What is personally identifiable information (PII)?
Personally identifiable information (PII) is any information that can be used to identify a specific individual — either on its own or when combined with other available data. It is a central concept where records management meets privacy, because records containing PII carry heightened obligations.
What counts as PII
PII ranges from the obvious to the subtle:
- Direct identifiers — full name, Social Security or national ID number, passport number, driver’s license, email address, phone number.
- Indirect identifiers — data that identifies someone in combination, such as date of birth plus ZIP code plus gender.
- Sensitive categories — information whose exposure is especially harmful: health and medical data, financial account data, biometric data, and similar. These often carry the strictest legal protections (for example, health data under HIPAA).
NIST’s guidance notes that whether a piece of data is PII can be context-dependent — information that seems harmless may become identifying when linked with other data.
Why it matters for records
Every record that contains PII is also a potential liability. If it is breached, lost, or improperly disclosed, the organization faces legal, financial, and reputational harm. This shapes how such records must be handled:
- Stronger access controls limiting who can view them.
- Careful retention — keeping PII only as long as necessary, aligning the retention schedule with privacy law’s storage-limitation principle.
- Secure disposition when the retention period ends.
The connection to records management
You can only protect and properly dispose of PII if you know what personal data you hold and where — which is exactly what a records inventory provides. The same inventory that underpins retention also underpins privacy compliance and the ability to honor individual rights to access or delete data. In short, managing PII well is records management and privacy working together. See the privacy, PII and data protection hub for more.
Sources & further reading
Authoritative government and non-profit references.
- NIST guidance on protecting PII (SP 800-122) — National Institute of Standards and Technology
How to cite this page
APA
RM University Editorial. (2026). What is personally identifiable information (PII)?. Records Management University. https://www.recordsmgmt.org/questions/what-is-personally-identifiable-information/
MLA
RM University Editorial. "What is personally identifiable information (PII)?." Records Management University, 28 April 2026, www.recordsmgmt.org/questions/what-is-personally-identifiable-information/.
Related questions
- What is data minimization?
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?