Personally identifiable information (PII) is any data that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Examples include a name, home address, email address, social security number, driver's license number, bank account number, passport number, date of birth, biometrics such as fingerprints, or information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Information such as gender, race, religion, and marital status is typically not considered PII on its own. However, this information should still be treated as sensitive because it could identify an individual when combined with other data. A special subset of PII is protected health information (PHI). For more, see About protected health information (PHI).

Protect PII

In the wrong hands, a disclosure of personally identifiable information (PII) can put individuals at risk and lead to identity theft and other forms of fraud. If you manage PII as part of your role in the university, it is important to safeguard the data, and to ensure that the appropriate contracts and data agreements are in place before releasing this type of information to third parties. For more, see the Data Privacy and Security Agreement or Addendum and the Data Sharing Agreements. Only individuals with a legitimate need should have access to PII in your systems. Access restrictions must be in place so that PII is accessible only to those individuals. In addition, it is important to remember these key data access principles when managing this type of data:
The video shows some examples of PII. DHS defines personally identifiable information or PII as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.

Transcript:

So what do I mean when I refer to personal information? At DHS we call personal information "personally identifiable information", or PII: DHS defines PII as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department. Sensitive PII includes but is not limited to the information pictured here, which includes Social Security Numbers, driver's license numbers, Alien Registration numbers, financial or medical records, biometrics, or a criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data are compromised. PII and Sensitive PII as privacy incidents are not necessarily cut and dried. In some cases, PII that is not Sensitive would be reported as a privacy incident depending on context. For example, a loss of a contact list with the names of people who attended training would not be considered a privacy incident. However, if it is a list of employees who are being disciplined for not attending training and it is lost or compromised, then that would be considered a privacy incident. In this instance, it is the context of the information that would cause this to be a reportable privacy incident. Also, the loss of Sensitive PII even in an encrypted or password-protected format could become a privacy incident.
For instance, if encrypted or password-protected Sensitive PII, along with the "key" or password to access the information, is sent to a person without a "need to know" or to a personal e-mail address, this would be considered a privacy incident. If you're confused, stay with me and in a few minutes I will walk you through specific examples on how you can safeguard Sensitive PII.

Last Updated: 12/08/2021
Personal Identifiable Information (PII) is defined as:
Department of Labor (DOL) contractors are reminded that safeguarding sensitive information is a critical responsibility that must be taken seriously at all times. DOL internal policy specifies the following security policies for the protection of PII and other sensitive data:
The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because DOL employees and contractors may have access to personal identifiable information concerning individuals and other sensitive data, we have a special responsibility to protect that information from loss and misuse. With these responsibilities, contractors should ensure that their employees:
Contractors should ensure their contract employees are aware of their responsibilities regarding the protection of PII at the Department of Labor. In addition to the foregoing, if contract employees become aware of a theft or loss of PII, they are required to immediately inform their DOL contract manager. In the event their DOL contract manager is not available, they are to immediately report the theft or loss to the DOL Computer Security Incident Response Capability (CSIRC) team at .