Personally Identifiable Information (PII)
What is Personally Identifiable Information (PII)?
According to the National Institute of Standards and Technology (NIST Special Publication 800-122), Personally Identifiable Information (PII) is defined as "any information about an individual maintained by an agency, including:
(1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
What are the federal regulations for PII?
There is no single U.S. law that regulates personally identifiable information. Instead, a number of sector-specific laws protect and/or regulate the use of PII. Notable PII regulations:
- Health Insurance Portability and Accountability Act (HIPAA) - regulates protected health information (PHI).
- Children's Online Privacy Protection Act (COPPA) - regulates online collection of personal information from children under 13.
- Gramm-Leach-Bliley Act (GLBA) - regulates how financial institutions handle customer data.
- Privacy Act of 1974 - regulates how U.S. federal agencies handle personal information.
- Family Educational Rights and Privacy Act (FERPA) - regulates the privacy of student education records and the PII contained within them.
What does a researcher need to do if they want to create or use PII?
- Contact the Office of Research Compliance to ensure that they have the appropriate human subjects approvals for their research.
- Enter into the appropriate agreement - read about Data Use Agreements
- De-identify data wherever possible, so that researchers work with coded or anonymized records while the direct identifiers stay with a trusted intermediary - read about Honest Broker Services
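As an added illustration (not part of this page, and not the Honest Broker Service's own code), the following Python sketch shows the de-identification pattern the last bullet refers to: the direct identifiers from NIST's category (1) are stripped and replaced with a keyed pseudonym, quasi-identifiers such as date of birth and ZIP code are generalized, and the linkage between pseudonym and identity is retained only by the broker, who holds the key. The sample records, field names and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records (fictional people) for this example only.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "ssn": "123-45-6789", "dob": "1984-03-09",
     "zip": "02139", "diagnosis": "J45.20"},
    {"name": "Ben Sample", "ssn": "987-65-4321", "dob": "1957-11-30",
     "zip": "03602", "diagnosis": "E11.9"},
]

# Fields that on their own distinguish a person (NIST category (1)).
DIRECT_IDENTIFIERS = ("name", "ssn")

# Assumed secret held only by the honest broker; never shipped with the data.
BROKER_KEY = b"example-broker-key-keep-in-a-kms"


def pseudonym(record: Dict[str, str], broker_key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) over the direct identifiers.

    A plain hash of an SSN or name can be reversed by enumerating inputs;
    keying it with a secret the researcher never receives means the
    released dataset cannot be re-linked without the broker's cooperation.
    """
    material = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    return hmac.new(broker_key, material, hashlib.sha256).hexdigest()[:16]


def generalize(record: Dict[str, str]) -> Dict[str, str]:
    """Drop direct identifiers and coarsen quasi-identifiers.

    Date of birth is reduced to birth year and ZIP to its first three
    digits, mirroring two HIPAA Safe Harbor elements. Safe Harbor has
    further rules (e.g. sparsely populated ZIP3 areas become 000, ages
    over 89 are aggregated) that this illustration does not implement.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("dob")[:4]
    out["zip3"] = out.pop("zip")[:3]
    return out


def deidentify(records: List[Dict[str, str]],
               broker_key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (released_rows, linkage).

    released_rows go to the researcher; linkage (pseudonym -> identity)
    stays with the broker, so re-contact or re-linking is possible only
    through the broker.
    """
    released, linkage = [], {}
    for rec in records:
        pid = pseudonym(rec, broker_key)
        row = generalize(rec)
        row["pseudo_id"] = pid
        released.append(row)
        linkage[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return released, linkage


def leaks_direct_identifiers(released: List[Dict[str, str]]) -> bool:
    """Release gate: refuse to hand over rows that still carry name or SSN."""
    return any(f in row for row in released for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    rows, link = deidentify(SAMPLE_RECORDS, BROKER_KEY)
    assert not leaks_direct_identifiers(rows)
    for row in rows:
        print(row)
```

Two points worth noting. Using an HMAC rather than a bare hash matters because names and SSNs have small input spaces, so an unkeyed SHA-256 of an SSN is effectively reversible; and because the pseudonym depends on the broker's key, two releases made under different keys cannot be joined with each other. Coarsening birth date and ZIP reduces, but does not eliminate, re-identification through rare combinations of remaining fields, so whether a dataset counts as de-identified for a given study is still a determination for the compliance office and IRB, not for the script.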