Compliance, Data Privacy, Personally Identifiable Information

What is Personal Information?

Personal information, personally identifiable information (PII), or personal data is any information relating to an identifiable person. The legal definition of PII may change depending on jurisdiction and purposes for which the term is being used (e.g. under GDPR, Gramm-Leach-Bliley, etc.). The PII concept has become a hot topic in recent years due to significant uptick in identify theft, bank breaches, and the collection/resale of data by third-party vendors in the alternative data space.

The National Institute of Standards and Technology defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” Notice that an end-user’s IP address is not classified as PII on its own under this definition but, in the EU under the GDPR, the IP address of an internet user may be classified as personal data. This topic is examined in the following post: What is the GDPR?

Traditionally, PII has included information like:

  • first name
  • last name
  • social security number
  • driver’s license number
  • bank account
  • credit card number
  • email address
  • date of birth

There are also pieces of information that on their own may not be able to pinpoint an identity, can be combined with several other data points to identify or trace an individual. Some examples include: first or last name (if common), country, state, city, postal code, gender, race, non-specific age range, job position and/or employer, etc.

Both data vendors and hedge funds should stay as far away as possible from both traditional PII and linkable data points.

Share this:

Leave a Reply