The Wifcon Forums and Blogs - 27 Years Online

Very broad question here guys: How do you go about defining Personally Identifiable Information (PII)? We have a new systems security guy who is very stringent in his definition; even going so far as to flag an email where an internal employee sent our outside customer a list of 10 names (with emails and phone numbers for each)....those 10 names were employee and/or outside individuals who were willing to serve on a committee (no information came from a system of records). I was acting under the assumption that the Privacy Act governed PII in terms of working with federal contracts but the new guy is talking a lot about "ISP Standards" and other CMS guidance.

How do you guys handle PII? Any resources you could point me to, to help us set some standards and limits on the PII definition?

Thanks for the help!

Look at NIST Pub 800-122. Phone numbers and email addresses fall in that category.

Nebraska, are you with the government or a contractor?

Our contract requirement is flowed down from the agency (Dept of Energy) through CRD O 206.1, which defines PII as: "Personally Identifiable Information (PII). Any information collected or maintained by the Department about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother's maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual."

My emphasis in bold. Perhaps your contract has a similar specific agency requirement?

From the Department of State Foreign Affairs Manual (FAM): Personally identifiable information (PII): Refers to information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. Department employees should exercise their best judgment in determining the sensitivity of the PII. Sensitivity of the PII would depend on factors such as whether its unauthorized disclosure may result in any of the following harms to the record subject: fiscal or physical harm, identity theft, personal or professional embarrassment, inconvenience, unfairness, security risks, coercion, and/or other adverse effects.

I'm just going to say that a high percentage of e-mails from Government officials probably include the Name, e-mail address, and contact number for the individual; the compilation of which is ordinary and not particularly personally identifiable. This is all public information, just as your pay grade, salary, and any bonuses would be.

Here's a shocking way to make a compilation of data in less than 2 minutes:

Salary of Civilian Agency employees: http://www.fedsdatacenter.com/federal-pay-rates/index.php

Combined with WA state voter database including address and DOB: http://soundpolitics.com/voterlookup.html

And I won't tell you how to find Service Computation Dates.

Show that to your security guy.
