Directly identifiable data
|“||includes what was once referred to as PII:||”|
In information security and privacy, "personally identifiable information" or "personally identifying information" (PII) is any piece of information which can be used to uniquely identify an individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual, or information that can be used to distinguish or trace the individual's identity. Generally included in this category are an individual's name or another personal identifier, social security number, biometric records, date and place of birth, and mother's maiden name.
Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many website privacy policies specifically address the collection of PII, and lawmakers have enacted legislation to limit the distribution of and accessibility to PII.
A common misconception is that PII only includes data that can be used to directly identify or contact an individual (e.g., name, e-mail address), or personal data that is especially sensitive (e.g., Social Security number, bank account number). The OMB and NIST definition of PII is broader. The definition is also dynamic, and can depend on context. Data elements that may not identify an individual directly (e.g., age, height, birth date) may nonetheless constitute PII if those data elements can be combined, with or without additional data, to identify an individual. In other words, if the data are linked or can be linked ("linkable") to the specific individual, it is potentially PII.
Moreover, what can be personally linked to an individual may depend upon what technology is available to do so. As technology advances, computer programs may scan the Internet with wider scope to create a mosaic of information that may be used to link information to an individual in ways that were not previously possible (this is often referred to as the "mosaic effect").
Sometimes multiple pieces of information, none of which alone is considered PII, might still uniquely identify a person when combined. For example, what if a company employ only one 39-year old female with a residence in Roanoke, Virginia. In that case, the employer, age, gender, and city of residence are not PII elements by themselves, but become PII when they are presented together. This scenario is an example of PII established through indirect inference, while data elements such as a driver's license number constitute PII through direct inference.