Personal Information and PII are Interchangeable Right?

Written By Caroline carver

When people talk about privacy, they often fall back on the term PII (Personally Identifiable Information) instead of “personal information.” At first glance it might seem harmless, even interchangeable. But in reality, it’s a tell-tale sign of low privacy knowledge and maturity within an organisation. It says: we haven’t really stopped to think about the privacy laws in New Zealand.

The Privacy Act 2020 doesn’t talk about PII. It talks about personal information, defined as “information about an identifiable individual.” And that definition is far more flexible and far more wide-reaching than most people realise. It can cover anything, in any format: spoken, written, stored digitally, captured by CCTV, or measured in biometric scans. Personal information includes obvious direct identifiers like a name or phone number, but it also covers indirect identifiers including a mix of details that, when combined, point to a single person.

PII, on the other hand, is a US-centric concept born from American privacy laws. It’s neat and list-based: name, Social Security number, passport number, driver’s licence number. If it’s on the list, it’s PII. If it’s not, it’s not considered. That mindset works in the American legal context but it’s dangerously incomplete in New Zealand.

Here’s where that difference matters. Imagine an application that records age, gender, and suburb. None of those fields would make the PII cut in the US. Yet in New Zealand, the combination of those three details is absolutely personal information. In a small town, they might narrow the field down to one or two people easily enough to identify someone, and therefore enough to trigger your privacy obligations.

Using “PII” in a New Zealand organisation isn’t just a minor terminology slip. It’s a warning flag. It suggests privacy policies and data inventories might be built on the wrong definitions, creating blind spots. That means there’s a real risk of non-compliance with the Privacy Act, and even more worrying, the possibility of a privacy breach that no one saw coming because no one realised the information in question was covered by the Privacy Act.

In short, the words you choose matter. They signal whether you’ve adapted your privacy thinking to the New Zealand context or whether you’re still working from a borrowed, incomplete model. And in privacy, as in most things, a copy-paste from another country is rarely good enough.

Caroline carver
Next

The Biometric Code is Out!! – Is Your Organisation Ready?