Personally Identifiable Information

What Does Personally Identifiable Information Mean?

Personally Identifiable Information (PII) is a label used to describe data that directly or indirectly identifies a specific individual.

Examples of PII include names, addresses, biometrics and alphanumeric account numbers.

  • Name — includes full names, maiden names, mother's maiden names, nicknames and aliases.
  • Address — includes street addresses, email addresses, IP addresses and MAC addresses.
  • Biometrics — includes photographs, x-rays and other types of bio-based data such as fingerprints.
  • Alphanumeric account numbers — includes telephone numbers, driver's license numbers, taxpayer IDs, patient IDs, vehicle registration numbers and credit card numbers.

In many parts of the world, personally identifiable data has to be collected, stored and destroyed in accordance with compliance rules and regulations. Because non-PII can easily become PII once additional information is made publicly available and can be linked to it, this type of data should be periodically reviewed to determine whether its IT risk management level has changed.

Risk impact levels (low, medium, high) for PII are subjective and based on the potential harm that inappropriate access, use or disclosure of the personally identifiable information would cause. The likelihood of risk is greatly reduced if an organization minimizes the amount of PII it collects, stores and shares.

Techopedia Explains Personally Identifiable Information

PII breaches can be dangerous to both individuals and businesses. Individuals whose PII is compromised face a higher risk of identity theft. Businesses that allow their customers' PII to be compromised risk losing the public's trust and facing legal repercussions. Because PII is protected by privacy regulations, decisions about what PII to collect or share should be made in consultation with an organization's Chief Privacy Officer (CPO), Data Protection Officer (DPO) and legal team.

In many parts of the world, businesses are responsible for ensuring that their customers' PII is protected by reasonable safeguards. Exposure risks can be contained and minimized by proactively creating an incident response plan for PII breaches. The plan should address how and to whom breaches will be reported, as well as when and how individuals whose PII has been compromised will be notified.

Legal mandates regarding PII can be complex and often change incrementally over time. This is why it is important for an organization to review and update its incident response plans on a regular basis. At a minimum, a plan for protecting PII should ensure the following:

  • PII will only be used by or disclosed to authorized entities.
  • PII will be destroyed at the appropriate time in compliance with regional record retention requirements.
  • Information security controls for protecting PII will be reviewed on a regular schedule.
  • PII in digital formats will be encrypted or obfuscated in some other manner to protect it from cybersecurity threats.
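As an added example (not part of the original definition), the script below obfuscates the PII categories listed above (email, IP and MAC addresses, credit card numbers) in constructed log lines before they are stored or shared. It replaces each value with a keyed HMAC pseudonym, so the same person can still be correlated across lines without the raw value being disclosed, and it uses a Luhn check so that long timestamps or order numbers are not mistaken for card numbers. The key and the sample log line are assumptions made up for the example.

```python
import hashlib
import hmac
import re

# Constructed key for the example only; in practice load it from a secret store
# and rotate it, since anyone holding the key can confirm guesses of the raw value.
PSEUDONYM_KEY = b"example-key-do-not-use"

# Patterns for the address and account-number PII categories named in the definition.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    # 13-19 digits with optional space/dash separators; a candidate only, Luhn decides.
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pseudonym(kind: str, value: str) -> str:
    """Deterministic, keyed token: same input -> same token, but not reversible."""
    tag = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{tag}>"


def scrub(line: str) -> str:
    """Replace every PII match in a log line with its pseudonym."""
    for kind, pattern in PII_PATTERNS.items():
        def repl(m: re.Match) -> str:
            raw = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", raw)):
                return raw      # digit run that is not a card number: leave it
            return pseudonym(kind, raw)
        line = pattern.sub(repl, line)
    return line


# Constructed sample log line (addresses are documentation/test values, not real users).
SAMPLE_LOG = ("2024-05-01 login user=alice@example.com from 203.0.113.7 "
              "mac=00:1A:2B:3C:4D:5E card=4111 1111 1111 1111")

if __name__ == "__main__":
    print(scrub(SAMPLE_LOG))
```

Because the pseudonyms are keyed, the scrubbed log can still be joined on a user across lines, while a reader without the key learns nothing about the raw value.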

Margaret Rouse
Senior Editor

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.