What determines sensitive data from non-sensitive data?
Answer (1)
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Examples include name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
The following data, often used for the express purpose of distinguishing individual identity, clearly classify as PII under the definition used by the National Institute of Standards and Technology:[11]
- Full name (if not common)
- Home address
- Email address (if private from an association/club membership, etc.)
- National identification number (social security number)
- Passport number
- IP address (when linked, but not PII by itself in US)
- Vehicle registration plate number
- Driver's license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Birthplace
- Genetic information
- Telephone number
- Login name, screen name, nickname, or handle
The following are less often used to distinguish individual identity, because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.
- First or last name, if common
- Country, state, postcode or city of residence
- Age, especially if non-specific
- Gender or race
- Name of the school they attend or workplace
- Grades, salary, or job position
- Criminal record
- Web cookie[12]
Credit card numbers and social security numbers are automatically considered sensitive data and should be stored securely (X-drive). If a significant combination of PII is stored within a file, the file may be considered sensitive.
For more information, refer to this Wikipedia article on PII: https://en.wikipedia.org/wiki/Personally_identifiable_information
TWU IRB Guidance on Data Management and Integrity in Human Research may be helpful for anyone at TWU who stores data with personally identifiable information, FERPA-related data, and/or HIPAA-related information.