Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
The abbreviation PII is widely used in the United States, but the phrase it abbreviates has four common variants based on personal or personally, and identifiable or identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. Under European Union and United Kingdom data protection regimes, which centre primarily on the General Data Protection Regulation (GDPR), the term "personal data" is significantly broader, and determines the scope of the regulatory regime.
National Institute of Standards and Technology Special Publication 800-122 defines personally identifiable information as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." For instance, a user's IP address is not classed as PII on its own, but is classified as a linked PII.
Personal data is defined under the GDPR as "any information which [is] related to an identified or identifiable natural person". The IP address of an Internet subscriber may be classed as personal data.
The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers such as the European Parliament have enacted a series of legislation such as the GDPR to limit the distribution and accessibility of PII.
Important confusion arises around whether PII means information which is identifiable (that is, can be associated with a person) or identifying (that is, associated uniquely with a person, such that the PII identifies them). In prescriptive data privacy regimes such as the US federal Health Insurance Portability and Accountability Act (HIPAA), PII items have been specifically defined. In broader data protection regimes such as the GDPR, personal data is defined in a non-prescriptive principles-based way. Information that might not count as PII under HIPAA can be personal data for the purposes of GDPR. For this reason, "PII" is typically deprecated internationally.