What is Personally Identifiable Information? | Homeland Security

Transcript:

So what do I mean when I refer to personal information?

At DHS we call personal information “personally identifiable information”, or PII:

DHS defines PII as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.

Sensitive PII includes but is not limited to the information pictured here, which includes Social Security Numbers, driver’s license numbers, Alien Registration numbers, financial or medical records, biometrics, or a criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data are compromised.

PII and Sensitive PII as privacy incidents are not necessarily cut and dried. In some cases, PII that is not Sensitive would be reported as a privacy incident depending on context. For example, a loss of a contact list with the names of people who attended training would not be considered a privacy incident. However, if it is a list of employees who are being disciplined for not attending training and it is lost or compromised, then that would be considered a privacy incident. In this instance, it is the context of the information that would cause this to be a reportable privacy incident.

Also, the loss of Sensitive PII even in an encrypted or password-protected format could become a privacy incident. For instance, if encrypted or password-protected Sensitive PII, along with the "key" or password to access the information, is sent to a person without a "need to know" or to a personal e-mail address, this would be considered a privacy incident.

If you’re confused, stay with me and in a few minutes I will walk you through specific examples on how you can safeguard Sensitive PII.