
Personally Identifiable Information (PII)


Any information collected or maintained by the Department about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as his/her name, Social Security number, date and place of birth, mother’s maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual.

Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII can include unique individual identifiers or combinations of identifiers, such as an individual’s name, Social Security number, date and place of birth, mother’s maiden name, biometric data, etc. (as defined by OMB Circular A-130).


PII is determined by the ability of the information or data element to be used to identify an individual. Context can change whether a data element should be labeled as PII. Some PII may present a higher risk to an individual because of its use in other business or financial processes.


At DOE, for the purposes of privacy compliance documentation (i.e., PTAs and PIAs), PII will be assessed in terms of “Non-Sensitive” and “Sensitive” PII.


Sensitive PII is defined for compliance purposes as “Personally Identifiable Information, which if lost, compromised, or disclosed with or without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. SPII requires stricter handling guidelines because of the increased risk to an individual if the data is inappropriately accessed or compromised.” This includes circumstances in which a minimal amount of PII is provided in a context that increases the sensitivity and/or risk of harm to an individual. For example, a list of names of employees with whistleblower status would be considered more sensitive than a simple roster of employee names.

Non-Sensitive PII is “Personally Identifiable Information that represents manageable risk of harm to individuals and is not being used in a context that raises the level of sensitivity.” Non-Sensitive PII would include PII that is used for the administration of Systems, such as work email address, username, passwords, or security verification questions. Some Non-Sensitive PII may warrant additional protections regardless of its Non-Sensitive status. For example, Personal PII should always be treated with greater sensitivity than work-related PII to retain the trust of the individual.


PII definitions related to Breaches, Data Breaches, and Incidents involving PII should follow the definitions for “Breach or Data Breaches” and “Incident” included in this Attachment in terms of defining the circumstances and sensitivity of PII involved for the purposes of reporting and responding to suspected or confirmed incidents or breaches involving PII.

Any information collected or maintained about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as his/her name, Social Security number, date and place of birth, mother’s maiden name, biometric data, and any other personal information that is linked or linkable to a specific individual.

  • Human Resources
  • Information and Analysis
  • Security
