Protecting Personally Identifiable Information (PII) and other sensitive data is crucial for maintaining privacy, security, and legal compliance. These guidelines will help you identify what constitutes PII and sensitive data, and how to handle it appropriately.
What is PII?
Personally Identifiable Information (PII) is any information that can be used to identify an individual, either directly or indirectly.
Examples of PII
Direct Identifiers:
- Full Name
- Social Security Number (SSN)
- Driver's License Number
- Passport Number
- Email Address
- Phone Number
- Home Address
- Biometric Data (e.g., fingerprints, facial recognition data)
Indirect Identifiers:
- Date of Birth
- Place of Birth
- Vehicle Registration Number
- IP Address
- Device ID
- Location Data
- Job Title
- Educational Records
- Financial Information
Note: Combining indirect identifiers can sometimes lead to the identification of an individual.
What is Sensitive Data?
Sensitive data is information that, if disclosed, could cause substantial harm, embarrassment, inconvenience, or unfairness to an individual. Sensitive data often overlaps with PII, but it may also include non-PII.
Examples of Sensitive Data:
- Financial Information: Credit card numbers, bank account details
- Medical Information: Health records, diagnoses
- Login Credentials: Passwords, usernames
- Authentication Data: Security questions and answers
- Employee Records: Performance reviews, disciplinary actions
- Legal Information: Criminal records, court documents
- Wake Forest Employee ID
- Student Records: Grades, transcripts
- Proprietary Business Information: Trade secrets, confidential documents
Identifying PII and Sensitive Data
Here’s a process to help you identify PII and sensitive data:
- Consider the Context:
  - How was the data collected?
  - What is the purpose of the data?
  - Who has access to the data?
  - What are the potential risks if the data is disclosed?
- Look for Direct Identifiers:
  - Does the data contain any of the direct identifiers listed above?
  - Are there any fields that explicitly identify an individual?
- Analyze Indirect Identifiers:
  - Does the data contain any indirect identifiers?
  - Can these indirect identifiers be combined to identify an individual?
  - Could the data be linked to other datasets to reveal an individual's identity?
- Determine Sensitivity:
  - Would the disclosure of this data cause harm to an individual or organization?
  - Is the data protected by any laws or regulations (e.g., HIPAA, GDPR, CCPA)?
  - Does the data involve financial, medical, or other sensitive information?
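The direct and indirect identifier checks above can be run over a dataset before it is shared. The following is an added example, not part of the original guidelines: the column names and the sample records are constructed assumptions, and the script reports which combinations of indirect identifiers single out one record even though no direct identifier is present.

```python
import csv
import io
from collections import Counter
from itertools import combinations

# Assumed column names, mapped to the identifier lists in these guidelines.
DIRECT = {"full_name", "ssn", "email", "phone", "home_address"}
INDIRECT = {"job_title", "date_of_birth", "zip_code", "ip_address", "device_id"}

# Constructed sample records (not real data). No direct identifiers present.
SAMPLE_CSV = """record_id,job_title,date_of_birth,zip_code,grade
1,Professor,1975-03-02,27001,A
2,Professor,1975-03-02,27002,B
3,Analyst,1990-11-17,27001,A
4,Analyst,1990-11-17,27001,C
5,Analyst,1975-03-02,27002,B
6,Professor,1990-11-17,27002,A
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def classify(header):
    """Split column names into (direct, indirect) identifiers."""
    return ([c for c in header if c in DIRECT],
            [c for c in header if c in INDIRECT])

def unique_records(rows, cols):
    """Return the record_ids whose values for `cols` match no other record."""
    def key(row):
        return tuple(row[c] for c in cols)
    counts = Counter(key(r) for r in rows)
    return [r["record_id"] for r in rows if counts[key(r)] == 1]

def reidentification_report(rows, indirect):
    """Map each combination of indirect identifiers to the records it singles out."""
    report = {}
    for n in range(1, len(indirect) + 1):
        for combo in combinations(indirect, n):
            singled_out = unique_records(rows, combo)
            if singled_out:
                report[combo] = singled_out
    return report

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    direct, indirect = classify(rows[0].keys())
    print("direct identifiers:", direct or "none")
    for combo, ids in reidentification_report(rows, indirect).items():
        print(" + ".join(combo), "-> singles out records", ids)
```

In this sample every record shares each single column value with two others, yet four of the six records become unique once job title, date of birth and ZIP code are combined.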
Conclusion
By following these guidelines, you can effectively identify PII and sensitive data and take the necessary steps to protect it. Protecting this information is not only a legal requirement but also our shared ethical responsibility.