What is considered an individual's personally identifiable information (PII) or protected health information (PHI)?

  • Overview
  • Protect PII
  • Data access principles for sharing and accessing PII

Personally identifiable information (PII) is any data that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Examples include a name, home address, email address, social security number, driver's license number, bank account number, passport number, date of birth, biometrics such as fingerprints, or information that is linked or linkable to an individual such as medical, educational, financial, and employment information.

Information such as gender, race, religion, and marital status is typically not considered PII on its own. However, this information should still be treated as sensitive, because it can identify an individual when combined with other data.

A special subset of PII is protected health information (PHI). For more, see About protected health information (PHI).

Protect PII

In the wrong hands, a disclosure of personally identifiable information (PII) can put individuals at risk and lead to identity theft and other forms of fraud. If you manage PII as part of your role in the university, it is important to safeguard the data, and to ensure that the appropriate contracts and data agreements are in place before releasing this type of information to third parties. For more, see the Data Privacy and Security Agreement or Addendum and the Data Sharing Agreements.

Only individuals with a legitimate need should have access to PII in your systems, and access controls must be in place to enforce that. In addition, keep these key data access principles in mind when managing this type of data:

  • Access data only to conduct university business.
  • Do not access data for personal profit or curiosity.
  • Limit access to the minimum amount of information needed to complete your task.

    For example: If you are creating or running a report and the recipients do not require full birthdate or ethnicity, do not include these fields in the report.

  • Respect the confidentiality and privacy of individuals whose records you access.

    For example: When in public, do not speak about confidential information where unauthorized persons may overhear the conversation.

  • Do not share IU data with third parties unless it is part of your job responsibilities and it has been approved by the appropriate Data Stewards.

    For example: If you are purchasing a vended product that will collect institutional data, you must contact the appropriate Data Steward for approval prior to any data collection or sharing. Likewise, if you are conducting research with colleagues outside of IU, before sharing any data, you must have written approval from the Human Subjects Review Board and the appropriate Data Stewards. For more, see Sharing institutional data with third parties.

  • If you are unsure about data handling procedures:

The video shows some examples of PII.

Transcript:

So what do I mean when I refer to personal information?

At DHS we call personal information “personally identifiable information”, or PII:

DHS defines PII as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.

Sensitive PII includes but is not limited to the information pictured here, which includes Social Security Numbers, driver's license numbers, Alien Registration numbers, financial or medical records, biometrics, or a criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data are compromised.

PII and Sensitive PII as privacy incidents are not necessarily cut and dried. In some cases, PII that is not Sensitive would be reported as a privacy incident depending on context. For example, a loss of a contact list with the names of people who attended training would not be considered a privacy incident. However, if it is a list of employees who are being disciplined for not attending training and it is lost or compromised, then that would be considered a privacy incident. In this instance, it is the context of the information that would cause this to be a reportable privacy incident.

Also, the loss of Sensitive PII even in an encrypted or password-protected format could become a privacy incident. For instance, if encrypted or password-protected Sensitive PII, along with the "key" or password to access the information, is sent to a person without a "need to know" or to a personal e-mail address, this would be considered a privacy incident.

If you’re confused, stay with me and in a few minutes I will walk you through specific examples on how you can safeguard Sensitive PII.

Last Updated: 12/08/2021

Personally identifiable information (PII) is defined as:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
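Two points on this page can be checked in code rather than left as policy: the data-minimization rule above (a report should carry only the fields its recipients need, and not a full birthdate or ethnicity when those are not required) and the definition's point that a combination of gender, race, birth date and geographic indicator can identify a person indirectly even when no name or number is present. The following is an added example, not code from the original page or from IU, DHS or DOL. The roster records are constructed sample data with no real individuals, and the field names, the DIRECT_IDENTIFIERS set and the generalization rules (birth year instead of full DOB, 3-digit ZIP prefix) are assumptions. It builds a report carrying only the requested fields, refuses unapproved direct identifiers, and counts how many records share each combination of the fields that remain (the k-anonymity measure) to show that coarsening the birth date and ZIP code is what stops individual rows from being unique:

```python
"""Data minimization and linkability check for a PII report.

Added example, not code from the original page or from IU, DHS or DOL. The roster
below is constructed sample data (no real individuals); the field names, the
DIRECT_IDENTIFIERS set and the generalization rules are assumptions.
"""
from collections import Counter

# Constructed sample records (assumption: fictitious people and values).
ROSTER = [
    {"name": "A. Example", "ssn": "000-00-0001", "dob": "1990-03-14", "gender": "F",
     "race": "Asian", "zip": "47405", "dept": "Chemistry", "training_complete": True},
    {"name": "B. Example", "ssn": "000-00-0002", "dob": "1990-11-02", "gender": "F",
     "race": "Asian", "zip": "47405", "dept": "Chemistry", "training_complete": False},
    {"name": "C. Example", "ssn": "000-00-0003", "dob": "1985-07-21", "gender": "M",
     "race": "White", "zip": "47401", "dept": "Physics", "training_complete": True},
    {"name": "D. Example", "ssn": "000-00-0004", "dob": "1985-01-09", "gender": "M",
     "race": "White", "zip": "47401", "dept": "Physics", "training_complete": True},
    {"name": "E. Example", "ssn": "000-00-0005", "dob": "1992-05-30", "gender": "F",
     "race": "Black", "zip": "47408", "dept": "Biology", "training_complete": False},
    {"name": "F. Example", "ssn": "000-00-0006", "dob": "1992-08-17", "gender": "F",
     "race": "Black", "zip": "47408", "dept": "Biology", "training_complete": True},
]

# Fields that identify a person on their own (assumed list, modelled on the page's
# examples). A report may carry one of these in full only with explicit approval.
DIRECT_IDENTIFIERS = {"name", "ssn", "dob", "email", "phone"}


def generalize(field, value):
    """Coarsen a field the recipient does not need in full (assumed rules).

    dob  "1990-03-14" -> "1990"   (birth year only)
    zip  "47405"      -> "474XX"  (3-digit prefix)
    Any other field is returned unchanged.
    """
    if field == "dob":
        return value[:4]
    if field == "zip":
        return value[:3] + "XX"
    return value


def minimize_report(records, needed, generalized=(), approved_direct=()):
    """Build report rows that carry only the `needed` fields.

    Fields listed in `generalized` are coarsened with generalize(); a generalized
    field no longer counts as a direct identifier. Any other direct identifier in
    `needed` must be listed in `approved_direct`, otherwise the report is refused
    instead of silently including it.
    """
    unapproved = (set(needed) & DIRECT_IDENTIFIERS) - set(generalized) - set(approved_direct)
    if unapproved:
        raise ValueError(f"report requests unapproved direct identifiers: {sorted(unapproved)}")
    return [
        {f: generalize(f, rec[f]) if f in generalized else rec[f] for f in needed}
        for rec in records
    ]


def k_anonymity(rows, quasi_identifiers):
    """Smallest number of rows sharing one combination of quasi-identifier values.

    A result of 1 means some row is unique on those fields, so anyone holding
    another dataset with the same fields (a directory, a voter roll) can link it
    back to one person even though the report has no name or SSN in it.
    """
    groups = Counter(tuple(row[f] for f in quasi_identifiers) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    # Training-compliance report: recipients need department and status, nothing else.
    print(minimize_report(ROSTER, ["dept", "training_complete"])[0])

    demographic = ["gender", "race", "dob", "zip"]
    # Full DOB and ZIP: every row is unique on these four fields (k = 1).
    print("k with full DOB/ZIP:", k_anonymity(ROSTER, demographic))
    # Birth year and ZIP prefix: each row now shares its values with another (k = 2).
    coarse = minimize_report(ROSTER, demographic, generalized=("dob", "zip"))
    print("k after generalization:", k_anonymity(coarse, demographic))

    # Asking for name and SSN without approval is refused.
    try:
        minimize_report(ROSTER, ["name", "ssn"])
    except ValueError as err:
        print("refused:", err)
```

The k-anonymity count is only as good as the list of quasi-identifiers you give it; it says nothing about fields you did not include, and with a roster this small almost any combination is close to unique, which is exactly why the page's advice is to drop fields rather than reason about whether they are "really" identifying.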

Department of Labor (DOL) contractors are reminded that safeguarding sensitive information is a critical responsibility that must be taken seriously at all times. DOL internal policy specifies the following security policies for the protection of PII and other sensitive data:

  • It is the responsibility of the individual user to protect data to which they have access. Users must adhere to the rules of behavior defined in applicable Systems Security Plans, DOL and agency guidance.
  • DOL contractors having access to personal information shall respect the confidentiality of such information, and refrain from any conduct that would indicate a careless or negligent attitude toward such information. Contract employees also shall avoid office gossip and should not permit any unauthorized viewing of records contained in a DOL system of records. Only individuals who have a "need to know" in their official capacity shall have access to such systems of records.

The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because DOL employees and contractors may have access to personally identifiable information concerning individuals and other sensitive data, we have a special responsibility to protect that information from loss and misuse.

With these responsibilities, contractors should ensure that their employees:

  • Safeguard DOL information to which they have access at all times.
  • Obtain DOL management's written approval prior to taking any DOL sensitive information away from the office. The DOL manager's approval must identify the business necessity for removing such information from the DOL facility.
  • When approval is granted to take sensitive information away from the office, the employee must adhere to the security policies described above.

Contractors should ensure their contract employees are aware of their responsibilities regarding the protection of PII at the Department of Labor. In addition to the foregoing, if contract employees become aware of a theft or loss of PII, they are required to immediately inform their DOL contract manager. In the event their DOL contract manager is not available, they are to immediately report the theft or loss to the DOL Computer Security Incident Response Capability (CSIRC) team at .