Personally Identifiable Information

This non-exhaustive list shows examples of what may be considered personally identifiable information:

  • Name: full names (first, middle, last name), maiden name, mother’s maiden name, alias
  • Addresses: street address, email address
  • Phone numbers: mobile, business, personal
  • Asset information: internet protocol (IP), media access control (MAC)
  • Personal identification number: social security number (SSN), passport number, driver’s license, state identification number, taxpayer identification number, patient identification number, financial account or credit/debit card
  • Personal features: photographic images (that have distinguishing features e.g. show the face), x-rays, fingerprints, retina scan, voice signature
  • Information identifying personally owned property: Vehicle Registration Number

Information can also be linked to identify an individual. This information that can be combined with others to form a person’s identity may also be regarded PII:

  • Date of birth
  • Place of birth
  • Race
  • Religion
  • Weight
  • Activities
  • Geographical location
  • Employment information
  • Medical information
  • Education information
  • Financial information
  • Family members

Additional information considered personal data under GDPR:

  • Ecommerce order ID
  • IP address
  • Cookie ID
  • Location data
  • Data held by a doctor that could uniquely identify an individual
  • Other “online identifiers” such as tools, applications, or devices (like their computer/smartphone)
  • “Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.” – European Commission.

What’s non-PII

  • Information that can’t be used to identify an individual
  • Anonymised data
  • A company registration number

Comentários