Personally identifiable information (PII) is any information that can be used to identify a specific individual — on its own or combined with other data. It’s a deceptively broad concept, and getting it right is central to where records management meets privacy.
What counts as PII
PII ranges from the obvious to the subtle:
- Direct identifiers — full name, Social Security or national ID number, passport or driver’s license number, email address, phone number.
- Indirect identifiers — data that identifies someone in combination, such as date of birth + ZIP code + gender.
- Sensitive categories — information whose exposure is especially harmful: health, financial, biometric, and similar data, often carrying the strictest legal protections.
A key insight from NIST’s guidance: whether something is PII can be context-dependent. Data that seems harmless can become identifying when linked with other available data.
Why it matters
Every record containing PII is also a liability. If it’s breached, lost, or improperly disclosed, the organization faces legal, financial, and reputational harm. The more PII you hold, and the longer you hold it, the greater the exposure. That’s why PII drives specific recordkeeping choices:
- Stronger access controls limiting who can view it.
- Careful retention — keeping PII only as long as necessary, aligning the retention schedule with privacy law’s storage-limitation principle.
- Secure disposition when the retention period ends.
PII and recordkeeping go together
You can only protect and properly dispose of PII if you know what personal data you hold and where it lives — which is exactly what a records inventory provides. The same inventory that underpins retention also underpins privacy compliance and the ability to honor individual rights to access or delete data.
In the federal context, much PII is also Controlled Unclassified Information, with its own handling rules. Across the board, the guiding discipline is data minimization: keep only what you need, only as long as you need it. See the privacy, PII and data protection hub for more.
Sources & further reading
Authoritative government and non-profit references.
- NIST SP 800-122 — Protecting the Confidentiality of PII — National Institute of Standards and Technology
How to cite this page
APA
RM University Editorial Team. (2026). Understanding PII: What Counts and Why It Matters. Records Management University. https://www.recordsmgmt.org/articles/understanding-pii/
MLA
RM University Editorial Team. "Understanding PII: What Counts and Why It Matters." Records Management University, 15 June 2026, www.recordsmgmt.org/articles/understanding-pii/.