3.1 Understanding PII

Hackers and other cyber-threat actors regard personally identifiable information (PII) as extremely valuable and financially lucrative. Personally identifiable information is any information that can be used to profile a particular target and then exploit them for financial, ideological or sadistic gain. It includes, amongst others, the following:

  • An individual’s religious or philosophical beliefs or ideology
  • Political persuasion or allegiance
  • State of health
  • Sexual orientation
  • Criminal history or behaviour
  • Biometric information
  • Name, Surname and ID


The POPI Act (South Africa's Protection of Personal Information Act) defines personal information, i.e. PII, as the following:

  1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual,
  2. Information relating to the education or the medical, financial or employment history of the person,
  3. Any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person,
  4. The blood type or any biometric information of the person,
  5. The personal opinions, views or preferences of the person,
  6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence,
  7. The views or opinions of another individual about the person, and
  8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.


Accordingly, public or private organisations that request and keep personal information on existing or potential clientele are responsible for ensuring that it is kept up to date. Moreover, the holder of the information is obliged to take reasonable and proactive measures to secure it, in line with contemporary industry standards, from the moment it is captured until it is destroyed. When the information is no longer deemed necessary, it must be destroyed in line with prescribed industry standards.
