What is Personally Identifiable Information?
Personally Identifiable Information, or PII, was defined by the Office of Management and Budget (OMB) in May 2007 as:
"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc."
Examples of PII include, but are not limited to:
- Contact Information
- Student ID
- Date of Birth
- Parent Names
- Social Security Number
- Alien Registration Number
- Biometric Records
- Bank Account Information
- Medical Information
- Grade/Employment Information
PII is not always considered "sensitive"; context must be taken into account to determine the sensitivity of specific PII. PII is considered "sensitive" if, whether alone or in combination with other PII, it can be used to uniquely identify, contact, or locate a single person and expose them to harm.
Unauthorized access, use, or disclosure of sensitive PII harms affected individuals by exposing them to the possibility of identity theft and/or by publicly revealing information they otherwise would have kept private. PII breaches can also expose organizations to a variety of financial and non-financial risks, such as investigations, lawsuits, fines, regulatory sanctions, and reputational damage.
Safeguarding PII refers to protecting PII from loss, theft or misuse while simultaneously supporting the university's mission. Effectively safeguarding PII requires university personnel to be diligent and proactive when processing and protecting this information, but it also significantly enhances the overall privacy posture throughout the university.