Personally Identifiable Information (PII)
Definition
Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. The term is commonly used in US federal regulations and in information security contexts. PII includes direct identifiers (name, Social Security number, biometric records) that uniquely identify an individual, and indirect identifiers (date of birth, place of birth, mother's maiden name) that can identify an individual when combined with other information. The National Institute of Standards and Technology (NIST) further distinguishes between linked PII (information about or related to an individual that is maintained in a system of records) and linkable PII (information about or related to an individual for which there is a possibility of logical association with other information about that individual). Some regulations also differentiate between sensitive and non-sensitive PII. While PII is the widely used term in the US, the GDPR uses "personal data", which has a broader definition. Understanding what constitutes PII in your organization is crucial for implementing appropriate security controls, breach notification procedures, and privacy safeguards. Different sectors and regulations may define PII differently, so context matters.
Applicable Laws & Regulations
- NIST SP 800-122
- OMB Circular A-130
- Privacy Act of 1974, 5 USC § 552a
- Various Federal Agency Regulations