The definition of PII is broad. PII includes any information collected or maintained by the Bonneville Power Administration about any individual. This includes:
- Information that can be used to distinguish or trace an individual, such as name, Social Security number, and biometric data, and
- Information about a person's past or present status or activities, such as education, medical history, criminal history, or employment history.
Sensitive PII is PII that must be protected against loss because improper disclosure could result in substantial harm, embarrassment, inconvenience or unfairness to an individual. Improper disclosure includes loss, theft, and unauthorized release or sharing.
Sensitive PII: Examples
- Social Security number or last four digits
- Medical history and conditions
- Credit card and financial account numbers (personal and government)
- Driver's license, state ID and passport number
- Height and weight
- Workplace performance and disciplinary history
- Employment history and information
Non-sensitive PII is information that is often publicly available, and its dissemination is unlikely to lead to harm. Keep in mind that you should exercise care when handling any kind of PII.
Non-sensitive PII: Examples
- E-mail address
- Home address
- Phone number
- HRMIS ID
- BUD login
Can PII be sensitive in some cases and not in others?
Context matters. Some kinds of PII are always considered sensitive, including Social Security numbers, birth dates, and biometric identifiers like fingerprints. Other categories of PII are sensitive in certain contexts. For example:
- A list of employee names attending a meeting would be non-sensitive. A list of employee names facing disciplinary action would be sensitive because it is potentially harmful or embarrassing.
- Identifiable photographs are PII, but the sensitivity cannot be predicted because it depends on both content and context.
What other kinds of things are PII?
Many other things may be PII; the charts above are not exhaustive and only contain examples. Remember, PII includes any information that meets the definition above, and sensitivity always depends on context.