Have you heard or read the terms Personal Information or Personally Identifiable Information and not been entirely sure what they represent? It may be that they were mentioned in the perennial news article about a data breach in which thousands, or hundreds of thousands, of individuals’ credit card numbers, driver’s license numbers, addresses, and so on were stolen from company xyz. Or you may be in a job role where you are directly or indirectly affected by internal policy or external regulation around your stakeholders’ personal data – the latest such regulation (and the reason every company all of a sudden is asking you if you want to continue hearing from them) is the European General Data Protection Regulation (GDPR). Wherever you are coming from, here is a quick and straightforward primer on PI/PII.
The first thing to understand about these and similar terms is that they are legal concepts and can differ somewhat in their definition depending on the jurisdiction, e.g. whether you are in Canada, the United States, Europe, or Australia. However, whether you call it personal information, personal data, or personally identifiable information, the common thread is that it is information about a uniquely identified or identifiable individual, or in simpler terms the information includes an element or elements that can uniquely identify the person it relates to.
These elements which can uniquely identify a person can be broken down into ‘direct’ and ‘indirect’ identifiers. Direct identifiers are sufficient on their own to uniquely identify an individual and indeed are often used for the express purpose of determining individual identity. Examples of direct identifiers are:
- Social Security Number/Social Insurance Number/National Identification Number
- Driver’s license number
- Employee serial number
- Credit card number
- Telephone number
- Fingerprints
- Address
Indirect identifiers are those which on their own would not be sufficient to uniquely identify an individual but when combined with other elements can be used to do so (see diagram below). Examples of indirect identifiers are:
- State/Province or postal code of residence
- Job role or name of employer
- Gender
- Age
- School attended or attending
What complicates matters is that in some cases, or for some individuals, an identifier may be sufficient to uniquely identify a person whereas for others it may not. A great example of this is full name. For someone named ‘John Smith’, full name and city of residence may not be sufficient to uniquely identify them, whereas for someone with a more unusual full name it would. From a data protection and privacy perspective it makes sense to apply the strictest possible interpretation of what could uniquely identify an individual.
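To make the indirect-identifier point concrete, here is an added example (not part of the original article) that counts how many records share each combination of indirect identifiers in a constructed five-row dataset. The smallest group size is the dataset’s k-anonymity: k = 1 means at least one person can be singled out, which is exactly what happens when a postal code is added to gender and age, and also why a distinctive full name acts as a direct identifier while ‘John Smith’ does not.

```python
from collections import Counter

# Constructed sample records for illustration only (not real people).
# "name" and "phone" are direct identifiers; the rest are indirect ones.
RECORDS = [
    {"name": "John Smith",  "phone": "555-0101", "postal": "M5V", "gender": "M", "age": 34},
    {"name": "John Smith",  "phone": "555-0102", "postal": "M5V", "gender": "M", "age": 34},
    {"name": "Ada Okonkwo", "phone": "555-0103", "postal": "M5V", "gender": "F", "age": 29},
    {"name": "Jane Doe",    "phone": "555-0104", "postal": "K1A", "gender": "F", "age": 29},
    {"name": "Jane Doe",    "phone": "555-0105", "postal": "K1A", "gender": "F", "age": 29},
]


def equivalence_classes(records, quasi_ids):
    """Map each combination of the chosen attribute values to the number of
    records that share it. Records in a class of size 1 are re-identifiable."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size over the chosen attributes (k == 1 is the worst case)."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_combinations(records, quasi_ids):
    """Attribute combinations that single out exactly one record."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(key for key, size in classes.items() if size == 1)


def release_view(records, quasi_ids):
    """Columns a publisher would keep: only the requested attributes, so the
    direct identifiers never leave the system."""
    return [{q: r[q] for q in quasi_ids} for r in records]


if __name__ == "__main__":
    # A name alone: two John Smiths hide each other, Ada is unique (k = 1).
    print("name:", dict(equivalence_classes(RECORDS, ("name",))))
    # Gender + age: every person shares a group with at least one other (k = 2).
    print("gender+age k =", k_anonymity(RECORDS, ("gender", "age")))
    # Adding postal code breaks that: Ada is the only F/29 in M5V (k = 1).
    print("postal+gender+age k =", k_anonymity(RECORDS, ("postal", "gender", "age")))
    print("singled out:", unique_combinations(RECORDS, ("postal", "gender", "age")))
```

Running the check before publishing a dataset tells you which attribute combinations need to be generalised or suppressed; here dropping the postal code restores k = 2.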
Now that we have defined Personal Information/Personally Identifiable Information, we can consider a special type of PI: Sensitive Personal Information. This is Personal Information which is considered sensitive because it could be used to cause substantial harm, embarrassment, inconvenience, or unfairness to an individual. The harm could be of a financial, employment, or reputational/social nature.
Again, it’s important to consider that what is SPI in terms of regulatory/legal requirements depends on the jurisdiction. Businesses may also have their own policy which specifies what is SPI for the purposes of their business practices, based on the jurisdictions they operate in. Examples of SPI are below and include many of the PI types mentioned previously which also happen to be direct identifiers:
- Social Security Number/Social Insurance Number/National Identification Number
- Credit card number
- Credit information
- Health and medical information, including health insurance identification numbers, health care treatment or diagnoses
- Religious, ideological or philosophical beliefs or activities
- Information about criminal proceedings and criminal records
- Genetic data
- Date of birth
- Racial or ethnic origin
- Political opinion or activities
That is PI/PII and SPI/SPII in a nutshell. Hopefully this article has been straightforward to understand and has given you a grasp on these subjects.