Compliance

What is PII Used For? (Use Cases & Examples)

what is pii used for

Have you ever wondered what PII is used for and what your business can do with it? Well, you’ve come to the right place to find out.

PII is an essential topic because it has to do with important data that could benefit your business if used correctly or destroy it if it gets into the wrong hands.

That’s a very good reason to talk about personally identifiable information and explain what is Personally Identifiable Information (PII) used for in this guide.

Let’s dive right in.

Key Takeaways

  • PII is information that, when used on its own or in combination with other data, identifies a person.
  • PII can be sensitive and non-sensitive. Sensitive data, such as an SSN, financial account records, biometric data, and others, can uniquely identify a person. Non-sensitive data like date and place of birth, name, city of residency, email address etc., have to be used together with other relevant data to identify a person.
  • PII can be used for contractual obligations, legal obligations, protecting public and vital interests, legitimate business interests, and more.

What is PII?

Personally identifiable information, or PII, is information that, used on its own or with other relevant data, can identify an individual.

There are two types of PII:

  1. Sensitive PII

Sensitive PII includes medical records, Social Security Number (SSN), financial information, driver’s license, sexual orientation, political affiliation, biometric data, and more.

This information is considered highly personal and can be used for identity theft, financial fraud, or discrimination.

  1. Non-sensitive PII

Non-sensitive PII includes PII available from public sources, such as a person’s date of birth, email, city of residency, phone number, and employment information.

While this information is not as sensitive, it can still be used to identify an individual when combined with other data.

PII can contain direct and indirect identifiers. Direct identifiers, such as ID or passport information, can identify a person directly, while quasi or indirect identifiers need to be combined with other quasi-identifiers to identify someone.

What is PII Used For?

Although PII can be used for illicit purposes by cybercriminals and fraudsters, there are still plenty of legitimate reasons why a company, vendor, or employer might use this information. Here is what PII can be used for:

Protecting Public and Vital Interests

Government agencies may use PII to serve the public interest, for example, national security. Additionally, PII can be used by healthcare providers to perform tasks of public interest or to protect an individual’s vital interests, like in a medical emergency.

In another aspect, PII is crucial for law enforcement agencies as it helps them investigate crimes more efficiently.

The information can sometimes also be used by government bodies to verify the identity of individuals seeking access to sensitive public services or records in order to reduce fraudulent actions.

Legal Obligations and Proceedings

PII can also be required for companies to comply with anti-fraud and money-laundering laws and tax reporting.

At the same time, organizations may need PII as part of legal proceedings, like in investigations.

Organizations often need to record and retain PII for auditing purposes, as it provides concrete evidence of transactions and interactions. This is pertinent in sectors dealing with significant financial or confidential information where regulatory bodies require stringent record keeping.

Contractual Obligations

PII can also be used to fulfill the contract terms between the customer and the business.

For example, an e-commerce store would need a person’s PII to process their order and ship the goods to the proper address.

Similarly, a lending institution might require your PII to assess whether you're eligible for a loan or not. Airlines and travel companies also use this information during ticket booking processes, where they need personal data such as name, date of birth, passport details, etc., to prepare official documents required for international travel.

Legitimate Business Interest

Provided it doesn’t infringe on the individual’s privacy rights, PII can be used for legitimate business interests, often for verification purposes and to improve their services.

For instance, businesses might use PII to evaluate customer's interests and behaviors in order to provide personalized marketing content.

This not only helps increase the effectiveness of their advertising efforts but also can lead to better customer satisfaction by delivering relevant ads or offers. It is worth noting that such practices are subject to data protection laws designed to ensure personal information remains secure at all times.

Employee Data

PII is critical when dealing with employee data. It's used in nearly every aspect of employment, from the initial job application process to maintaining employee records and payrolls. Recruiters use PII such as name, contact information, and credentials to assess a candidate’s fitness for a role.

Once an individual becomes an employee, their PII, like a Social Security number or tax identification number, is routinely used by HR departments for various internal processes, including payroll setup, Social Security benefits, and more.

One thing in common for all of these PII use cases is that they must comply with the law, whether labor laws (employee data), privacy laws, or other relevant laws.

Examples of PII

The US Office of Privacy and Open Government identifies PII as:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

The EU’s GDPR does not use the term “personally identifiable information”, but instead uses “personal data”, which is a broader term (all PII are personal data, but not all personal data is PII).

Article 4 of GDPR defines personal data as:

“Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly…”

So what are some examples of PII?

As we mentioned before, PII can be grouped into two categories - sensitive and non-sensitive.

Sensitive PII includes:

  • Personal home address
  • Social Security Number
  • Personal medical and health records
  • Financial account number
  • Driver’s license information
  • Biometric data

The main reason why these are called “sensitive” is that only one person can “own” this PII, so they can uniquely identify someone.

Non-sensitive PII, on the other hand, can be shared with others (race, gender, location, etc.). These can still be used to identify a person, but only in combination with other non-sensitive PII.

Non-sensitive PII includes:

  • Name
  • Phone number
  • Email address
  • Geographical indicators such as ZIP code
  • Date of birth
  • Place of birth
  • Gender
  • Race
  • Religion

The GDPR also includes other information under “personal data” that does not fall into the category of PII, including:

  • IP address
  • Cookie ID
  • Location data
  • E-commerce order ID
  • Other online identifiers (apps, devices, tools)
  • Pseudonymised or de-identified personal data

Fines for Not Protecting PII

Different data protection regulations impose different penalties and fines for not protecting or mishandling PII or other personal data.

For instance:

  • The GDPR includes fines of up to €20 million or 4% of the global annual turnover of the company (whichever is higher)
  • Brazilian LGPD includes a maximum fine of 50 million reals (€9.3 million or $10 million) or 2% of the business's annual revenue (whichever is higher)
  • The Chinese PIPL has a maximum fine of 50 million yuan ($7 million) or 5% of the business's annual revenue (whichever is higher)
  • Businesses found to be in violation of HIPAA can face civil penalties ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million.
  • Finally, for violating CPRA, the fine is $7,500 for each intentional or 2,500 for each non-intentional violation

Also, other penalties for non-compliance and breaching PII may include legal actions, criminal charges, loss of data processing privileges, and more, depending on the specific regulation.

Closing

Businesses use PII for a variety of different reasons, from legal obligations to legitimate business interests. However, businesses must make an effort to secure PII, regardless of whether it is sensitive PII or not.

According to the Identity Theft Resource Center (ITRC) 2022 Data Breach Report, at least 422 million individuals were impacted by identity theft or data compromise in the US alone in 2022.

This highlights the importance of protecting personal information from getting stolen and you from getting fined by regulators.

If you want to avoid fines and your customer’s information getting stolen, get in touch with us for compliance and next-level protection.

FAQs

What is an example of a PII?

PII or personally identifiable information can be sensitive and non-sensitive.

Here are some examples of sensitive PII:

  • Personal home address
  • Social Security Number
  • Personal medical and health records
  • Financial account number
  • Driver’s license information
  • Biometric data

Here are some examples of non-sensitive PII:

  • Name
  • Phone number
  • Email address
  • Geographical indicators such as ZIP code
  • Date of birth
  • Place of birth
  • Gender
  • Race
  • Religion

Here’s our complete guide to protecting personal information.

Why is PII collected?

PII can be collected for different legitimate purposes, including legal obligations, contractual purposes, protecting public and vital interests, legitimate business interests, employee data, and more.

Whatever the reason, collecting PII must be done according to the relevant regulations and laws in that country.

Learn what your obligations are for protecting employee data here.

Is PII for official use only?

Typically, personally identifiable information (PII) is collected and used for official use, provided the organization collecting PII has a legitimate reason for doing so.

However, in some situations, PII can be collected for non-official purposes. This is the case with e-commerce online purchases, using social media platforms, or signing up for newsletters, for example.

Want guidance on protecting PII? Get in touch with us now.

Which is not a PII?

Not all personal data is considered as personal identifiable information (PII). For example, according to GDPR, personal data such as IP address, cookie ID, e-commerce order ID, or pseudonymized data are not PII but are considered personal information.

Find out everything you need to know about GDPR compliance in this guide.

Can public data be PII?

Yes, public data can be PII. This type of PII is called “non-sensitive,” and it includes data that is available from public sources and may not belong to one individual but is typically shared among many.

For example, more than one person can have the same date or place of birth, gender, or race, but no two people can have the same biometric features (fingerprint, eye scan), SSN, or driver's license number, which is why such PII is considered “sensitive.”

Here’s what you need to know about sensitive personal information.