Personally identifiable information (PII) is data that can be used to find or identify a real person, either on its own or when combined with other details. The obvious examples are names, email addresses, phone numbers and national identification numbers. Less obvious ones include IP addresses, location data, device identifiers, and even internal account IDs if they can be linked back to an individual.
From a software quality and testing perspective, PII matters because it changes what we test, how we build test environments, and the processes around them. Using real PII in test systems adds risk even when the intent is good: non-production systems usually have weaker controls (broader access, less monitoring, shared credentials), so that is where leaks, misuse and accidental exposure tend to happen. Treating test environments as "safe" is a common mistake that leads to serious problems later.
Good practice is to avoid real PII wherever possible. Anonymise or pseudonymise the data, mask the sensitive fields, or use made-up or machine-generated (synthetic) data; all of these let teams exercise behaviour and edge cases without putting real people at risk. Two caveats apply. Pseudonymised data is still personal data for as long as the key or mapping that reverses it exists, so that key needs protecting as carefully as the original data. And masking has to preserve the properties the tests depend on (field formats, uniqueness, referential integrity across tables), otherwise the tests stop meaning anything. Clear retention policies also matter: if there is no good reason to keep the data, it should not be there.
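As an added example, not code from the original page, here is a Python sketch of the masking approach described above. It uses keyed, deterministic pseudonymisation (HMAC-SHA256 under a secret key, so the same real value always maps to the same token and joins across masked tables still line up), format-preserving masking of emails, phone numbers and IP addresses that lands on reserved test domains and documentation address ranges, and outright removal of a field no test needs. The key, the record and the field names are constructed for the example; map your own schema into MASKERS.

```python
import hashlib
import hmac
import ipaddress
from typing import Any, Callable

# Pseudonymisation key: a placeholder constructed for this example. In practice
# it lives in a secret store outside the test environment, never beside the
# fixtures in git, and is rotated like any other credential.
DEMO_KEY = b"rotate-me-and-keep-me-out-of-git"


def pseudonymise(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic token for a PII value.

    HMAC-SHA256 rather than a bare hash: anyone who can enumerate the input
    space (every phone number, a leaked customer list) can reverse an unkeyed
    hash by brute force. Same input, same token, so joins between masked
    tables still line up. Input is normalised so "Jane Doe" and " jane doe "
    map to the same token.
    """
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_email(email: str, key: bytes) -> str:
    """Keep the shape of an email address and drop every identifying part.

    The domain goes too: an unusual domain identifies an employer, and
    sometimes a person, on its own. example.com is reserved (RFC 2606).
    """
    local, _, _domain = email.partition("@")
    return f"user-{pseudonymise(local, key, 10)}@example.com"


def mask_phone(phone: str, key: bytes) -> str:
    """Replace every digit, keep punctuation so format validators still pass."""
    digest = hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()
    digits = iter(str(int(digest, 16)))  # ~77 decimal digits derived from the HMAC
    return "".join(next(digits) if ch.isdigit() else ch for ch in phone)


def mask_ip(ip: str, key: bytes) -> str:
    """Map an address into TEST-NET-1, 192.0.2.0/24 (RFC 5737).

    Deterministic, so one source address still groups together in logs, but
    the output never points at a real host. Garbage input raises ValueError
    instead of being quietly "masked" into something that looks valid.
    """
    ipaddress.ip_address(ip)
    last_octet = hmac.new(key, ip.encode(), hashlib.sha256).digest()[:1]
    return str(ipaddress.IPv4Address(int.from_bytes(b"\xc0\x00\x02" + last_octet, "big")))


# Field names are assumptions for this example; map your own schema here.
MASKERS: dict[str, Callable[[Any, bytes], str]] = {
    "name": lambda v, k: "Person " + pseudonymise(v, k, 6),
    "email": mask_email,
    "phone": mask_phone,
    "ip": mask_ip,
    "customer_id": lambda v, k: pseudonymise(str(v), k),  # account IDs link back to a person
}
DROP = {"national_id"}  # nothing in the test suite needs it: delete, do not mask


def mask_record(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a copy of a production record that is safe for non-production use."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DROP:
            continue
        masker = MASKERS.get(field)
        out[field] = masker(value, key) if masker else value
    return out


# Constructed sample record; not real data.
SAMPLE = {
    "customer_id": 48213,
    "name": "Jane Doe",
    "email": "jane.doe@acme-widgets.co.uk",
    "phone": "+44 20 7946 0958",
    "ip": "81.2.69.160",
    "national_id": "QQ123456C",
    "order_total": "42.00",
}

if __name__ == "__main__":
    for field, value in mask_record(SAMPLE, DEMO_KEY).items():
        print(f"{field:13} {SAMPLE[field]!r:32} -> {value!r}")
```

Two design points are worth calling out. Dropping a field beats masking it whenever no test reads it, because a field that is absent cannot leak. And the keyed construction is what makes the output safe to share: with a bare SHA-256 of a phone number, anyone can rebuild the mapping from the public number space, so the "masked" data would still identify people.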
Understanding what counts as PII helps testers and Quality Engineers ask better questions.
- What data are we collecting?
- Why do we need it?
- Where does it flow?
- Who can see it?
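An added example, not from the original page, that turns the "where does it flow" and "who can see it" questions into a check a tester can run: a small scanner that flags pattern-shaped PII (email addresses, public IPv4 addresses, phone numbers) in fixture or log lines before they are committed or loaded into a test environment, while clearing reserved test domains (RFC 2606) and loopback, private and documentation address ranges (RFC 5737). The sample lines are constructed. Note what it cannot do: customer_id=48213 on the last line is an account ID that links back to a person, and no regex can know that. That is exactly the question the list above asks of the data flow, not of the data's shape.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Iterable

SAFE_DOMAINS = {"example.com", "example.org", "example.net"}  # reserved, RFC 2606
DOC_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def is_safe_email(addr: str) -> bool:
    return addr.rsplit("@", 1)[1].lower() in SAFE_DOMAINS


def is_safe_ip(text: str) -> bool:
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return True  # regex matched something like 999.1.1.1: not an address at all
    # Loopback and RFC 1918 ranges are infrastructure, not people; RFC 5737 is test data.
    return addr.is_loopback or addr.is_private or any(addr in net for net in DOC_NETS)


def is_short_number(text: str) -> bool:
    # Fewer than nine digits is a date, a duration or an order number, not a phone.
    return sum(ch.isdigit() for ch in text) < 9


# kind -> (broad pattern, predicate that clears a match as safe). Broad on purpose:
# a gate on test data should over-report and let a human dismiss false positives.
CHECKS: dict[str, tuple[re.Pattern, Callable[[str], bool]]] = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), is_safe_email),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), is_safe_ip),
    "phone": (re.compile(r"\+?\d[\d ()-]{7,}\d"), is_short_number),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never echo the full value: this report ends up in CI logs


def redact(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2)


def scan_lines(lines: Iterable[str]) -> list[Finding]:
    """Flag pattern-shaped PII in fixture or log lines, skipping allow-listed values."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for kind, (pattern, is_safe) in CHECKS.items():
            for match in pattern.finditer(line):
                if not is_safe(match.group()):
                    findings.append(Finding(line_no, kind, redact(match.group())))
    return findings


# Constructed sample lines; the addresses, names and numbers are not real.
SAMPLE_FIXTURE = """\
2024-01-15T10:23:45Z login ok user=jane.doe@acme-widgets.co.uk src=81.2.69.160
2024-01-15T10:23:46Z login ok user=user-1a2b3c@example.com src=192.0.2.17
2024-01-15T10:24:02Z sms sent to +44 20 7946 0958 order=42
2024-01-15T10:24:03Z healthcheck from 127.0.0.1 took 12 ms
2024-01-15T10:25:11Z export customer_id=48213 rows=1200
""".splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_FIXTURE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run against the sample it reports the real-looking email and source address on line 1 and the phone number on line 3, and stays quiet on the already-masked line 2, the loopback health check and the export line. The report deliberately redacts what it found: a PII scanner that prints full values into a CI log has just created the exposure it was meant to prevent.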
PII is not just a legal concern. It is a quality concern, because quality includes trust, safety, and how responsibly software handles the people behind the data.