Sensitive personally identifiable information (PII) is
|“||personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.||”|
|“||PII that requires stricter handling guidelines because of the nature of the data and the increased risk to an individual if compromised, and if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.||”|
|“||an individual's Social Security number alone; or an individual's name or address or phone number in combination with one or more of the following: date of birth, Social Security number, driver's license number or other state identification number, or a foreign country equivalent, passport number, financial account number, credit card number, or debit card number.||”|
Not all PII is sensitive. For example, information on a business card or in a public phone directory is PII, but in most cases not Sensitive PII, because it is usually widely available public information.
PII that is available to the public or that resides on test and development environments is still considered Sensitive PII in certain circumstances. For example, an individual's SSN might be available in a public record maintained by a local court; however, an individual's SSN can be Sensitive PII because SSNs are a key identifier used in identity theft and therefore are inherently sensitive. As another example, an employee might maintain a public website identifying herself as having a certain medical condition; however, that same medical information in that employee's personnel file would still be considered Sensitive PII.
Some categories of PII are sensitive as stand-alone data elements. Examples of such Sensitive PII include: Social Security number (SSN), alien registration number (A-Number), or biometric identifier. Other data elements such as driver's license number, financial account number, citizenship or immigration status, or medical information, in conjunction with the identity of an individual (directly or indirectly inferred), are also Sensitive PII. In addition, the context of the PII may determine whether the PII is sensitive, such as a list of employee names with poor performance ratings.
- ↑ Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of Homeland Security, at 4.
- ↑ DHS Sensitive Systems Policy Directive 4300A, Glossary, at 104.
- ↑ Order to File Special Report, at 15.