What Is PII? A Plain English Guide to Personal Identifiable Information
PII stands for Personally Identifiable Information. It's any piece of data — or combination of data — that can be used to identify a specific living person. Understanding what counts as PII is essential for anyone handling data at work, building software, or using AI tools.
What Counts as PII?
Direct identifiers
These identify someone on their own, without needing additional information:
- Full name
- National Insurance number
- Passport number
- Driving licence number
- Email address
- Phone number
- Bank account or credit card number
- NHS number
- Biometric data (fingerprints, facial recognition data)
- IP address (in most jurisdictions)
Indirect identifiers
These can identify someone when combined with other information:
- Date of birth
- Postcode or partial address
- Job title at a small organisation
- Physical description
- Location data
- Device IDs or cookies
Special category data
Under UK and EU GDPR, certain categories of PII receive stronger protection because of the sensitivity of the information:
- Health and medical data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Sexual orientation or sex life data
Key point: Data doesn't have to identify someone by name to be PII. A dataset containing someone's postcode, date of birth, and employer can identify them uniquely even without a name attached.
Why PII Matters
Organisations that handle PII have legal obligations under data protection law — in the UK under UK GDPR and the Data Protection Act 2018, and in the EU under EU GDPR. These laws require organisations to:
- Process personal data lawfully, fairly, and transparently
- Collect only the data they need (data minimisation)
- Keep data accurate and up to date
- Store data securely and for no longer than necessary
- Respect individual rights (access, deletion, correction)
Failures can result in fines (up to £17.5 million or 4% of global annual turnover under UK GDPR), regulatory enforcement, and reputational damage.
PII and AI Tools
One of the fastest-growing sources of PII exposure is AI tool usage. When staff paste documents, emails, or records into ChatGPT, Copilot, or Claude, they often include personal data without realising it. Under GDPR, this constitutes sharing personal data with a third party — and requires a legal basis and often a Data Processing Agreement to be lawful.
The safest approach is to scan and redact PII before it enters any AI tool. Mutant Data Safety Layer does this automatically — it identifies PII in pasted text and replaces it with typed placeholders before you copy the content into an AI prompt. The scan runs entirely in your browser, with no data sent anywhere.
→ Scan for PII — FreeFrequently Asked Questions
Is an email address PII?
Yes. An email address is a direct identifier — it can identify a specific person on its own and is classified as personal data under GDPR.
Is a company name PII?
No, a company name is not PII on its own. However, information about a specific person at a company — their name, role, email, or direct phone number — is PII.
What is the difference between PII and personal data?
PII is the US-centric term used in frameworks like CCPA and HIPAA. Personal data is the equivalent term used in GDPR. The definitions are similar but not identical — GDPR's definition of personal data is broader and includes any information that relates to an identifiable person, including online identifiers.
How do I check if a document contains PII?
Mutant Data Safety Layer scans pasted text for over 12 categories of PII including emails, phone numbers, NI numbers, bank details, NHS numbers, and postcodes — all locally in your browser with no upload required.