Identifying Personally Identifiable Information

By Megan Mohrmann posted 04-04-2017 11:50



Data breaches are an everyday occurrence that demonstrate no enterprise or individual is impervious to vulnerabilities. In 2015, there were 781 known data breaches in the U.S., the second highest year since the Identity Theft Resource Center began tracking them in 2005.[1] Between this influx of breaches and rapidly evolving and emerging privacy laws, it is no wonder enterprises are struggling to protect and effectively manage personally identifiable information (PII).

The sources of PII maintained by enterprises range from internal employee information to customers and vendors, and are pervasive because PII likely impacts a significant part of the enterprise’s records retention schedule (RRS). Identifying what records are subject to PII laws is fundamental to any strategy for effectively managing PII. While this task seems simple enough, making such a determination is ultimately dependent upon the jurisdiction(s) that are relevant to the PII. For enterprises that operate in various U.S. states and/or internationally, it becomes increasingly complex to reconcile requirements across different jurisdictions.

To provide initial guidance on identification and management of PII through an RRS, I’ve provided a few examples of U.S. privacy laws that may impact a company, followed by a checklist to help with this process.

U.S. State Laws

Within the U.S., there is no uniform definition for PII, but rather it is defined by various federal and state laws and agencies. On one end of the spectrum, California takes the lead with an aggressive privacy approach. In California, personal information includes an individual’s first name or initial combined with one or more other elements “when the name or data elements are not encrypted”, including social security number, driver’s license number, medical or health insurance information, along with an extensive list of other companion elements.[2] Several other states adopt a similar multi-factor approach but limit the definitional scope to fewer components that constitute PII when combined, thus imposing less restrictive standards.

U.S. Federal Laws

In contrast to the state approach, U.S. Federal laws take a broader approach in defining personal information. An example of this can be found in the Gramm-Leach-Bliley Act of 1999, which defines personally identifiable personal information as “nonpublic personal information.”[3] The General Services Administration, in its privacy policy applicable to contractors, defines PII at a minimum to include “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc.”[4]

Initial Checklist

By first understanding and identifying the various types of PII mandated per jurisdiction, records and information management professionals can confidently devise an RRS strategy during their efforts to initiate and maintain a program that effectively manages this information. An initial checklist to help with this process may include some of the following:

  • Identify the relevant jurisdictions and regulators. For purposes of PII, this should consider not only the enterprise’s places of operation, but also the jurisdictions from which the PII is collected.
  • Identify privacy laws which may be applicable to the enterprise. These should include those that are broadly applicable to the enterprise’s business as well as those that are specific to its industry.
  • Survey and summarize the privacy laws applicable to the enterprise.
  • Where multiple jurisdictions are involved, consider focusing on the most stringent PII standards you identified when evaluating the RRS to facilitate a strategy that can be uniformly implemented and followed.
  • Identify examples and record series within the RRS that meet the criteria required by the identified PII laws. Identifying the particular records and business processes that involve PII and mapping those requirements to the schedule will be helpful for the initial and ongoing efforts.


[2] CAL. CIV. CODE § 1798.82(h)

[3] 15 U.S.C. § 6809(4)(A) (2006)


About the Author:
Ms. Jennifer Chadband is a Senior Analyst in the Consulting Division at Zasio Enterprises. Jennifer possesses an extensive international legal research background as well as broad knowledge and experience in a variety of industries with emphasis on the financial services and pharmaceutical industries. She analyzes the applicability of discovered research, addresses ad hoc queries related to client records and information management programs, and develops enterprise records retention schedules with an eye towards legal compliance and risk minimization. Jennifer is licensed to practice law in the state of Idaho and is a certified Enterprise Content Management Professional. She is also proficient in Spanish.

#PersonallyIdentifiableInformation #RRS #PII #recordsretentionschedules