
What Counts as Personal Data - and What to Do About It

An HR administrator at a recruitment agency sends a reference to a new employer. The reference includes the candidate's name, date of birth, National Insurance number, and absence record. All of that is personal data - personally identifiable information (PII) - and all of it is regulated. Knowing what qualifies as PII is the starting point for handling it properly.

By RedactProof Editorial Team · 18 Feb 2026


The legal definitions

The term personally identifiable information (PII) is used broadly, but different regulations define it differently.

Under the GDPR (and the UK GDPR, which keeps the same definition for the UK), the term used is personal data: any information relating to an identified or identifiable natural person. Article 4(1) defines an identifiable person as one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

That's broad. A name is personal data. So is an email address, a phone number, or a National Insurance number. But under GDPR, personal data also includes less obvious identifiers - an IP address or a cookie ID (Recital 30 names both as online identifiers), a vehicle registration plate, even a combination of seemingly anonymous data points that together could identify someone.

Under CCPA (California Consumer Privacy Act), the definition of personal information is similarly wide: information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It covers identifiers, commercial information, biometric data, internet activity, geolocation, employment information, and education records, among others.

The practical takeaway: if information could be used to identify a specific person, either on its own or combined with other available data, it's likely to qualify as personal data or PII under one or more regulations.

Categories that catch people out

The obvious ones - names, addresses, phone numbers, email addresses - are rarely missed. Organisations know these are personal data.

The categories that cause problems tend to be contextual or indirect.

Job title plus department can be identifying in a small organisation. "Head of Finance at [Company]" narrows to one person. In a multinational with 500 people in finance, it doesn't. Context determines whether it's personal data.

Dates are frequently overlooked. Dates of birth are clearly personal data, but appointment dates, absence dates, and transaction dates can be identifying when combined with other information in the same document.

Reference numbers. Employee IDs, case reference numbers, patient NHS numbers, student IDs - these are designed to identify individuals. They're personal data.

Location data. A home address is obvious. But GPS coordinates in a photograph's EXIF data, or a site visit log that records where someone was and when, are also personal data.

Financial information. Bank account numbers, salary figures, pension details, mortgage applications. A sole trader estate agent processing a property sale sees personal financial data from both buyer and seller.

Health and medical data. Under GDPR Article 9, this is "special category data" with extra protections. Absence records mentioning illness, occupational health referrals, prescription details - all qualify.

Why identification matters for redaction

When your organisation holds documents containing PII and needs to share those documents externally - through litigation disclosure, Freedom of Information (FOI) responses, subject access requests (SARs), or simply sending files to a third party - the PII that shouldn't be shared needs removing.

That's what redaction is for. The quality of your redaction depends directly on how well you identify PII in the first place. If you don't recognise a vehicle registration plate as personal data, you won't redact it. If you don't realise that a combination of job title and department name identifies someone, you'll leave it in.

Automated PII detection tools help with this. RedactProof's AI detection identifies 40+ categories of personal information, including less obvious types like medical record numbers, SWIFT/BIC codes, and address fragments. It's not a substitute for understanding what PII is - but it catches things that a manual reviewer scanning a long document at 4pm on a Friday will miss.

Practical steps for your organisation

If you're the person responsible for data handling in your team - whether that's your main job or something that landed on your desk - a few concrete steps help.

Map the document types your team handles regularly. For each type, list the categories of personal data they typically contain. An employment contract contains different PII to a property listing, which contains different PII to a medical referral letter. Knowing what to expect in each document type makes identification faster.

Train the team on non-obvious PII. Most people know that names and addresses qualify. Fewer realise that a staff rota showing who was absent on specific dates, or a project timeline naming individual contributors, contains personal data.

Use detection tools as a safety net, not a replacement for understanding. Automated detection catches most standard PII types reliably. It's less reliable with contextual identification - where data is only personal because of its relationship to other data in the same document. Human review remains part of the process.
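To make the safety-net point concrete, here is a small rule-based scanner, added as an example for this article and not RedactProof's own code or detection logic. It flags the identifier types discussed above (National Insurance numbers, NHS numbers, email addresses, vehicle registrations, dates, job-title phrases), validates the ones that carry structure or check digits so that look-alike numbers are dropped, skips generic mailboxes such as info@, and marks context-dependent items for human review rather than redacting them automatically. The sample reference letter, the `Finding` type and the `scan`/`redact` functions are all constructed for this illustration; names are deliberately not attempted, because a regex cannot tell "J. Smith" from "J. Bloggs" without a name-recognition model.

```python
"""Rule-based PII scanner (added example; constructed sample data).

Structured identifiers are matched by pattern and validated where a
check exists; context-dependent items (dates, job titles) are flagged
for review instead of being redacted automatically.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str          # identifier type that matched
    value: str             # matched text
    start: int             # character offsets into the scanned text
    end: int
    needs_review: bool = False  # True when identification depends on context


# UK National Insurance number: two letters, six digits, suffix A-D.
# D, F, I, Q, U, V never appear in the prefix; O never appears as the
# second letter; BG, GB, KN, NK, NT, TN and ZZ are not issued.
NI_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b"
)
NI_BAD_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

# NHS number: ten digits, usually written 3-3-4, with a Modulus 11 check digit.
NHS_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
GENERIC_MAILBOXES = {"info", "support", "sales", "admin", "enquiries",
                     "contact", "hello", "noreply", "no-reply"}

# Current UK registration plate shape: two letters, two digits, three letters.
PLATE_RE = re.compile(r"\b[A-Z]{2}\d{2} ?[A-Z]{3}\b")

# Dates are only identifying in context, so they are flagged, not redacted.
DATE_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")

# "Head of Finance" narrows to one person in a small organisation; review it.
TITLE_RE = re.compile(r"\b(?:Head|Director|Chief|Manager) of [A-Z][A-Za-z]+\b")


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus 11 check: weights 10..2 over the first nine digits;
    11 - (sum mod 11) must equal the tenth digit, 11 counts as 0 and
    a result of 10 means the number is invalid."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def ni_number_ok(prefix: str) -> bool:
    """Reject prefixes HMRC never issues (format already checked by NI_RE)."""
    return prefix.upper() not in NI_BAD_PREFIXES


def scan(text: str) -> list[Finding]:
    """Return every finding, validated where possible, ordered by position."""
    found: list[Finding] = []
    for m in NI_RE.finditer(text):
        if ni_number_ok(m.group(1)):
            found.append(Finding("ni_number", m.group(0), m.start(), m.end()))
    for m in NHS_RE.finditer(text):
        if nhs_check_digit_ok("".join(m.groups())):
            found.append(Finding("nhs_number", m.group(0), m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        if m.group(0).split("@", 1)[0].lower() not in GENERIC_MAILBOXES:
            found.append(Finding("email", m.group(0), m.start(), m.end()))
    for m in PLATE_RE.finditer(text):
        found.append(Finding("vehicle_registration", m.group(0), m.start(), m.end()))
    for m in DATE_RE.finditer(text):
        found.append(Finding("date", m.group(0), m.start(), m.end(), needs_review=True))
    for m in TITLE_RE.finditer(text):
        found.append(Finding("job_title", m.group(0), m.start(), m.end(), needs_review=True))
    return sorted(found, key=lambda f: (f.start, -f.end))


def redact(text: str, findings: list[Finding], include_review: bool = False) -> str:
    """Replace findings with a category marker. Context-dependent findings
    stay in place unless include_review=True, i.e. a reviewer decides them."""
    out, pos = [], 0
    for f in findings:
        if f.start < pos or (f.needs_review and not include_review):
            continue  # overlaps an earlier match, or left for human review
        out.append(text[pos:f.start])
        out.append(f"[REDACTED:{f.category}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample reference letter; every identifier in it is made up
# (943 476 5919 is the widely used NHS-format test number, 5918 fails the check).
SAMPLE = (
    "Employment reference for J. Smith, Head of Finance.\n"
    "Date of birth 14/03/1988. NI number AB 12 34 56 C (HR record BG 12 34 56 A is a typo).\n"
    "NHS number 943 476 5919; a mistyped copy reads 943 476 5918.\n"
    "Contact j.smith@example.com or info@example.com. Parking permit for AB12 CDE.\n"
    "Absent 02/11/2025 to 06/11/2025 (sickness)."
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.category:22} {f.value!r:24} review={f.needs_review}")
    print(redact(SAMPLE, scan(SAMPLE)))
```

Running it shows the two halves of the caveat: the invalid NI prefix, the failed NHS check digit and the generic mailbox are dropped as false positives, while the three dates and the job title survive in the default output with a review flag, because whether they identify someone depends on the rest of the document and on the size of the organisation, which the rules cannot know. The name itself, the absence reason (special category data) and the freeform context are exactly the parts a human reviewer still has to cover.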

Disclaimer: This guide is for informational purposes only and does not constitute legal, medical, or professional advice. Consult a qualified professional for advice specific to your situation.

Frequently Asked Questions

Is a business email address personal data?

Generally, yes. An email address like j.smith@company.com identifies a specific individual. Generic addresses like info@company.com or support@company.com typically don't. Under GDPR, the determining factor is whether the data relates to an identifiable natural person. If the email address points to a specific individual, it's personal data regardless of whether it's a business or personal account.

What's the difference between PII and sensitive personal data?

PII (or personal data under GDPR) covers any information that can identify an individual. Sensitive personal data - called "special category data" under GDPR Article 9 - is a subset that includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data about sex life or sexual orientation. Processing it is prohibited unless, on top of an ordinary Article 6 lawful basis, one of the specific conditions in Article 9(2) applies, such as the individual's explicit consent.

Does anonymised data still count as personal data?

Truly anonymised data - where the individual cannot be identified by any means reasonably likely to be used, the test set out in Recital 26 - is not personal data under GDPR. But the bar for genuine anonymisation is high. If there's any realistic prospect of re-identification (even by combining the data with other available datasets), the data is at best pseudonymised rather than anonymised, and still qualifies as personal data. The ICO has published detailed guidance on the distinction.

Redact with confidence

RedactProof detects PII across your documents without uploading them. Start with a free account.