Definitions[edit | edit source]
Sensitive personally identifiable information (PII) is
|“||personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.||”|
|“||PII that requires stricter handling guidelines because of the nature of the data and the increased risk to an individual if compromised, and if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.||”|
|“||an individual's Social Security number alone; or an individual's name or address or phone number in combination with one or more of the following: date of birth, Social Security number, driver's license number or other state identification number, or a foreign country equivalent, passport number, financial account number, credit card number, or debit card number.||”|
Overview[edit | edit source]
Not all PII is sensitive. For example, information on a business card or in a public phone directory is PII, but in most cases not Sensitive PII, because it is usually widely available public information.
PII that is available to the public or that resides on test and development environments is still considered Sensitive PII in certain circumstances. For example, an individual's SSN might be available in a public record maintained by a local court; however, an individual's SSN can be Sensitive PII because SSNs are a key identifier used in identity theft and therefore are inherently sensitive. As another example, an employee might maintain a public website identifying herself as having a certain medical condition; however, that same medical information in that employee's personnel file would still be considered Sensitive PII.
Examples[edit | edit source]
Some categories of PII are sensitive as stand-alone data elements. Examples of such Sensitive PII include: Social Security number (SSN), alien registration number (A-Number), or biometric identifier. Other data elements such as driver's license number, financial account number, citizenship or immigration status, or medical information, in conjunction with the identity of an individual (directly or indirectly inferred), are also Sensitive PII. In addition, the context of the PII may determine whether the PII is sensitive, such as a list of employee names with poor performance ratings.