Frequently Asked Questions (FAQ)
Privacy and security leadership and staff, as well as others, may have questions about identifying,
handling, and protecting the confidentiality of personally identifiable information (PII). This appendix
contains frequently asked questions (FAQ) related to PII. Organizations are encouraged to customize this
FAQ and make it available to their user community.
1. What is personally identifiable information (PII)?
PII is any information about an individual maintained by an agency, including (1) any information
that can be used to distinguish or trace an individual's identity, such as name, social security number,
date and place of birth, mother's maiden name, or biometric records; and (2) any other information
that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
2. What are examples of PII?
The following examples are meant to offer a cross-section of the types of information that could be
considered PII, either singly or collectively, and are not an exhaustive list of all possibilities. Examples
of PII include financial transactions, medical history, criminal history, employment history,
an individual's name, social security number, passport number, driver's license number, credit card
number, vehicle registration, x-ray, patient ID number, and biometric data (e.g., retina scan, voice
signature, facial geometry).
3. Does the definition of individual apply to foreign nationals?
OMB defined the term individual, as used in the definition of PII, to mean a citizen of the United
States or an alien lawfully admitted for permanent residence, which is based on the Privacy Act.
For the purpose of protecting the confidentiality of PII, organizations may choose to
administratively expand the scope of application to foreign nationals without creating new legal
rights. Expanding the scope may reduce administrative burdens and improve operational efficiencies
in the protection of data by eliminating the need to maintain separate systems or otherwise separate
data. Additionally, the status of citizen, alien, or legal permanent resident can change over time,
which makes it difficult to accurately identify and separate the data of foreign nationals. Expanding
the scope may also serve additional organizational interests, such as providing reciprocity for data
sharing agreements with other organizations.
Agencies may also, consistent with individual practice, choose to extend the protections of the
Privacy Act to foreign nationals without creating new judicially enforceable legal rights. For
example, DHS has chosen to extend Privacy Act protections (e.g., access, correction) to foreign
GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf
Organizations may want to consider how PII relating to deceased individuals should be handled, such as continuing to
protect its confidentiality or properly destroying the information. Organizations may want to base their considerations on
any obligations to protect, organizational policies, or evaluation of organization-specific risk factors. With respect to
organization-specific risk factors, there is a balancing act because PII relating to deceased individuals can both promote and
prevent identity theft. For example, making available lists of deceased individuals can prevent some types of fraud, such as
voter fraud. In contrast, PII of a deceased individual also could be used to open a credit card account or to set up a false
cover for criminals. Organizations should consult with their legal counsel and privacy officer.
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,