nebraska (posted October 28, 2014):

Very broad question here, guys: How do you go about defining Personally Identifiable Information (PII)? We have a new systems security guy who is very stringent in his definition, even going so far as to flag an email where an internal employee sent our outside customer a list of 10 names (with emails and phone numbers for each). Those 10 names were employees and/or outside individuals who were willing to serve on a committee (no information came from a system of records). I was acting under the assumption that the Privacy Act governed PII in terms of working with federal contracts, but the new guy is talking a lot about "ISP Standards" and other CMS guidance. How do you guys handle PII? Any resources you could point me to, to help us set some standards and limits on the PII definition? Thanks for the help!
formerfed (posted October 28, 2014):

Look at NIST Pub 800-122. Phone numbers and email addresses fall in that category.
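To make the "is this email PII?" question concrete, here is an added example (not code from this thread, not a NIST tool, and not any agency's rule) of the kind of check a mail-filtering or DLP rule performs. It recognises only elements that have a fixed syntax (email addresses, US-style phone numbers, SSN-shaped numbers, MM/DD/YYYY dates); names are deliberately not matched, which is the whole reason a list of committee members is a judgement call rather than a pattern. The tiering (a direct identifier, two or more linkable elements, one linkable element, or nothing) is a constructed simplification of the "linked or linkable" language quoted later in the thread, the patterns are assumptions for illustration, and the sample message is constructed.

```python
import re
from dataclasses import dataclass

# Assumed regexes for PII elements that can be recognised by syntax alone.
# Names are intentionally absent: matching them needs context or a
# dictionary, so a "list of 10 names" is a policy judgement, not a pattern.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Constructed split: an element that identifies a person on its own versus
# elements that identify only when linked with others.
DIRECT = {"ssn"}
QUASI = {"email", "phone", "dob"}


@dataclass
class Finding:
    kind: str   # which PATTERNS entry matched
    count: int  # how many occurrences were found


def scan(text):
    """Return one Finding per PII element type present in text."""
    findings = []
    for kind, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            findings.append(Finding(kind, n))
    return findings


def triage(text, record_threshold=5):
    """Constructed triage rule for a message.

    level: "direct" if an SSN-shaped element is present,
           "quasi"  if two or more linkable element types co-occur,
           "review" if exactly one linkable element type appears,
           "clear"  if nothing matched.
    bulk:  True when any single element type occurs record_threshold
           times or more, i.e. the message looks like a list of records.
    """
    findings = scan(text)
    kinds = {f.kind for f in findings}
    total = sum(f.count for f in findings)
    if kinds & DIRECT:
        level = "direct"
    elif len(kinds & QUASI) >= 2:
        level = "quasi"
    elif kinds & QUASI:
        level = "review"
    else:
        level = "clear"
    bulk = max((f.count for f in findings), default=0) >= record_threshold
    return {"level": level, "bulk": bulk, "kinds": sorted(kinds), "total": total}


# Constructed sample message: three committee volunteers, each with a name,
# an email address and a phone number (no system-of-records data).
SAMPLE_EMAIL = """Hi team, here are the volunteers for the committee:
  Ana Nguyen, a.nguyen@example.org, (402) 555-0101
  Ben Okafor, ben.okafor@example.org, 402-555-0102
  Cara Silva, cara@example.org, 402.555.0103
Thanks!"""

if __name__ == "__main__":
    # Expected: level "quasi" (emails and phones co-occur), bulk False (3 < 5)
    print(triage(SAMPLE_EMAIL))
```

Run against the sample, the message lands in the "quasi" tier because email addresses and phone numbers co-occur, but not in the "bulk" tier because only three records are present; that is the distinction the original poster's security reviewer is collapsing when a three-line committee roster is treated the same as an SSN or a system-of-records extract. The thresholds are the policy decision, and this code only makes them explicit.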
Retreadfed (posted October 28, 2014):

Nebraska, are you with the government or a contractor?
nebraska (posted October 28, 2014, original poster):

Contractor.
poisonivvy (posted November 4, 2014):

Our contract requirement is flowed down from the agency (Dept of Energy) through CRD O 206.1, which defines PII as:

"Personally Identifiable Information (PII). Any information collected or maintained by the Department about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother's maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual."

My emphasis in bold. Perhaps your contract has a similar specific agency requirement?
Boof (posted November 4, 2014):

From the Department of State Foreign Affairs Manual (FAM):

Personally identifiable information (PII): Refers to information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. Department employees should exercise their best judgment in determining the sensitivity of the PII. Sensitivity of the PII would depend on factors such as whether its unauthorized disclosure may result in any of the following harms to the record's subject: fiscal or physical harm, identity theft, personal or professional embarrassment, inconvenience, unfairness, security risks, coercion, and/or other adverse effects.
DingoesAteMyBaby (posted December 1, 2014):

> Very broad question here guys: How do you go about defining Personally Identifiable Information (PII)? We have a new systems security guy who is very stringent in his definition; even going so far as to flag an email where an internal employee sent our outside customer a list of 10 names (with emails and phone numbers for each)....those 10 names were employee and/or outside individuals who were willing to serve on a committee (no information came from a system of records). I was acting under the assumption that the Privacy Act governed PII in terms of working with federal contracts but the new guy is talking a lot about "ISP Standards" and other CMS guidance. How do you guys handle PII? Any resources you could point me to to help us set some standards and limits on the PII definition? Thanks for the help!

I'm just going to say that a high percentage of e-mails from Government officials probably include the Name, e-mail address, and contact number for the individual; the compilation of which is ordinary and not particularly personally identifiable. This is all public information, just as your pay grade, salary, and any bonuses would be.

Here's a shocking way to make a compilation of data in less than 2 minutes:

Salary of Civilian Agency employees: http://www.fedsdatacenter.com/federal-pay-rates/index.php

Combined with WA state voter database including address and DOB: http://soundpolitics.com/voterlookup.html

And I won't tell you how to find Service Computation Dates. Show that to your security guy.