Sensitive PII
From The IT Law Wiki
Sensitive PII is personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some categories of PII are sensitive as stand-alone data elements. Examples of such Sensitive PII include: Social Security number (SSN), alien registration number (A-Number), or biometric identifier. Other data elements such as driver's license number, financial account number, citizenship or immigration status, or medical information, in conjunction with the identity of an individual (directly or indirectly inferred), are also Sensitive PII. In addition, the context of the PII may determine whether the PII is sensitive, such as a list of employee names with poor performance ratings.
Not all PII is sensitive. For example, information on a business card or in a public phone directory is PII, but in most cases not Sensitive PII, because it is usually widely available public information.
PII that is available to the public or that resides on test and development environments is still considered Sensitive PII in certain circumstances. For example, an individual’s SSN might be available in a public record maintained by a local court; however, an individual’s SSN to be Sensitive PII because SSNs are a key identifier used in identity theft and therefore are inherently sensitive. As another example, an employee might maintain a public website identifying herself as having a certain medical condition; however, that same medical information in that employee’s personnel file would still be considered Sensitive PII.
