What is personally identifiable information?
As your organization collaborates, creates, and solves problems, you work with data of all sorts. You receive, use, store, and transmit data, and you need advanced tools for keeping it secure — especially if that data is personally identifiable information (PII).
Before you can safeguard your PII responsibly, you need to know what it is and why it's so essential to secure. That's why we've created this comprehensive guide to PII and its protection.
What is PII?
"Personally identifiable information" is legal terminology with a few formal definitions in different security contexts. Generally, PII is information that provides essential clues about a person's identity.
Unauthorized individuals looking at PII information would easily be able to tell who it belongs to. They could identify or locate those people or distinguish them within a particular context. The connection between the information and the person can be direct or indirect — as long it's enough for the data to point back to the person in any way.
Understanding PII helps your company better address its responsibilities surrounding the data it stores and works with. It lets you give clients protection and peace of mind, and it enables you to comply with relevant data privacy laws.
PII and privacy legislation
PII requires relatively strict handling protocols, especially if it is sensitive PII whose disclosure could cause harm to the person identified. Compromised PII puts people's physical and financial safety in jeopardy.
To protect people and their personal data, many countries have enacted legislation that defines PII and regulates safeguards for it. Countries have slightly varying definitions of personal information. Still, they all tend to define PII as identifying information, and they enforce rules about its protection.
Identifying PII that poses a privacy breach is sometimes a matter of context. It often depends on whether the PII data is also sensitive. And PII that counts as sensitive information in one scenario may not count as sensitive in another.
For example, a list of people who attended a volunteer orientation at the local food pantry is PII because it identifies individuals. It isn't usually sensitive data, though, because it doesn't provide essential personal information. On the other hand, a list of people who received a vaccine at the local clinic is both PII and sensitive information. It provides identifying information about the individuals and their confidential medical history. A leak or breach of this data would be a reportable privacy incident.
PII in the United States
The organization that governs PII in the United States is the National Institute of Standards and Technology (NIST). Its publication on PII, "Guide to Protecting the Confidentiality of Personally Identifiable Information," defines PII as information that could be used to trace or distinguish a person's identity. Information like a person's legal name, Social Security number (SSN), and biometric data falls into this category.
NIST guidelines are recommendations rather than laws. No single federal regulation governs the security and privacy of PII. Instead, a patchwork of state and federal laws provides certain protections in different areas.
For example, the Federal Trade Commission Act (FTC Act) prohibits deceptive and unfair practices in PII collection, handling, use, and disclosure during trade. The Gramm-Leach-Bliley Act (GBLA) regulates PII in the financial sector. The Health Insurance Portability and Accountability Act (HIPAA) protects PII in the health care field from fraud, theft, and unauthorized disclosures. The Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) govern electronic communications and prevent unauthorized computer use as it pertains to PII.
Other federal laws, as well as numerous state and local laws, provide additional PII protections. California and Massachusetts have passed particularly stringent data privacy laws.
PII in the European Union
The European Union (EU) initially implemented the Data Protection Directive (DPD), Directive 95/46/EC, to protect PII. It defined PII, known in the EU as "personal data," as data that could identify an individual through an ID number or factors pertaining to any of these aspects of the person's identity:
Since 2019, the General Data Protection Regulation (GDPR), one of the strictest data security and privacy laws worldwide, has replaced the Data Protection Directive. It integrates personal data privacy laws across Europe. It builds on the primary tenets of the DPD, mandating more specific data protection requirements, enabling more robust enforcement, imposing stiffer penalties, and expanding the scope of its PII regulation globally.
PII in Australia
Australia's Privacy Act of 1988 is the main piece of legislation that protects PII. Its protections address the collection, storage, use, and disclosure of PII in the private and federal public sectors.
The Privacy Act defines personal information much more broadly than most other countries do. It classifies PII as information or even an opinion, true or untrue, that could directly identify an individual or from which the person's identity could reasonably be determined.
The Privacy Act includes 13 Australian Privacy Principles (APPs) that apply to most federal agencies and many private sector organizations. It also regulates PII in tax filing, consumer credit reporting, and health care.
PII in New Zealand
New Zealand's Privacy Act 2020 addresses "personal information" instead of calling it PII. It defines personal information as information about an identifiable individual. Names, contact information, health records, financial data, and purchase records all fall into this category.
The Privacy Act provides specific rules for protecting personal information and defines the responsibilities of organizations handling that information. In New Zealand, for example, consumers have the right to know what personal information organizations have from them and correct that information if it's wrong.
PII in Canada
In Canada, PII falls under the domain of the Personal Information Protection and Electronic Documents Act (PIPEDA). This act and the related Privacy Act define "personal information" as any data that could identify a person, either on its own or combined with other data.
PIPEDA applies to private sector organizations that engage in commercial activities, while the Privacy Act applies to federal government agencies. Individual Canadian provinces also have private sector information privacy laws, as well as rules governing the collection and use of personal health care information.
What is considered PII?
Most countries that define and regulate personal information have specific criteria for what constitutes PII. Information is generally considered PII if it is enough to identify the person it belongs to. Certain types of records, identification numbers, and other unique metrics often fall into the category of PII.
What are some examples of PII?
Here are some pieces of information that generally qualify as PII:
- Address information
- ID numbers, like driver's license numbers or SSNs
- Records, like medical or criminal history records
Any of these pieces of information would be enough to pinpoint a specific person. SSNs and driver's license numbers are unique. Biometrics — that is, unique physical characteristics like fingerprints, retinal patterns, and DNA — are unique as well. Medical, financial, and criminal records often contain enough specific information to identify individuals.
In the United States, the NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information categorizes several different types of information as PII:
- Full name
- Maiden name
- Date and place of birth
- Home address
- Email address
- Phone number
- Taxpayer ID number
- Driver's license
- License plate number
- Credit card numbers
- Financial account numbers
- Digital identity
- Login ID
- Screen name
- Photographic image
- Genetic information
- Voice signature
- Other biometric information
- Medical records
- Educational records
- Financial records
PII may also take the form of "pseudo-identifiers" or "quasi-identifiers." These pieces of information do not identify a person directly. Still, taken together with other information, they help identify the person. For example, one study sponsored by Carnegie Mellon University and the U.S. Census Bureau found that a combination of place of residence, date of birth, and gender is enough to identify 53% of the U.S. population.
Pseudo-identifiers are a more common legislative consideration in Europe than they are in the United States. U.S. laws do not generally consider them, but European laws often treat them as PII.
Who bears responsibility for protecting PII?
Responsibility for protecting PII is often shared, which can make it a complicated subject. Both your organization and individual data owners bear some responsibility for safeguarding PII.
However, public perception is often different. Consumers tend to believe companies are solely responsible for protecting their personal data. Over three-quarters of U.S. consumers report they would stop engaging online with a brand that had experienced a data breach. A third of consumers would stop engaging entirely.
Given consumers' risk aversion, your company will want to take proactive steps to safeguard consumer PII.
Creating a data privacy framework
How should you shoulder your portion of the responsibility to protect consumer data? And how can you give your customers valuable peace of mind about their PII security? One of the best ways is to develop a robust data privacy framework.
This conceptual framework gives your business a way to protect PII, along with other sensitive transactions like payments. A data privacy framework achieves goals like these:
- Defines PII in the context of your business
- Enables you to analyze risks to PII
- Provides a path toward implementing the most effective protection for your PII
Some jurisdictions and industries already have comprehensive, established data privacy frameworks. The EU's GDPR is one of the most famous, rigorous, and extensive examples.
An example of an industry-specific data privacy framework in the United States is the set of Payment Card Industry Data Security Standards (PCI DSS). These standards establish the technical and operational requirements for companies that handle credit card transactions. They also set rules for the equipment manufacturers and software developers who produce platforms or devices for those transactions.
However, your location or industry may not have an overarching data privacy framework to follow. Even if you do, you may feel your company would benefit from a more tailored framework. You can benefit from developing a custom framework in these cases, which helps with tasks like:
- Identifying your most sensitive or vulnerable data
- Designing the most effective safeguards for your organizational structure
- Tailoring your PI protections to your industry regulations and budget requirements
Let's take a closer look at some of the critical steps of creating a data privacy framework for your company.
1. Classifying your PII
The first step in developing a data privacy framework is to evaluate and classify the data you handle. Under the NIST's guidelines, every piece of data has a confidentiality impact level, or the level of harm its improper disclosure could cause. Assess whether each piece of information has a PII confidentiality impact level that is low, moderate, or high.
The potential impact is low if the loss of confidentiality could cause minor harm, including minor financial losses. It's moderate if the loss of confidentiality could cause serious but non-life-threatening harm, including significant financial losses. It's high if the loss of confidentiality could cause severe or catastrophic harm, including catastrophic financial losses, life-threatening injuries, or loss of life.
For each type of PII, you'll also want to make determinations like:
- The level of security it requires
- How severe the ramifications would be if the data became corrupted or lost
- How critical the constant availability of the data will be
- What level of consent individuals have provided about the use of their data
2. Assessing your PII
The next step is to assess each type of PII. That way, you can figure out its essential characteristics and security requirements. You'll want to evaluate your data to determine critical factors like:
- How you collect it
- Where you store it
- How you dispose of it
- What security risks are most applicable to it
Once you've assessed your PII in this way, you'll have more concrete information to guide the development of your privacy framework.
3. Developing a compliance environment
The next step after assessment is to develop the right compliance environment for your company and its PII. The right compliance environment will depend on your PII, your industry and the laws governing it, and your business locations. Be sure to consider factors like:
- The laws about PII compliance in all jurisdictions — different states or countries, for example — in which you do business
- The voluntary industry standards, like the PCI DSS, that you should comply with
- Your responsibilities in terms of third-party services, like cloud storage platforms, and their PII protections
The protocols you develop for your PII can help you avoid penalties and breaches and help you retain consumer trust.
4. Implementing security controls
Once you've made your assessments and facilitated the right compliance environment, start putting robust security controls in place. Doing sufficient research ahead of time helps you ensure you have the proper controls for effective, comprehensive PII protection.
Your data privacy framework will instruct you in what controls you put in place. You may want to consider standard controls in areas of PII protection like:
- Data loss prevention: Be sure to implement safeguards that track your sensitive data and identify activity that might indicate a security breach
- Change management: These controls help you monitor changes that might indicate a breach, like user account additions or deletions
- Access constraints: You'll want to implement systems that act as barriers to prevent PII access by unauthorized users or users who might have a conflict of interest
- Data masking: Data masking allows you to provide only the essential details of your PII for each use, with extraneous details omitted to thwart personal identification
- Sensitive access tracking: These controls let you monitor all access to your sensitive data, receive alerts about unusual activity, and deter potential breaches
- Privileged access tracking: Like sensitive access tracking controls, these controls let you monitor privileged access to PII — especially newly authorized access — receive alerts about unusual activity, and deter potential breaches
- Secure audit trail archives: Your company may want a system for retaining records of any PII access for several years in case investigations of security incidents become necessary
- User tracking capabilities: These controls help distinguish between activities performed by different users so you can identify noncompliant use of PII, user account compromise, or malicious behavior
- User rights management: You may also need a system for evaluating and modifying user rights — for example, by revoking PII access on unused accounts
Organizations like the NIST also advise that you protect PII by collecting, using, and storing only what is necessary. You should also protect your PII by reviewing your stored data periodically to determine what you still need and what you can safely purge.
How Box helps with data privacy
Figuring out how to develop and implement an adequate data privacy framework may seem like a challenge. That's where Box steps in to help.
The Box Content Cloud provides secure, effective, intuitive cloud content management (CCM) capabilities. It works for just about every line of business, across a wide range of industries. Whether you need collaboration support for data rooms in finance or clinical trials in medicine, Box gives you the tools you need to enhance teamwork, cut costs, and boost efficiency, all while safeguarding your PII.
Data security is one of the advantages that distinguishes the Content Cloud as a CCM solution. We offer enterprise-grade security and compliance management, so you'll know your sensitive data is safe and protected. Our cloud-native approach to security and collaboration means you'll get robust data privacy protections tailored specifically for cloud platforms like ours.
We provide these protections through the Box Shield platform, which complements your existing security by offering some of the most sophisticated, intelligent cloud security possible to protect your data at scale. Box Shield automatically classifies your content according to your data protection policies, and it enables manual classification, as well. It offers robust controls that let you configure access policies easily to prevent leaks, all while powering an intuitive, enjoyable user experience.
Here are some of the specific features and functionalities Box Shield provides:
- Assistance with defining and managing your security classifications
- Sophisticated malware detection
- Automatic restriction of downloads and file sharing
- Immediate detection of suspicious downloading behavior
- Access to an easy-to-use Admin Console for viewing alerts and further details
- Ability to enforce rigorous classification-based controls across Box and throughout third-party integrations
- Immediate detection of content access from anomalous locations or sessions
- Option to forward any alerts to your security information and event management (SIEM) team or cloud access security broker (CASB) for more comprehensive review
Box Shield also deploys advanced machine learning to help your teams detect and respond to data leaks, compromised accounts, and malicious attacks in real time. View up-to-the-minute alerts in the Box Shield platform, or integrate Box Shield easily with your existing systems for additional analysis.
Box Shield gives you valuable peace of mind about your PII security. It lets you assure your clients of your compliance with data privacy laws and the comprehensive protection of their personal data, making them feel more confident in working with you.
Frictionless, intelligent data privacy from Box
Collaboration is easier in the Content Cloud. For an unparalleled CCM platform with robust information privacy protection, choose Box.
Our powerful, secure, user-friendly platform enables you to manage the entire content lifecycle in the cloud, from file creation to editing, classification, and storage. We provide a centralized place to speed up work and protect your information with cloud-native security. Our solution also offers full GDPR compliance to protect your clients in the EU and beyond.
Safeguard your content, bring people together, and empower your teams. Contact us today to learn more about the Content Cloud.
Get one centralized place to speed up work and protect your information with cloud-native security
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.