IronSights

Compliance & governance

Personally Identifiable InformationPII

Any information that can be used — alone or in combination with other data — to identify a specific individual, including names, email addresses, tax file numbers, health identifiers, and financial account details.

Also known asPIIpersonal informationpersonal data

In plain English

PII is the data that, if exposed, can directly harm the people it belongs to — through identity theft, financial fraud, or discrimination. Under the Australian Privacy Act, organisations that collect PII have legal obligations around how it's stored, used, protected, and disposed of. A breach exposing PII may trigger Notifiable Data Breaches obligations.

Full definition

PII covers more ground than most business owners realise. Names and email addresses are obvious. But tax file numbers, Medicare identifiers, device IDs tied to a person, IP addresses collected through web forms, and even combinations of seemingly innocuous data points all qualify. The Australian Privacy Act 1988 defines it broadly, and the (OAIC) takes that breadth seriously when investigating complaints.

Under the Notifiable Data Breaches () scheme, if your organisation holds PII and suffers a breach likely to cause serious harm to affected individuals, you must notify both the OAIC and those individuals. The notification window is tight. A that encrypts a customer database triggers this obligation even if you pay the ransom and recover the data, because the attacker had access.

What the NDB scheme actually requires

The practical controls matter here. Encrypting PII at rest with BitLocker or means stolen storage is largely useless to an attacker without the decryption keys. Access controls should follow a least-privilege model: the accounts payable officer does not need access to health records, and the marketing team does not need tax file numbers. Retention schedules matter too. Data you do not hold cannot be breached. Organisations that collect PII 'just in case' often find the liability was never worth the storage cost.

Keep learning

More terms in the IronSights Glossary.