What is PII?
The term PII originates in the United States and typically describes data points that, when combined, can identify an individual. This might include names, social security numbers, or driver’s licence numbers. However, the Australian Privacy Act 1988 uses the term 'personal information', which has a broader scope. It encompasses any information from which an individual can be reasonably identified, directly or indirectly. This includes opinions, intentions, and even inferred characteristics.
PII Handling in Microsoft 365, Australian Context
Australian organisations using Microsoft 365 must treat data with the sensitivity appropriate to its classification, aligning with the OAIC’s reasonable steps guidance. Microsoft Purview’s sensitive information types can help identify and classify personal information. Data Loss Prevention (DLP) policies and Information Protection labels provide controls to prevent unauthorised access and disclosure. Insider Risk Management capabilities can help detect and mitigate risks related to data exfiltration. Compliance with the Privacy Act 2024 and the Notifiable Data Breach scheme requires robust data handling practices, which are increasingly important given APRA CPS 234 and CPS 230 expectations around cyber resilience.
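As an added illustration of the Purview controls mentioned above (example code, not from the original article), the following Security & Compliance PowerShell creates a DLP policy that targets the built-in Australian sensitive information types across Exchange, SharePoint and OneDrive, and starts it in test mode so matches are reported before anything is blocked. The policy and rule names and the match threshold are constructed for this example; it assumes the ExchangeOnlineManagement module is installed and the account holds a compliance administrator role.

```powershell
# Added example (not part of the original article): a Purview DLP policy for
# Australian personal information. Policy/rule names and thresholds are
# constructed; the sensitive information type names are Purview built-ins.
Connect-IPPSSession

$policyName = 'AU Personal Information - DLP'

# Start in test mode: matches are reported and users notified, nothing is
# blocked yet. Review the DLP reports, then switch -Mode to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects Australian personal information in M365 workloads' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Built-in Australian sensitive information types. minCount = 10 means the
# rule fires only on content carrying at least ten matching identifiers,
# which is the bulk-exposure pattern most relevant to the NDB scheme.
$auSits = @(
    @{ Name = 'Australia Tax File Number';          minCount = '10' },
    @{ Name = "Australia Driver's License Number";  minCount = '10' },
    @{ Name = 'Australia Medical Account Number';   minCount = '10' },
    @{ Name = 'Australia Passport Number';          minCount = '10' },
    @{ Name = 'Australia Bank Account Number';      minCount = '10' }
)

# Rule scoped to sharing with people outside the organisation: block access,
# notify the owner and last modifier, and raise a high-severity incident
# report for the compliance team.
New-DlpComplianceRule -Name 'AU PII - external sharing, high volume' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $auSits `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Confirm the policy and rule as created before moving out of test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation
```

The single high-volume rule is a starting point; in practice a second, lower-threshold rule that only audits and notifies catches the everyday cases without blocking legitimate work.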