The ultimate guide to Personal Data, Personal Information, Personally Identifiable Information and Sensitive information

Organizations need to embed privacy into their systems and processes to gain an advantage and gain customer trust. But first, they need to understand the sensitive data they have, and how to classify it. This means they need to learn to separate their PI from their PII. This guide explains the differences between each of these terms.

Belinda Walsh

Written by

Belinda Walsh

Reviewed by

Share on Social Media
February 10, 2023
The ultimate guide to Personal Data, Personal Information, Personally Identifiable Information and Sensitive information

Finding it hard to keep up with this fast-paced industry?

Subscribe to FILED Newsletter.  
Your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

In the case of a data breach, organizations who have mishandled or improperly retained their customers' personal information can find themselves in a precarious position. If they have failed to identify the personal information they hold on their customers, they may lack visibility into the scale of the damage. If they haven't had data minimization strategies in place, a greater number of current and former customers can be affected. 

When organizations have poor data management practices, their customers' data privacy is often an afterthought, rather than adopting a proactive framework where privacy is built into systems, technologies, policies, and processes. Such an approach is often referred to as Privacy by Design.

A key part of such an approach is to understand the sensitive data you have, so a level of knowledge about the types of data and the terminology used is a must. This post will help build that baseline knowledge, by outlining what the terms mean both in general and for specific legislation. 

Before we do that, let's take a quick look at Privacy by Design.

Benefits of Privacy by Design

Implementing a Privacy by Design approach has many benefits, including allowing for early identification and remediation of potential privacy risks, far better than learning about these risks only once they have been exploited. By adopting this approach you can feel more confident in meeting your privacy compliance requirements.  

Having a continuous data inventory with data classification and data minimization policies is an essential part of a proactive Privacy by Design approach. This is where monitoring Personally Identifiable Information (PII) across your systems can help you locate and classify data with PII and ensure it is not retained longer than required.

Now we understand the importance of Privacy by Design and data inventories, we need to understand the terminology.

Let's first take a look at some of the specific privacy terms used that are often used interchangeably: Personal Data, Personal Information, Personally Identifiable Information and Sensitive information.  

There is a lot of overlap in the terms across jurisdictions and they all cover common ground, but let's start by looking at the high-level differences.

Personal Data (PD) Personal Information (PI) Personally Identifiable Information (PII) Sensitive Personal Information (SPI)
Term defined by the General Data Protection Regulation (GDPR). It is broad in scope and is any information that is clearly about a particular person. Term that is also broad in scope and defined in various legislation across the globe including the California Consumer Privacy Act (CCPA) and the Australian Privacy Act. PI refers to information that identifies, relates to, or could reasonably be linked with a person or household. Commonly used in business and defined by some legislation and privacy standards such as National Institute of Standards and Technology (NIST). PII is more specific in nature and is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. All PII is PI but not all PI is PII. Sensitive information is a subset of these. Unlike some general PI, sensitive information may result in discrimination or harm if it is mishandled. Most jurisdictions believe it should be treated with a higher standard of care.

Personal Data (PD)

When referring to Personal Data, many privacy professionals will be referring to the processing of information as related to the EU’s General Data Protection Regulation (GDPR). Personal Data is broad in scope and means any information that is clearly about a particular person.

GDPR Article 4, gives the following definition for “personal data”:

'Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GDPR sets out special categories of personal data that includes:  

  • Race
  • Ethnicity
  • Political views
  • Religion, spiritual or philosophical beliefs
  • Biometric data for ID purposes
  • Health data
  • Sex life data
  • Sexual orientation
  • Genetic data

Personal Information (PI)

Many different jurisdictions refer to Personal Information rather than Personal Data, such as the Australian Privacy Act and the California Consumer Privacy Act (CCPA). Although PI and PD are more alike than not, there are subtle differences between these definitions in different jurisdictions. For example, the GDPR specifies online identifiers such as IP addresses and cookie identifiers are personal data. The Australian Privacy Act does not specifically address IP addresses and cookie identifiers in personal information.  

The Australian Privacy Act defines 'personal information' as:  

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.’

The term ‘personal information’ in the Australian Privacy Act context encompasses a broad range of information and the Act does specify types of PI:

  • Sensitive information - (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information.
  • Health information - which is also ‘sensitive information’
  • Credit information
  • Employee record information (subject to exemptions), and
  • Tax file number information

The more recent California Consumer Privacy Act maintains a broad definition of “personal information”, defining personal information as a broad category of all kinds of data:

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

CCPA includes the following categories of personal information:  

  • Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
  • Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
  • Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
  • Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Inferences: Inferences that could be used to create a profile reflecting a consumer’s Preferences, Characteristics, abilities to name a few.  

For a full rundown of the privacy legislation landscape across the United States, check out this informative infographic from the International Association of Privacy Professionals (IAPP).  

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) terminology is used by both government and corporations and generally speaking, it is information that can be used on its own or combined with other information to identify, contact, or locate a single person, or to identify an individual in context.  

A term more commonly used in the United States, the US Office of Privacy and Open Government, defines PII as:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

The National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), lists the following examples of PII data.  

  • Name, such as full name, maiden name, mother‘s maiden name, or alias  
  • Personal identification number, such as social security number (SSN), passport number, driver license number, taxpayer identification number, patient identification number, and financial account or credit card number
  • Address information, such as street address or email address
  • Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.
  • Telephone numbers, including mobile, business, and personal numbers  
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)  
  • Information identifying personally owned property, such as vehicle registration number or title number and related information  
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
Personally Identifiable Information

While not limited to these, the following table contains some specific pieces of PII that can be scanned for in the RecordPoint Data Trust Platform.

PII Type Description
Payment Card Industry (PCI)- Credit card number A credit card number is between 12 to 19 digits
Crypto wallet number A Crypto wallet number i.e. Bitcoin address
Email address An email address identifies an email box to which email messages are delivered
International Bank Account Number (IBAN) The International Bank Account Number (IBAN) is an internationally agreed system of identifying bank accounts across national borders to facilitate the communication and processing of cross-border transactions with a reduced risk of transcription errors
Full name A full person name, which can include first names, middle names or initials, and last names
Phone number A telephone number
US Social Security Number (SSN) A US Social Security Number (SSN) with 9 digits
US Bank Number A US bank account number is between 8 to 17 digits
US Drivers License A US driver license according to State Driver's License Format - National Traffic Safety Institute
US Individual Taxpayer Identification Number US Individual Taxpayer Identification Number (ITIN). Nine digits that start with a "9" and contain a "7" or "8" as the 4 digit
US Passport A US passport number with 9 digits
UK National Health Service (NHS) number A UK National Health Service number is 10 digits
Australian Business Number (ABN) The Australian Business Number (ABN) is a unique 11 digit identifier issued to all entities registered in the Australian Business Register (ABR)
Australian Company Number (ACN) An Australian Company Number is a unique nine-digit number issued by the Australian Securities and Investments Commission to every company registered under the Commonwealth Corporations Act 2001 as an identifier
Australian Tax File Number The tax file number (TFN) is a unique identifier issued by the Australian Taxation Office to each taxpaying entity
Australian Medicare number Medicare number is a unique identifier issued by Australian Government that enables the cardholder to receive a rebate of medical expenses under Australia's Medicare system

Across all jurisdictions, it is key to note that PD, PI and PII can range from sensitive and confidential information to information that is widely publicly available.

Sensitive Personal Information and sensitive data

Sensitive information is a subset of Personal Information. Most jurisdictions' definitions of sensitive information align, but they each have slight differences in language.  

The GDPR classifies certain types of information as sensitive data, which is subject to specifically defined processing conditions. Sensitive data includes information that could cause harm to an individual if used for identification and malicious purposes.

Some examples of sensitive data under GDPR:

  • Racial or ethnic origin,
  • Political opinions,
  • Religious beliefs,
  • Genetic data,
  • Sexual orientation or activities.

The Australia Privacy Act

This regulation defines Sensitive Personal Information to mean information or an opinion about an individual’s:

  • Racial or ethnic origin,
  • Political opinions,
  • Membership of a political association,
  • Religious beliefs or affiliations,
  • Philosophical beliefs,
  • Membership of a professional or trade association,
  • Membership of a trade union,
  • Sexual preferences or practices; or
  • Criminal record.

The California Privacy Rights Act (CPRA)

Often referred to as CCPA 2.0 and an amendment of the CCPA, this regulation defines Sensitive Personal Information to include:  

  • Government identifiers, such as Social Security Numbers and drivers license numbers,
  • Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords),
  • Precise geolocation information,
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership,
  • Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications,
  • Genetic data, and
  • Biometric information that uniquely identifies a consumer or information concerning a consumer's health, sex life, or sexual orientation.

Understanding all these terms and how they may intersect or differ is a key part of a Privacy by Design approach. Organizations who embed privacy into their systems and processes will have a strategic competitive advantage, as well as generating trust among their customer base.

Discover Connectors

View our expanded range of available Connectors, including popular SaaS platforms, such as Salesforce, Workday, Zendesk, SAP, and many more.

Explore the platform

Discover Intelligence Signaling

Get scalable identification of PII, PCI, duplicate records, and ROT across all your data

Learn More
Share on Social Media
bg
bg

Assure your customers their data is safe with you

Protect your customers and your business with
the Data Trust Platform.