76. What is Personally Identifiable Information (PII) and why are information security policies so important?

What exactly is PII? According to the National Institute of Standards and Technology (NIST) publication SP 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)," it is the following:

"Any information about an individual, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information". More specifically, it consists of the following:

  • Full name, with all middle names (especially if the name is not common).
  • Any part of an individual's name that is stored or displayed in conjunction with any of the subsequent listings of data and information deemed PII.
  • National Identification information, such as passports, visas, permanent residence cards, voting information, social security number (United States), or any other type of unique identifier used on a national level.
  • Local, state, or provincial information, such as driver's licenses, vehicle registration and permit documents, or any other type of unique identifier used at the local, state, or provincial level.
  • Digital Identifiers, such as IP addresses, usernames, passwords, etc.
  • Facial, fingerprint, iris and all other associated biometric information.
  • Date of Birth
  • Place of Birth
  • Medical records (i.e., protected health information (PHI) and electronically protected health information (ePHI)), and all associated data and information contained (electronically or in hard copy) within the medical records. Also, genetic information, if applicable.
  • Criminal records
  • Financial and Accounting records, such as banking, mortgage, revolving debt and tax information, along with credit and debit cards.
  • Educational information, such as classes taken, schedule, grades received, degrees conferred, disciplinary actions, financial aid, student loans, etc.
  • Professional and occupational information, such as salary, tenure, etc.
  • Professional licenses, certifications, designations, etc.
  • Any other information deemed PII, but not listed above

In summary, PII consists of both the data and information that is unique to an individual and the source of the applicable data and information. For example, a social security number is the "data and information" of PII and the social security card or anywhere the number is found, imprinted, stored, or kept is the "source" of PII.

Information Security Policies are Critical for PII Compliance

Protecting PII, and other forms of highly sensitive and privileged information, requires industry-leading information security policies and procedures, such as the hundreds of documents available for immediate download from FLANK. The all-inclusive set contains hundreds of high-quality operational, business-specific, and information security policies, procedures, forms, checklists, and templates, including an actual PII policy. View sample documents to learn more about the quality and depth of the set.