Frequently Asked Questions : Privacy

What is personally identifiable information (PII)?

Personally identifiable information (PII) is any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. It includes information that is linked or linkable to an individual, such as medical, educational, financial and employment information. Examples of data elements that can identify an individual include name, fingerprints or other biometric (including genetic) data, email address, telephone number or social security number.  Safeguarding university-held PII (and other sensitive information) is the responsibility of each and every member of the University’s workforce. Regardless of your role, you should know what PII is and your responsibility in ensuring its protection.

Although society has always relied on personal identifiers, defining and protecting PII has recently become much more important as a component of personal privacy, now that advances in computing and communications technology, including the internet, has made it easier to collect and process vast amounts of information. The protection of PII and the overall privacy of information are concerns both for individuals whose personal information is at stake and for organizations that may be liable or have their reputations damaged should such PII be inappropriately accessed, used, or disclosed.  Examples of laws related to different types of PII are listed below:

  • HIPAA/HITECH - Health related information
  • GLBA - Financial information
  • Privacy Act - Fair Information Practices for PII held by Federal Agencies
  • COPPA - Protects children’s privacy by allowing parents to control what information is collected
  • FERPA - Student’s personal information
  • FCRA - Collection and use of consumer information

Such laws attempt to restrict corporations from inappropriately sharing PII and impose requirements for appropriately protecting such information.

Legally collecting and selling PII has become profitable, but PII can also be exploited by criminals to steal a person’s identity or commit other crimes. According to FBI statistics, identity theft continues to be one of the nation’s fastest growing crimes and can cause both financial and emotional damage to its victims. Due to this threat, many governments have enacted legislation to limit the distribution of personal information.

The following list contains examples of information that may be considered PII.

  • Name, such as full name, maiden name, mother‘s maiden name, or alias
  • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number
  • Address information, such as street address or email address
  • Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
  • Telephone numbers, including mobile, business, and personal numbers
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
  • Information identifying personally owned property, such as vehicle registration number or title number and related information
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Sometimes, one or two pieces of information can be combined with other information to compromise someone’s identity, even if the individual pieces of information seem harmless.

For more information
What is Protected Health Information (PHI)?
Protecting Sensitive Data is Everyone’s Responsibility
De-identified health information
UM Data Classification Policy
NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
DHS Handbook for Safeguarding Sensitive Personally Identifiable Information