About personally identifiable information (PII)

On this page:

Overview

Personally identifiable information (PII) is any data that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Examples include a name, home address, email address, social security number, driver's license number, bank account number, passport number, date of birth, biometrics such as fingerprints, or information that is linked or linkable to an individual such as medical, educational, financial, and employment information.

Information such as gender, race, religion, and marital status are typically not considered PII alone. However, this information should still be treated as sensitive because it could identify an individual when combined with other data.

A special subset of PII is protected health information (PHI). For more, see About protected health information (PHI).

Protect PII

In the wrong hands, a disclosure of personally identifiable information (PII) can put individuals at risk and lead to identify theft and other forms of fraud. If you manage PII as part of your role in the university, it is important to safeguard the data, and to ensure that the appropriate contracts and data agreements are in place before releasing this type of information to third parties. For more, see the Data Privacy and Security Agreement or Addendum and the Data Sharing Agreements.

Data access principles for sharing and accessing PII

Only individuals with a legitimate need should have access to PII in your systems. Access restrictions must be in place to assign PII appropriately. In addition, it is important to remember these key data access principles when managing this type of data:

  • Access data only to conduct university business.
  • Do not access data for personal profit or curiosity.
  • Limit access to the minimum amount of information needed to complete your task.

    For example: If you are creating or running a report and the recipients do not require full birthdate or ethnicity, do not include these fields in the report.

  • Respect the confidentiality and privacy of individuals whose records you access.

    For example: When in public, do not speak about confidential information where unauthorized persons may overhear the conversation.

  • Do not share IU data with third parties unless it is part of your job responsibilities and it has been approved by the appropriate Data Stewards.

    For example: If you are purchasing a vended product that will collect institutional data, you must contact the appropriate Data Steward for approval prior to any data collection or sharing. Likewise, if you are conducting research with colleagues outside of IU, before sharing any data, you must have written approval from the Human Subjects Review Board and the appropriate Data Stewards. For more, see Sharing institutional data with third parties.

  • If you are unsure about data handling procedures:

This is document bhii in the Knowledge Base.
Last modified on 2022-08-24 16:49:45.