Personally Identifiable Information (PII)
What Is PII?
Personally identifiable information (PII), also known as P4 data, is a specific category of particularly sensitive data defined as unencrypted electronic information that includes an individual’s first name or initial and last name in combination with any one or more of the following:
- Social Security number (SSN).
- Driver’s license number or state-issued identification card number.
- Financial account number, credit card number,* or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.
- Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional).
- Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records).
PII is sometimes called "notice-triggering data" because the State of California Information Practices Act of 1977 requires that personally identifiable information (PII) be appropriately protected and that affected individuals be notified of any reasonable suspicion of a compromise of that protection. UC Santa Cruz is responsible for complying with these legal requirements and for providing employees with information about requirements and responsibilities relating to PII.
*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard.
Personal Information (PI) vs. Personally Identifiable Information (PII)
Personal information (PI) generally refers to any details about an individual, while personally identifiable information (PII) specifically includes data that can be used to identify, locate, or contact a person, such as their full name, address, or Social Security number. Essentially, all PII is personal information, but not all personal information is necessarily PII.
For example, a research subject's age can be considered personal information, but without more information, such as a name or Social Security number, this research subject cannot be identified.
PI and PII Data Security
All PII is classified at Data Protection Level P4. In general, the best way to protect PII is not to have it in the first place. If you must handle PII, make sure you know how to best protect it.
In some cases, PI is also classified at Data Protection Level P4. For example, large sets of personal data, even when de-identified (stripped of all identifying information), are classified at P4 and may also be subject to further security controls required by contractual obligations and federal, state, and international laws and regulations.
Where PII May Be Found
University-related PII is likely to be found in files and email containing the following types of information. While this is not an all-inclusive list, you can use it as a guide to locate PII you may not be aware of so you can remove or protect it. Remember to check old and archival files and email, too.
- Student records, including old class lists, student rosters, financial aid and grade records.
- Personnel-related spreadsheets, databases, and files.
- Old Lx/Rx forms, UPAY forms, Travel Reimbursements and pro-card forms.
- Health, medical, or insurance records.
- Downloads from Banner/FIS, PPS, AIS, DivData, or Data Warehouse/InfoView.
- Financial spreadsheets.
- Old job or student applications, performance evaluations, and letters of reference.
- Credit card sale records.
- Credit and collections records.
- Research proposals, protocols/studies or databases, research grant applications, or other Intellectual Property (IP).
- Data related to DMV pull notices.
Examples of electronic devices on which PII may be stored include:
- Desktop and laptop computers.
- Servers.
- Personal or home computers used for university business.
- Portable electronic devices, such as phones, tablets, and other mobile devices.
- Removable media, such as CDs/DVDs, flash drives, external hard drives, and backup tapes and disks.
PII Resources at UCSC
For questions about PII, including protecting or securely deleting PII, contact:
- The ITS Support Center
- Your ITS Divisional Liaison
Other PII resources include:
- UCSC PII Inventory and Security Breach Procedures
- Personally identifiable information (PII) Training
- Practices for Protecting Electronic P3-P4 Data
- Encryption Information
- Security Breach Examples and Practices to Avoid Them
Report a PII Incident
To report a suspected security breach or compromise involving PII, including the theft or loss of computing equipment that contains PII, see Report a Security Incident.