GUIDE TO PROTECTING THE CONFIDENTIALITY OF PERSONALLY IDENTIFIABLE INFORMATION (PII)
The E-Government Act requires publication of PIAs,[88] which must analyze and describe the
following information:
- What information is to be collected
- Why the information is being collected
- The intended use of the information
- With whom the information will be shared
- What opportunities individuals have to decline to provide information (i.e., where providing
  information is voluntary) or to consent to particular uses of the information (other than required
  or authorized uses), and how individuals can grant consent
- How the information will be secured
- Whether a system of records is being created under the Privacy Act, 5 U.S.C. 552a
- What choices the agency made regarding an information system or collection of information as a
  result of performing the PIA.
7. What is the Paperwork Reduction Act?
The Paperwork Reduction Act (PRA) gives OMB and other Federal agencies responsibilities for the
management of information resources.[89] The PRA is relevant to PII protection for two major reasons.
First, it places privacy among the responsibilities of agency CIOs. However, the extent to which
agency CIOs are responsible for privacy depends on a number of factors, including whether the
agency is covered by any other statutory mandate for the designation of a chief privacy officer
(CPO).[90] Second, the PRA created a process for OMB review and approval of Federal agency
information collections from the public. This process is relevant to PII protection because it provides
a mechanism for agencies to limit the collection of PII, as mandated by the Fair Information Practice
of Collection Limitation. It is also relevant to PII protection because its terms partly define the scope
of E-Government Act PIAs. The purpose of the PRA information collection review process is to
minimize the burdens of paperwork on the public, minimize the cost of information collections, and
increase the quality of Federal information.[91] The PRA requires Federal agencies to get clearance
from OMB when an agency plans to collect information from ten or more persons using identical
reporting, recordkeeping, or disclosure requirements. The term "persons" is defined broadly to include
people, organizations, local government, etc., but it does not include Federal agencies or employees
of Federal agencies when acting in their official capacities. Agencies must also provide notice of the
collection in the Federal Register before submitting the information collection to OMB for clearance.
[88] An agency may exempt itself from this requirement if publication of the PIA would raise national security concerns or
reveal classified or sensitive information.
[89] The PRA is codified at 44 U.S.C. § 3501, et seq. First enacted into law in 1980 (Pub. L. 96-511, Dec. 11, 1980), the PRA
was significantly amended in 1995 (Pub. L. 104-13, May 22, 1995). The Clinger-Cohen Act of 1996 amended the PRA to
make agency Chief Information Officers (CIO) responsible for carrying out agency responsibilities under the Act (sec.
5125(a), Pub. L. 104-106, 110 Stat. 684, Feb. 10, 1996).
[90] For example, chief (or senior) privacy officers are required by the Transportation, Treasury, Independent Agencies, and
General Government Appropriations Act of 2005, for the agencies covered by that Act (sec. 522, Div. H, Pub. L. 108-447,
Dec. 8, 2004), for the Department of Homeland Security by sec. 222, Homeland Security Act, Pub. L. 107-296, Nov. 25,
2002 (6 U.S.C. § 142), and for the Department of Justice by sec. 1174, Violence Against Women and Dept. of Justice
Reauthorization Act of 2005, Pub. L. 109-162, Jan. 5, 2006 (28 U.S.C. § 509).
[91] For additional information, see: http://ocio.os.doc.gov/ITPolicyandPrograms/Information_Collection/dev01_003742.
OMB reviews the proposed information collection and assigns a control number to the collection,
which must be displayed on the collection form.
8. What are the general risks to individuals and the organization if PII is misused?
Depending on the type of information lost, an individual may suffer social, economic, or physical
harm. If the information lost is sufficient to be exploited by an identity thief, the person can suffer,
for example, from a loss of money, damage to credit, a compromise of medical records, threats,
and/or harassment. The individual may suffer tremendous losses of time and money to address the
damage. Other types of harm that may occur to individuals include denial of government benefits,
blackmail, discrimination, and physical harm.
Organizations also face risks to their finances and reputation. If PII is misused, organizations may
suffer financial losses in compensating the individuals, assisting them in monitoring their credit
ratings, and addressing administrative concerns. In addition, recovering from a major breach is costly
to many organizations in terms of time spent by key staff in coordinating and executing appropriate
responses. If a loss of PII constitutes a violation of relevant law, the organization and/or its staff may
be subject to criminal or civil penalties, or it may have to agree to receive close government scrutiny
and oversight. Another major risk to organizations is that their public reputation and public
confidence may be lost, potentially jeopardizing the organizations‘ ability to achieve their missions
.
9. What should I consider when reviewing restrictions on collecting PII?
Key considerations to review are any legal requirements that could impact PII collections. One
should ask what laws, regulations, and guidance are applicable to the organization considering the
type of PII that is collected (e.g., Privacy Act, Paperwork Reduction Act, and the E-Government Act
for general PII; HIPAA for health PII; GLBA for financial PII; COPPA for children's PII). An
organization's legal counsel and privacy officer should always be consulted to determine whether
there are restrictions on collecting PII.
Consistent with the Fair Information Practices of Collection Limitation and Use Limitation, one could
more specifically ask if the collected PII is absolutely necessary to do business (i.e., does it support
the business purpose of the system or the organization's mission?). If it does not serve a viable
business purpose, then Federal agencies may not collect that PII. If the collection of PII does serve a
business purpose, then it should be collected, used, shared, and disseminated appropriately.
10. What is different about protecting PII compared to any other data, and how should PII be
protected?
In many cases, protection of PII is similar to protection of other data and includes protecting the
confidentiality, integrity, and availability of the information. Most security controls used for other
types of data are also applicable to the protection of PII. For PII, there are several privacy-specific
safeguards, such as anonymization, minimization of PII collection, and de-identification.
In addition to protection requirements for PII, there are other requirements for the handling of PII.
The Fair Information Practices provide best practice guidelines, such as Purpose Specification, Use
Limitation, Accountability, and Data Quality. Moreover, the factors for assigning a confidentiality
impact level to PII are different than other types of data. Breaches to the confidentiality of PII harm
both the organization and the individual. Harm to individuals should be factored in strongly because
of the magnitude of the potential harm, such as identity theft, embarrassment, and denial of benefits.
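The three privacy-specific safeguards named above (minimization, de-identification, and a keyed form of anonymization often called pseudonymization) are shown together in the following example. It is added here for illustration and is not code from this guide or from NIST; the sample record, the field policy, and the HMAC key are all constructed assumptions. The keyed pseudonym is deliberately not a bare SHA-256 of the name: an unkeyed hash of a name or SSN can be reversed by hashing a list of candidates, whereas the HMAC cannot be reversed without the key. The caveat a practitioner should keep in mind is that whoever holds that key can re-link records, so it must be stored apart from the released data, and that generalized quasi-identifiers (birth year, 3-digit ZIP) still carry residual re-identification risk when combined with other data.

```python
import hashlib
import hmac
from typing import Any, Dict

# Constructed sample record for illustration only; not real data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "dob": "1984-07-19",
    "zip": "20899",
    "diagnosis_code": "J45.20",
}

# Assumed policy for a hypothetical research use: the stated purpose needs the
# diagnosis, an approximate age and region, and a way to link records of the
# same person across files, but never the SSN or the name itself.
FIELDS_NOT_NEEDED = frozenset({"ssn"})      # minimization: do not keep at all
DIRECT_IDENTIFIERS = frozenset({"name"})    # replace with a keyed pseudonym
QUASI_IDENTIFIERS = {"dob": "birth_year", "zip": "zip3"}  # generalize


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized value, truncated to
    16 hex digits. The key is what makes this safer than a bare hash: without
    it, an attacker cannot rebuild the name->pseudonym table by hashing a list
    of candidate names. Whoever holds the key can re-link, so the key must be
    stored apart from the de-identified data and access to it logged."""
    normalized = " ".join(value.split()).casefold()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize(field: str, value: str) -> str:
    """Coarsen quasi-identifiers so that a combination such as full birth date
    plus 5-digit ZIP no longer singles out one person."""
    if field == "dob":          # "YYYY-MM-DD" -> "YYYY"
        return value[:4]
    if field == "zip":          # "20899" -> "208"
        return value[:3]
    raise ValueError(f"no generalization rule for {field}")


def deidentify(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Apply minimization, pseudonymization and generalization in one pass."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in FIELDS_NOT_NEEDED:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonymize(value, key)
        elif field in QUASI_IDENTIFIERS:
            out[QUASI_IDENTIFIERS[field]] = generalize(field, value)
        else:
            out[field] = value
    return out


def residual_identifiers(record: Dict[str, Any]) -> set:
    """Check used before release: any raw direct identifier, dropped field or
    un-generalized quasi-identifier still present means the record is not
    de-identified under the policy above."""
    return set(record) & (DIRECT_IDENTIFIERS | FIELDS_NOT_NEEDED | set(QUASI_IDENTIFIERS))


if __name__ == "__main__":
    # The key is assumed to be a 32-byte secret held in a KMS or HSM in practice;
    # a fixed constructed value is used here only so the example runs offline.
    demo_key = bytes.fromhex("00" * 32)
    released = deidentify(SAMPLE_RECORD, demo_key)
    print(released)
    print("residual identifiers:", residual_identifiers(released))
```

The release check in residual_identifiers is the part worth wiring into a pipeline: it turns the policy (which fields are dropped, which are pseudonymized, which are generalized) into a test that fails closed if a raw identifier slips through a schema change.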
Appendix C — Other Terms and Definitions for Personal Information
Laws, regulations, and guidance documents provide various terms and definitions used to describe
personal information, such as information in identifiable form (IIF), system of records (SOR), and
protected health information (PHI). Some of these are similar to the definition of PII used in this
document. However, organizations should not use the term PII (as defined in this document)
interchangeably with these terms and definitions because they are specific to their particular context. The
table below provides examples of these other terms and definitions, and it is not intended to be
comprehensive.
Defining Authority: E-Government Act of 2002, Pub. L. 107-347, 116 Stat. 2899, see § 208(d).
Term: Information in Identifiable Form (IIF)
Definition: Any representation of information that permits the identity of an individual to whom the
information applies to be reasonably inferred by either direct or indirect means.
Comments: Often considered to have been replaced by the term PII.

Defining Authority: OMB Memorandum 03-22
Term: Information in Identifiable Form (IIF)
Definition: Information in an IT system or online collection: (i) that directly identifies an individual
(e.g., name, address, social security number or other identifying number or code, telephone number,
email address) or (ii) by which an agency intends to identify specific individuals in conjunction with
other data elements, i.e., indirect identification. (These data elements may include a combination of
gender, race, birth date, geographic indicator, and other descriptors.)
Comments: Often considered to have been replaced by the term PII.

Defining Authority: OMB Memorandum 03-22
Term: Individual
Definition: A citizen of the United States or an alien lawfully admitted for permanent residence.
Comments: This definition mirrors the Privacy Act definition.

Defining Authority: OMB Memorandum 06-19
Term: Personally Identifiable Information (PII)
Definition: Any information about an individual maintained by an agency, including, but not limited
to, education, financial transactions, medical history, and criminal or employment history and
information which can be used to distinguish or trace an individual's identity, such as their name,
social security number, date and place of birth, mother's maiden name, biometric records, etc.,
including any other personal information which is linked or linkable to an individual.

Defining Authority: OMB Memorandum 07-16
Term: Personally Identifiable Information (PII)
Definition: Information which can be used to distinguish or trace an individual's identity, such as
their name, social security number, biometric records, etc. alone, or when combined with other
personal or identifying information which is linked or linkable to a specific individual, such as date
and place of birth, mother's maiden name, etc.
Defining Authority: Health Insurance Portability and Accountability Act of 1996 (HIPAA),
Administrative Data Standards and Related Requirements, 45 C.F.R. § 160.103.
Term: Individually Identifiable Health Information (IIHI)
Definition: Information that is a subset of health information, including demographic information
collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care
  clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the
  provision of health care to an individual; or the past, present, or future payment for the provision
  of health care to an individual; and
- That identifies the individual; or with respect to which there is a reasonable basis to believe the
  information can be used to identify the individual.
Comments: Applicable only to the HIPAA; subject to a number of exemptions not made for PII.

Defining Authority: Health Insurance Portability and Accountability Act of 1996 (HIPAA),
Administrative Data Standards and Related Requirements, 45 C.F.R. § 160.103.
Term: Protected Health Information (PHI)
Definition: Individually identifiable health information (IIHI) that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
Protected health information excludes individually identifiable health information in:
- Education records covered by the Family Educational Rights and Privacy Act, as amended,
  20 U.S.C. 1232g;
- Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as employer.
Comments: Applicable only to the HIPAA; subject to a number of exemptions not made for PII.

Defining Authority: Privacy Act of 1974, 5 U.S.C. § 552a(a)(5).
Term: System of Records (SOR)
Definition: A group of any records under the control of any agency from which information is
retrieved by the name of the individual or by some identifying number, symbol, or other identifying
particular assigned to the individual.
Comments: Applies only to Federal agencies. Provides some exemptions for certain types of records.

Defining Authority: Privacy Act of 1974, 5 U.S.C. § 552a(a)(2).
Term: Individual
Definition: A citizen of the United States or an alien lawfully admitted for permanent residence.
Defining Authority: Privacy Act of 1974, 5 U.S.C. § 552a(a)(4).
Term: Record
Definition: Any item, collection, or grouping of information about an individual that is maintained by
an agency, including, but not limited to, his education, financial transactions, medical history, and
criminal or employment history and that contains his name, or the identifying number, symbol, or
other identifying particular assigned to the individual, such as a finger or voice print or a photograph.
Defining Authority: Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g(a)(4).
Term: Education Records
Definition: Records, files, documents, and other materials which:
- contain information directly related to a student; and
- are maintained by an educational agency or institution or by a person acting for such agency or
  institution, subject to some exceptions.
Exceptions include:
- records of instructional, supervisory, and administrative personnel and educational personnel
  ancillary thereto which are in the sole possession of the maker thereof and which are not
  accessible or revealed to any other person except a substitute;
- records maintained by a law enforcement unit of the educational agency or institution that were
  created by that law enforcement unit for the purpose of law enforcement;
- in the case of persons who are employed by an educational agency or institution but who are not
  in attendance at such agency or institution, records made and maintained in the normal course of
  business which relate exclusively to such person in that person's capacity as an employee and are
  not available for use for any other purpose; or
- records on a student who is eighteen years of age or older, or is attending an institution of
  postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist,
  or other recognized professional or paraprofessional acting in his professional or paraprofessional
  capacity, or assisting in that capacity, and which are made, maintained, or used only in connection
  with the provision of treatment to the student, and are not available to anyone other than persons
  providing such treatment, except that such records can be personally reviewed by a physician or
  other appropriate professional of the student's choice.
Comments: Applies only to educational institutions receiving funds from the Federal government.
Appendix D — Fair Information Practices
The Fair Information Practices, also known as Privacy Principles, are the framework for most modern
privacy laws around the world. Several versions of the Fair Information Practices have been developed
through government studies, Federal agencies, and international organizations. These different versions
share common elements, but the elements are divided and expressed differently. The most commonly
used versions are discussed in this appendix.[92]
In 1973, the U.S. Department of Health, Education, and Welfare (HEW) (now the Department of Health
and Human Services) issued a report entitled Records, Computers, and the Rights of Citizens (commonly
referred to as the HEW Report). The report was the culmination of an extensive study into data
processing in the public and private sectors. The HEW Report recommended that Congress enact
legislation adopting a "Code of Fair Information Practices" for automated personal data systems. The
recommended Fair Information Practices became the foundation for the Privacy Act of 1974. The HEW
Report Fair Information Practices included the following:
- There must be no personal data record-keeping systems whose very existence is secret.
- There must be a way for an individual to find out what information is in his or her file and how the
  information is being used.
- There must be a way for an individual to correct information in his or her records.
- Any organization creating, maintaining, using, or disseminating records of personally identifiable
  information must assure the reliability of the data for its intended use and must take precautions to
  prevent misuse.
- There must be a way for an individual to prevent personal information obtained for one purpose from
  being used for another purpose without his or her consent.
In 1980, the Organisation for Economic Co-operation and Development (OECD)[93] adopted Guidelines on
the Protection of Privacy and Transborder Flows of Personal Data, which provide a framework for
privacy that has been referenced in U.S. Federal guidance and internationally. The OECD Guidelines,
along with the Council of Europe Convention,[94] became the foundation for the European Union's Data
Protection Directive.[95] The OECD Guidelines include the following Privacy Principles:
- Collection Limitation — There should be limits to the collection of personal data and any such data
  should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent
  of the data subject.
- Data Quality — Personal data should be relevant to the purposes for which they are to be used, and, to
  the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
[92] Portions of this appendix were contributed to and published in the Executive Office of the President, National Science and
Technology Council's Identity Management Task Force Report 2008, see
http://www.ostp.gov/galleries/NSTC%20Reports/IdMReport%20Final.pdf.
[93] The U.S. is an OECD member country and participated in the development of the OECD Privacy Guidelines, see
http://www.ftc.gov/speeches/thompson/thomtacdremarks.shtm.
[94] In 1981, the Council of Europe enacted the Convention for the Protection of Individuals with Regard to Automatic
Processing of Personal Data, which also recognized the Fair Information Practices.
[95] In 1995, the European Union enacted the Data Protection Directive, Directive 95/46/EC, which required member states to
harmonize their national legislation with the terms of the Directive, including the Fair Information Practices. For additional
information, see Jody R. Westby, International Guide to Privacy, American Bar Association Publishing, 2004.
- Purpose Specification — The purposes for which personal data are collected should be specified not
  later than at the time of data collection and the subsequent use limited to the fulfillment of those
  purposes or such others as are not incompatible with those purposes and as are specified on each
  occasion of change of purpose.
- Use Limitation — Personal data should not be disclosed, made available or otherwise used for
  purposes other than those specified, except with the consent of the data subject or by the authority of
  law.
- Security Safeguards — Personal data should be protected by reasonable security safeguards against
  such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
- Openness — There should be a general policy of openness about developments, practices and policies
  with respect to personal data. Means should be readily available of establishing the existence and
  nature of personal data and the main purposes of their use, as well as the identity and usual residence
  of the data controller.
- Individual Participation — An individual should have the right: (a) to obtain from a data controller,
  or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have
  communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not
  excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given
  reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such
  denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data
  erased, rectified, completed, or amended.
- Accountability — A data controller should be accountable for complying with measures which give
  effect to the principles stated above.
In 2004, the Federal CIO Council published the Federal Enterprise Architecture Security and Privacy
Profile (FEA-SPP).[96] It included a set of privacy control families based on Fair Information Practices.
The privacy control families were intended to provide guidance for integrating privacy requirements into
the Federal Enterprise Architecture. In 2009, the CIO Council drafted a revised set of privacy control
families.[97] The revised set contains the following privacy control families:
- Transparency — Providing notice to the individual regarding the collection, use, dissemination, and
  maintenance of PII.
- Individual Participation and Redress — Involving the individual in the process of using PII and
  seeking individual consent for the collection, use, dissemination, and maintenance of PII. Providing
  mechanisms for appropriate access, correction, and redress regarding the use of PII.
- Purpose Specification — Specifically articulating the authority that permits the collection of PII and
  specifically articulating the purpose or purposes for which the PII is intended to be used.
- Data Minimization and Retention — Only collecting PII that is directly relevant and necessary to
  accomplish the specified purpose(s). Only retaining PII for as long as is necessary to fulfill the
  specified purpose(s) and in accordance with the National Archives and Records Administration
  (NARA) approved record retention schedule.
[96] FEA-SPP, Version 2, http://cio.gov/documents/Security_and_Privacy_Profile_v2.pdf.
[97] This set of privacy control families is based on the working draft of Version 3 of FEA-SPP, August 28, 2009. It is expected
to be finalized and published in 2010.