What is PII? The Complete Guide to Personally Identifiable Information
Your sales rep pastes a customer contract into a chatbot to get a quick summary. It works. The problem is what else was in that contract. A home address. A phone number. A signature block. Maybe even a Social Security number.

TL;DR
PII stands for Personally Identifiable Information. It is any data that can identify a specific person, either directly (like a Social Security number) or indirectly when combined with other data (like date of birth plus ZIP code). Protecting PII starts with knowing where it lives, limiting who can access it, and keeping it from leaving your systems in places you cannot audit, including employee use of AI tools.
What does PII stand for?
PII stands for Personally Identifiable Information. In plain English, it means information that can be used to figure out who a person is.
Sometimes it is obvious. A Social Security number points to one person. So does a passport number. Other times, it is about combination. One data point might not identify someone by itself, but two or three together can narrow it down to a single individual.
PII definition
A useful working definition is this:
PII is any data that identifies a person, or can identify a person when combined with other data.
How NIST describes PII
The U.S. National Institute of Standards and Technology (NIST) uses a broad, security-friendly view (NIST SP 800-122): information is PII if it can be used to distinguish or trace a person's identity, either alone or when linked or linkable to other information about that person.
That framing matters because it matches real risk. Attackers and scammers do not need one perfect identifier. They need enough details to impersonate someone, reset an account, or commit fraud.
Why the acronym matters in compliance
Different laws use different terms. You will see:
- PII in security programs, vendor policies, and U.S. guidance
- Personal data in GDPR
- Personal information and sensitive personal information in California privacy rules (CCPA/CPRA)
- PHI in HIPAA
The labels differ, but the day to day work is similar: identify sensitive data, restrict access, prevent unnecessary sharing, and keep evidence for audits.
What is considered PII?
PII usually falls into two practical categories: direct identifiers and indirect identifiers. You need both in your policy, because most real exposure incidents involve indirect identifiers that did not look sensitive at first.
Category 1: Direct identifiers
Direct identifiers are data points that can identify a person on their own, or very close to it. These are the items your team already treats as sensitive.
- Social Security numbers and tax IDs
- Driver's license and passport numbers
- Biometric identifiers (depending on how they are stored and used)
- Account credentials (usernames and passwords together)
Category 2: Indirect identifiers
Indirect identifiers are data points that become identifying when combined with other data. Individually, they can look harmless. Together, they are often enough to pinpoint a person.
- Date of birth plus ZIP code
- Employer plus job title plus city
- Device ID plus location history
Linked vs linkable information
Another helpful distinction is linked vs linkable.
- Linked means the data is already tied to a person in your systems, like a customer record with a name and address.
- Linkable means the data can be tied to a person with additional context, like a unique device ID that becomes identifying once it is associated with an account.
Key point: PII is not just a list of fields. It is a relationship between data and identifiability. That is why "PII detection" is not only pattern matching for Social Security numbers. It is also understanding context.
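To make the indirect-identifier point concrete, here is an added example (not from the original page, and not any vendor's code) that measures how many people a combination of fields singles out. The six-record dataset is constructed and fictional; the field names and the helper names (`k_anonymity`, `singled_out`, `riskiest_combinations`) are this example's own choices. It goes slightly beyond the page's "date of birth plus ZIP" case by scanning every combination of up to three columns, which is the check a practitioner would actually run over an export before sharing it.

```python
from collections import Counter
from itertools import combinations

# Constructed sample export (fictional people, not real data). No single column
# below identifies anyone on its own; combinations are a different story.
RECORDS = [
    {"dob": "1984-03-12", "zip": "94105", "employer": "Acme",   "title": "Engineer", "city": "SF"},
    {"dob": "1984-03-12", "zip": "94110", "employer": "Acme",   "title": "Engineer", "city": "SF"},
    {"dob": "1990-07-01", "zip": "94105", "employer": "Acme",   "title": "Analyst",  "city": "SF"},
    {"dob": "1990-07-01", "zip": "94110", "employer": "Globex", "title": "Analyst",  "city": "SF"},
    {"dob": "1975-11-30", "zip": "10001", "employer": "Globex", "title": "Engineer", "city": "NYC"},
    {"dob": "1975-11-30", "zip": "10001", "employer": "Globex", "title": "Analyst",  "city": "NYC"},
]
FIELDS = ["dob", "zip", "employer", "title", "city"]


def equivalence_classes(records, fields):
    """Group records by their values in `fields`; return {value_tuple: count}."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group sharing the same values in `fields`.
    k == 1 means the combination singles out at least one person."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def singled_out(records, fields):
    """Number of records whose combination of `fields` is unique in the dataset."""
    return sum(1 for n in equivalence_classes(records, fields).values() if n == 1)


def singling_out_rate(records, fields):
    """Fraction of records uniquely identified by `fields`."""
    return singled_out(records, fields) / len(records) if records else 0.0


def riskiest_combinations(records, candidate_fields, max_size=3):
    """Every combination of up to `max_size` fields that uniquely identifies
    someone, as (fields, count) pairs, most identifying first."""
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidate_fields, size):
            n = singled_out(records, combo)
            if n:
                found.append((combo, n))
    found.sort(key=lambda item: (-item[1], len(item[0]), item[0]))
    return found


if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:9} alone: k={k_anonymity(RECORDS, [f])}, singled out={singled_out(RECORDS, [f])}")
    for combo, n in riskiest_combinations(RECORDS, FIELDS):
        print(f"{'+'.join(combo):24} singles out {n} of {len(RECORDS)}")
```

Run against this sample, every column on its own has k=2 or better and singles out nobody, while date of birth plus ZIP uniquely identifies four of the six records, and employer plus title plus city does the same. That is the property a field-by-field "is this column PII?" review misses, and why a classification standard needs to say something about combinations, not only about individual fields.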
18 common examples of PII (with categories)
If you are building a policy, training content, or a data classification standard, you need concrete examples. The list below is a practical starting point for most teams.

| # | PII example | Category | Why it matters |
|---|---|---|---|
| 1 | Full name | Identity | Often the glue that links other data to a person |
| 2 | Social Security number | Government ID | High risk for identity theft and fraud |
| 3 | Driver's license number | Government ID | Common in verification and background checks |
| 4 | Passport number | Government ID | Used for travel, verification, and identity proofing |
| 5 | Tax ID (TIN) | Government ID | Used in payroll and financial reporting |
| 6 | Home address | Contact | Used for impersonation, doxxing, and account takeover |
| 7 | Email address | Contact | Key to phishing and password resets |
| 8 | Phone number | Contact | Used for SIM swaps, phishing, and verification bypass |
| 9 | Date of birth | Profile | Common identity verification factor |
| 10 | Place of birth | Profile | Often used in verification workflows |
| 11 | Bank account number | Financial | Direct path to fraud and unauthorized transfers |
| 12 | Credit/debit card number | Financial | High fraud risk; regulated separately under PCI DSS |
| 13 | Account credentials | Access | Immediate account takeover risk |
| 14 | Security question answers | Access | Often reused and easy to exploit when leaked |
| 15 | Biometric identifiers | Biometric | Not changeable if compromised |
| 16 | Employee/student ID | Work/education | Often maps directly to internal accounts and access |
| 17 | Online identifiers | Digital | Can track and single out individuals across systems |
| 18 | IP address | Digital | Can identify or help single out a person with context |
Sensitive vs non-sensitive PII
You will sometimes hear teams split PII into sensitive and non-sensitive categories. That can be useful, as long as it does not turn into a permission slip to be careless with "non-sensitive" data.
What "sensitive PII" usually means
Sensitive PII is information that creates a higher risk of harm if exposed. Think fraud, identity theft, or direct financial loss.
- Social Security numbers and tax IDs
- Driver's license and passport numbers
- Bank account and payment card numbers
- Biometric identifiers
- Account credentials
What "non-sensitive PII" usually means
Non-sensitive PII is often basic contact or profile data. It can still cause harm when exposed, but it is usually lower risk by itself.
- Business contact information in a public directory
- Work email addresses (depending on context)
- Job titles
Practical tip: Risk changes with context. A work email address in a public press release is one thing. A work email address in a list of customers for a sensitive product is another.
PII under different laws and frameworks
There is no single global definition of PII that fits every rule. Most teams operate under multiple privacy obligations at once, and the same dataset can fall under different labels depending on who holds it and why.
GDPR: "personal data"
GDPR uses the term personal data, defined in Article 4(1) as any information relating to an identified or identifiable natural person. Identifiability is judged by the means reasonably likely to be used, so online identifiers such as cookie IDs, device IDs, and IP addresses count as personal data when they can single a person out.
California privacy rules
California privacy rules (the CCPA as amended by the CPRA) focus on personal information, which is generally information that identifies, relates to, describes, or can reasonably be linked to a consumer or household. The CPRA added a separate "sensitive personal information" category (for example Social Security numbers, precise geolocation, and account credentials) that carries extra obligations.
HIPAA: PII vs PHI
HIPAA uses the term Protected Health Information (PHI): individually identifiable health information created, received, stored, or transmitted by a covered entity (health plans, clearinghouses, most providers) or its business associates. The same health-related detail outside that context, such as a step count in a consumer fitness app, is not PHI, even though it may still be personal data under other laws.
PII vs PHI vs sensitive personal information

| Term | What it means | Where it is used | Practical note |
|---|---|---|---|
| PII | Data that identifies a person directly, or can identify them when combined with other data | Security programs, U.S. guidance, vendor policies | Best used as a risk category, not a rigid list |
| PHI | Health information tied to an individual, in regulated healthcare contexts | HIPAA compliance and healthcare workflows | Depends on healthcare context and who holds the data |
| Sensitive personal information | A subset of personal information treated as higher risk | Some privacy laws and privacy programs | Useful for setting stricter controls and approvals |
How to protect PII in your team

Protecting PII is not one tool and it is not one policy. It is a set of habits and controls that keep sensitive data from wandering into places you cannot see.
1) Start with an inventory
Most teams think they know where personal data lives. They are usually half right. Start by mapping where PII enters your systems, where it is stored, and where it exits.
2) Collect less and keep it for less time
The safest PII is the PII you do not store. Every extra field collected "just in case" becomes a liability you have to protect and explain.
3) Control access
Use least privilege and role-based access. Require multi-factor authentication on systems with PII. Log access to sensitive records.
4) Protect data in transit and at rest
Encryption is not a silver bullet, but it is still foundational. Use TLS for data moving between systems and encryption at rest for stored data, and keep the keys separate from the data they protect: a database dump that ships with its own decryption key protects nothing.
5) Use masking and redaction
Encryption protects data nobody is looking at. It does not help when your team needs to view or use the data, because at that point it has been decrypted. That is where masking and redaction matter. Masking replaces a sensitive value with a safer stand-in, such as showing only the last four digits or substituting a placeholder token that your systems can map back to the original. Redaction removes or blacks out the sensitive content outright, with no way back.
6) Catch leaks at exit points
The highest risk exit points today are email, file sharing, support tools, browser-based AI tools, and copy/paste into third-party systems.
7) Train for normal mistakes
Most exposure is not a hacker story. It is a workflow story. Training works best when it is specific: what data can go into a chatbot, how to use approved templates, when to ask for help.
8) Manage vendors
If a vendor processes personal data, they are part of your risk surface. That includes AI tools, meeting transcription tools, CRM add-ons, and browser extensions.
9) Prepare for incidents
You need a plan that answers: How do we find out what happened? How do we stop it from continuing? Who needs to know, and when?
PII in the age of AI
AI tools did not create PII risk. They changed the speed and the path of exposure. Copy and paste used to be internal. Now it can be external in one step.
Where PII enters AI prompts
Most PII exposure through AI happens in normal work: summarizing customer emails, drafting responses to complaints, cleaning up spreadsheets, writing performance reviews, or debugging logs that include customer details.
What can go wrong
When personal data is pasted into an external AI tool, risks include loss of visibility (no audit trail), retention uncertainty, access expansion (more people/systems have access), and data mixing.
A simple rule for your team
If you would not put it in an email to a stranger, do not paste it into an AI tool. Use approved workflows that remove personal details first.
How to use AI without sending PII
There are three approaches that work in real teams:
- Use placeholders instead of real data. Your team usually does not need the exact Social Security number. They need structure and context.
- Redact or mask before the data leaves. Add a filter between your team and the AI tool, so sensitive data is caught before it leaves. SecuredAI can detect and mask sensitive data automatically.
- Make "approved AI" easy. Shadow tools spread when the official option is slow or frustrating. Give your team a short list of approved tools with clear rules.
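Here is an added example (not from the original page, and not SecuredAI's own code) of the placeholder-and-mask approach described in the list above, and of the point made earlier that PII detection is context, not just pattern matching. It is a small filter that sits between a user and an external AI tool: it swaps detected identifiers for stable placeholders, keeps the mapping on your side of the boundary, and puts the real values back into the tool's response. The regex patterns, the Luhn check, the placeholder format (`[SSN_1]`), and the helper names are this example's own choices; the sample text is constructed and uses a fictional customer and the Visa test number. The SSN pattern encodes the Social Security Administration's structural rules (no 000, 666, or 900-999 area number; no 00 group; no 0000 serial), and card candidates only count when they pass the Luhn checksum, which is what keeps order and tracking numbers from being masked as payment cards.

```python
import re
from dataclasses import dataclass, field

# Candidate patterns for direct identifiers that commonly ride along in pasted
# text. Order matters: the card pattern runs first so a masked card number can
# never be re-matched as a phone number later in the pass.
PATTERNS = [
    ("CARD",  re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),            # 13-19 digits; Luhn decides
    ("SSN",   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits. Real card numbers pass; most order and
    tracking numbers of the same length do not, so they are left alone."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Context checks that turn a regex hit into a finding. The SSN pattern already
# encodes SSA structure (no 000/666/9xx area, no 00 group, no 0000 serial).
VALIDATORS = {"CARD": luhn_ok}


@dataclass
class MaskResult:
    text: str                                    # safe to send to an external tool
    mapping: dict = field(default_factory=dict)  # placeholder -> original, kept internally


def mask(text: str) -> MaskResult:
    """Replace detected identifiers with stable placeholders such as [SSN_1].
    The same value always gets the same placeholder, so the model can still
    reason about 'the customer's email' across the whole document."""
    placeholders = {}          # placeholder -> original value
    seen = {}                  # (kind, value) -> placeholder
    counters = {kind: 0 for kind, _ in PATTERNS}

    def substitute(kind):
        def _sub(match):
            value = match.group(0)
            check = VALIDATORS.get(kind)
            if check and not check(value):
                return value   # looks like the type, but context says it is not
            key = (kind, value)
            if key not in seen:
                counters[kind] += 1
                seen[key] = f"[{kind}_{counters[kind]}]"
                placeholders[seen[key]] = value
            return seen[key]
        return _sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(substitute(kind), text)
    return MaskResult(text=text, mapping=placeholders)


def rehydrate(text: str, mapping: dict) -> str:
    """Put the original values back into a response that echoed the placeholders.
    This runs on your side of the boundary; the mapping never leaves."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


# Constructed sample (fictional customer, Visa test number, made-up references).
SAMPLE = (
    "Customer Jane Doe (jane.doe@example.com, 555-867-5309) signed on 2024-03-15.\n"
    "SSN on file: 123-45-6789. Card used: 4111 1111 1111 1111.\n"
    "Order reference 000-55-1234, tracking 1234 5678 9012 3456.\n"
    "Escalation contact: jane.doe@example.com"
)

if __name__ == "__main__":
    result = mask(SAMPLE)
    print(result.text)
    print(result.mapping)
    print(rehydrate("Draft sent to [EMAIL_1]; verify [SSN_1] before release.", result.mapping))
```

On the sample, the email, phone, SSN, and card are replaced, the repeated email gets the same `[EMAIL_1]` both times, and the order reference (invalid SSN structure) and the tracking number (fails Luhn) are left untouched. Two caveats a practitioner should keep in mind: a Luhn check still passes about one in ten random digit strings of card length, so a production filter should add issuer-prefix and length rules; and nothing here catches "Jane Doe" or a street address, because names and addresses have no fixed shape. That is exactly the context problem the page describes, and it is where dictionary lookups or a named-entity model have to supplement the regexes.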
Protect PII in your AI workflows
Secured AI automatically detects and masks sensitive data before it reaches AI systems, keeping your team productive and your data protected.
