

Use services that use strong encryption and have good track records

While it is extremely difficult to definitively prevent all data breaches, companies can take proactive steps to mitigate the damage a breach would do. For example, ProtonMail stores all emails on our servers using zero-access encryption. We encrypt your messages with your public key, and they can only be decrypted with your private key, which we don’t have access to. This means that if we ever suffered a data breach, your messages would remain secure.

This is not an exhaustive list, but taking these four steps will dramatically reduce how much of your personal data is easily accessible online and ultimately improve your privacy.

To protect your personal data and secure your email, try ProtonMail for free. We believe that you should be able to choose what happens to your data. Join us in our fight for an internet where privacy is the default.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.