What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual. Due to the sensitivity of this type of information, multiple prominent data privacy regulations worldwide require organizations to disclose whether or not they collect this type of information, whether they share or sell it to others, how it's stored and protected, and users' data rights. In the wrong hands, the possession of such sensitive information could lead to identity theft, fraud, defamation, and more.
Definitions of PII initially focused on straightforward (direct) identifiers such as:
- Names (first and last)
- Physical addresses
- Email addresses
- Phone numbers
- Social Security numbers
- ID and Passport numbers
However, PII now also encompasses indirect identifiers (sometimes called quasi-identifiers). These pieces of information might not identify someone on their own but can do so when combined with other data. Examples of indirect identifiers include:
- IP addresses
- Login credentials
- Location data
- Device identifiers
- Date of birth
- Gender or sexual identity
- Biometric data
PII is fundamental to many business operations and services, such as verifying identities, providing personalized experiences, and enabling communication. This means that protecting PII is crucial for all parties involved.
What is Sensitive Personal Information (SPI)?
Sensitive Personal Information (SPI) is data that reveals an individual's intrinsic or sensitive attributes; it overlaps in places with indirect PII identifiers (biometric data, for example, appears in both lists). As with PII, each data privacy regulation that explicitly defines SPI uses its own definition; the GDPR calls it "special categories of personal data." While SPI isn't necessarily more sensitive than PII in and of itself (with some exceptions), it can be particularly damaging in combination with direct PII identifiers, which turn a sensitive attribute into a sensitive fact about a named person. Handling SPI therefore usually requires stronger safeguards because of the harm exposure can cause.
Sensitive Personal Information (SPI) examples include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification (e.g., fingerprints, facial recognition)
- Health information
- Data concerning a person’s sex life or sexual orientation
- Criminal history
- Contents of users' communications (e.g., physical mail, emails, text messages, etc.)
The sensitivity of SPI lies in the potential for discrimination, stigmatization, or other adverse effects if such information is mishandled or exposed.
What's the Difference Between PII and SPI?
The primary difference between PII and SPI lies in the level of sensitivity and the potential impact of data breaches. While PII can identify an individual, SPI can lead to significant harm or discrimination if mishandled. PII can be thought of as an umbrella term that covers just about any information that can reveal a person's identity. SPI is generally considered a highly sensitive subset of PII, particularly when combined with direct PII identifiers, and is often treated with extra security.
What Does Not Constitute SPI?
Not all personal data qualifies as SPI. Understanding what does not constitute SPI is crucial for organizations to appropriately allocate resources and protections.
Non-SPI data includes:
- Business contact details (e.g., company email addresses and phone numbers)
- Publicly available information (e.g., information in public directories)
- Anonymized or pseudonymized data (where the individual cannot be identified without additional information)
For example, a company's general email address or a publicly listed phone number does not require the same level of protection as an individual's health records or biometric data. Two caveats apply. First, the GDPR treats pseudonymized data as personal data (Recital 26) because whoever holds the additional information, such as a key or lookup table, can still re-identify individuals; only data anonymized so that re-identification is no longer reasonably possible falls outside its scope. Second, a work email address that names a specific employee is still personal data about that person, even though it is not SPI.
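The pseudonymization bullet above deserves a worked illustration. The following Python script is an added example, not code from the original article or from Fortra; the records, the key and the date range in it are constructed sample data. It shows that a keyed HMAC pseudonym cannot be reversed without the key but still lets the key holder re-link a known person to their records (so the dataset remains personal data in that holder's hands), that sensitive fields left in the clear stay sensitive, and that an unkeyed hash of a low-entropy identifier such as a date of birth is reversible by simply enumerating every possible date.

```python
"""Pseudonymization vs. naive hashing of identifiers (added example).

1. A keyed HMAC turns an identifier into a consistent token that cannot be
   reversed without the key, but the key holder can still re-link records.
2. An unkeyed SHA-256 of a low-entropy field such as a date of birth is not
   anonymization: the whole input space can be enumerated and every hash
   reversed in well under a second.

All records, keys and dates below are constructed sample data.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records about fictional people. "dob" is an indirect
# identifier, "health" is SPI, "name" and "email" are direct identifiers.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1984-07-19", "health": "asthma"},
    {"name": "Bob Example", "email": "bob@example.com", "dob": "1991-02-03", "health": "none"},
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1984-07-19", "health": "allergy"},
]

DIRECT_IDENTIFIERS = ("name", "email")

# Constructed key for the example. In production the key lives in a KMS/HSM and
# is stored separately from the pseudonymized dataset; it IS the "additional
# information" that makes re-identification possible.
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same input and same key give the same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Replace direct identifiers with HMAC tokens; all other fields are kept as-is."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = pseudonym(rec[field], key)
        out.append(new)
    return out


def relink(pseudonymized, candidate_email, key):
    """Whoever holds the key can still find a known person's records."""
    token = pseudonym(candidate_email, key)
    return [r for r in pseudonymized if r["email"] == token]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256, often mistaken for anonymization."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_dob_hash(digest, start=date(1900, 1, 1), end=date(2024, 12, 31)):
    """Recover a date of birth from its unkeyed hash by trying every date in range.

    The range above is about 45,000 candidates, so the attack is trivial.
    Returns the ISO date string, or None if the digest is not a date in range.
    """
    d = start
    while d <= end:
        candidate = d.isoformat()
        if naive_hash(candidate) == digest:
            return candidate
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    pseud = pseudonymize(RECORDS, PSEUDONYM_KEY)
    print("Alice's two records share a token:", pseud[0]["email"] == pseud[2]["email"])
    print("Key holder re-links Alice to", len(relink(pseud, "alice@example.com", PSEUDONYM_KEY)), "records")
    print("Health data is still in the clear:", pseud[0]["health"])
    print("Unkeyed DOB hash reversed to:", reverse_dob_hash(naive_hash("1984-07-19")))
```

The design point is that pseudonymization reduces exposure if the key is compromised separately from the data, but it does not take the dataset out of scope: the same token appears on every record about the same person, which is exactly what lets the key holder, or anyone who obtains the key, re-identify them. Hashing without a key is weaker still whenever the input space is small enough to enumerate.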
Regulatory Definitions of SPI and Its Protections
Various data protection regulations define and mandate the protection of SPI differently. Two of the most notable definitions include:
General Data Protection Regulation (GDPR)
The EU’s General Data Protection Regulation (GDPR) refers to sensitive personal data as Special Categories of Personal Data. Article 9(1) prohibits processing such data unless one of the conditions in Article 9(2) applies, such as the data subject's explicit consent, and organizations that rely on one of those conditions still face strict handling requirements. Article 9(1) lists the following as special category data:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data processed for the purpose of uniquely identifying a natural person (e.g., fingerprints, facial images).
- Data concerning health.
- Data concerning a person’s sex life or sexual orientation.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), which expanded the California Consumer Privacy Act (CCPA), defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and then carves out Sensitive Personal Information as a subset of it. According to section 1798.140(ae), the CPRA considers the following personal data to be sensitive:
Personal information that reveals...
- A consumer’s social security, driver’s license, state identification card, or passport number.
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- A consumer’s precise geolocation.
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.
- A consumer’s genetic data.
... along with...
- The processing of biometric information for the purpose of uniquely identifying a consumer.
- Personal information collected and analyzed concerning a consumer’s health.
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
Along with the CPRA and the GDPR, the Australian Privacy Act 1988 and the Virginia Consumer Data Protection Act (VCDPA) also explicitly define sensitive data as a category of personal data.
Fortra’s Data Classification Can Keep Your PII and SPI in the Right Hands
As global demands for personal data protection intensify and governments enact stricter compliance regulations, businesses must adapt rapidly to these evolving standards. Effective compliance requires comprehensive visibility into what data organizations hold and where it is stored, a task that can be daunting without a robust data protection strategy.
Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) are especially critical in this landscape, given their heightened levels of protection under many regulations. Fortra’s Data Classification solutions for compliance empower organizations to achieve and maintain compliance by providing the necessary tools to identify, classify, and protect both PII and SPI. Explore Fortra’s Data Protection solutions to ensure your organization not only meets regulatory requirements but also operates efficiently and securely.