Sensitive Data

Personally Identifiable Information (PII)

Personally identifiable information (PII) is any data that could potentially identify a specific individual. PII can be labeled sensitive or nonsensitive. Nonsensitive PII can be easily gathered from public records, phone books, corporate directories and websites.

Sensitive PII is information that, when disclosed, could result in harm to an individual. This type of sensitive data often has legal, contractual or ethical requirements for restricted disclosure. Examples of sensitive PII include: social security numbers, driver’s license numbers, and passwords.

Family Educational Rights & Privacy Act (FERPA) Data

FERPA classifies protected information into three categories: educational information, personally identifiable information, and directory information. Although personally identifiable and directory information are often similar or related, FERPA provides different levels of protection for each. PII can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made.

Payment Card Industry (PCI) Data

The PCI Security Standards Council (SSC) developed the Payment Card Industry Data Security Standard (PCI DSS) in 2004 to combat credit card fraud. PCI data includes cardholder data such as the cardholder’s name, the primary account number, and the card’s expiration date and security code.

PCI data can also include sensitive authentication data, including magnetic-stripe data, the equivalent data contained on a chip, and PINs.

Protected Health Information (PHI)

Under HIPAA, protected health information is considered to be individually identifiable information relating to the health status of an individual. Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information.