Defining Personally Identifiable Information (PII)

If you receive a request under your state or local government’s Sunshine Law, do you know how to identify what personally identifiable information (aka, PII), information must be protected?

Why it Matters

Every State government addresses individual privacy in some way, and this is generally reflected on State webpages, so that the public can see what protections are provided for their personal information. Most States agree on basic protections that should be provided. For example, Social Security numbers and patient health information are always protected. However, beyond that point, many states define “privacy” differently. Some states simply indicate, in their laws or regulations, that an individual’s right to privacy should be observed, but the nature of that protection might not be well defined, or defined at all. [florida-sunshine-law]

Other states define the data elements, or categories, which must be protected. For example, the State of North Carolina website contains the following guidance:

“Personally Identifiable Information (PII) refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”

What to Withhold

There are a number of issues to consider when preparing a record for public release. What’s considered “reasonable,” or how do you determine what can be linked to already public information when the combination of data elements would result in identifying a person and invading their privacy? What does “personal” actually mean?

State legislatures appear to be addressing privacy issues through individual laws or regulations which only apply to a single state or municipality. And, as technology advances, states are addressing specific issues relating to privacy, but not necessarily privacy in total. For example, some states have laws or regulations prohibiting release of what an individual checks out of the library, information on student loans, or motor vehicle registration data.

Other states addressed social media, and health records, but not other PII categories. The lack of specificity can make it difficult for state and local government employees, working to comply with their state sunshine laws, to consistently identify the categories of records that must be protected.

Solutions for Offices Without a PII Definition

There are multiple options for a Sunshine officer to use, when making release determinations, if your offices don’t already have a detailed definition of what’s subject to protection as PII. For example, check the data against the internet. If the information that you are considering protecting is already available on the internet, you can safely assume that the information is public. One caution however – make sure that the information is in context. For example if you are considering whether to withhold the name and address of a constituent who submitted a complaint, it’s probable that you can locate that person’s name and address on line (if only via on-line telephone books). What you wouldn’t be able to find, however, is a link between that person and the specific complaint (unless litigation was filed, in which case most – but not all - identities become a matter of public record). If you can’t locate that information in question after a simple internet search, there’s a strong probability that the information should be protected.

Another option is to use the federal government definition of PII, when making release decisions. The “feds” have very specific guidelines on what PII is, and are strictly prohibited from release.   The list of such data fields are found in the National Institute of Standards and Technology (NIST) publication Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).  You may wish to consult your general counsel before adopting the NIST definition of PII, but there is a strong probability that they would agree that the federal PII definition is a good standard for local government use, and would be supportable in court, if a lawsuit was filed by a person claiming that their privacy was illegally invaded.

Issues In the Future When Defining PII

As technology evolves, and increasingly becomes part of our daily lives, those of us working with privacy issues will continue to struggle with complex issues such as internet use, cell phone tracking, ID theft, social media access, health records, cop cams (police cameras worn in the line of duty), unwanted telephone solicitation, motor vehicle records, student loans, whether there are limits on the right to privacy, and whether there should be limits on how long information should be available, among other issues.

How a Sunshine Officer Can Help You Protect Privacy

Stay involved in the decision making process. Participate in creating, or revising policy that impacts release of an individual’s data, and build privacy into every data base. In a future blog, we’ll consider how to build privacy into every new database, how that impacts records management, and how this input will result in making your organization stronger and more effective.

About the Author: Fred Sadler

Fred served 40 years with the U.S. Food & Drug Administration as the Freedom of Information Act (FOIA) Officer and the Senior Official for Privacy. In that role, he testified before the House of Representatives’ Sub-committee on Oversight and Reform and was a frequent speaker for the Department of Justice’s Office of Information Policy. Fred is a Certified Information Privacy Professional through the International Association of Privacy Professionals (IAPP) and also holds its accreditation as a Certified Information Privacy Manager. He is a three-time recipient of the Commissioner’s Commendable Service Award and has also received the Health and Human Services Secretary’s Award for Distinguished Service. A former two-term president of the American Society of Access Professionals, Fred is an expert in the theory, process and application of privacy laws.