What is Personally Identifiable Information (PII) and how do I protect it?

Two Rules of Thumb:

  1. PII is information that can distinguish or trace a person’s identity (e.g., a Social Security Number, or information that would harm a person if released to someone without approval and a need to know), or that otherwise presents an opportunity to cause harm to a specific person should unauthorized individual(s) gain access to it
  2. Label documents/material containing PII as CUI and protect the documents/material from unauthorized disclosure
    1. Mark emails as CUI in Outlook
    2. Encrypt email when sending to .gov and .mil email addressees using the DoD Common Access Card

More Information:

The Army defines PII, with a further citation of an OMB memorandum, as “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information).”

For Army and USMA organizations, National Institute of Standards and Technology (NIST) 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) and Army Regulation 25-22 The Army Privacy Program make clear that not all PII is equal, nor do Army and USMA apply the same protections to all PII. When dealing with systems like the Academy Management System (AMS) (aka Cadet Information System (CSI)), USMA submits to Army a Privacy Impact Assessment (PIA) and System of Record Notice (SORN) describing the command’s protections of PII. Military Academy Directorates (MADs) that build, sustain, and defend information collections that include PII have the same duty to submit PIAs and SORNs. Organizations below the MADs must work through their Chain of Command to gain permission for such information collections and complete the appropriate documentation of the protections applied to the PII.

Individual DoD, Army, and USMA users face a somewhat more complicated situation.

  • Individuals are free to pass their own PII around for whatever reason(s) they see fit with as much protection as they see fit—a rule of thumb is to not do so without a good reason, and then only to trustworthy custodians of the PII.
  • Individuals are NOT free to pass around other people’s PII. DoD and Army policies have, for years, required DoD and Army personnel to protect other people’s PII.
    • Within @westpoint.edu (e.g., Exchange Online/Outlook 365, OneDrive, SharePoint Online, Blackboard, ODIA’s Student Performance system), USMA uses technical protections that are nearly invisible to users.
      • USMA now has, and is using, a capability that allows users to label PII emails, and eventually other materials they create, as Controlled Unclassified Information (of which PII is one type).
      • At present, users should label moderate and high impact PII as CUI (e.g., SSN, Graded assignments, Educational Records, PII that would result in significant to serious financial harm to an individual and significant harm up to and including loss of life or serious life threatening injuries).  See also the figure below.
      • Reminder: USMA and Army do not consider some data fields (e.g., email address, DoD ID Number (aka EDIPI)) as protected PII.
    • Users always have the responsibility to self-control the distribution of other people’s PII, limiting it to those who have a need to know. Failure to do so causes what the US Government calls a PII Breach. Individuals can be held responsible under criminal and civil law for PII breaches according to Army Regulation and policy.
    • Users sending documents/email to and from .gov and .mil users must encrypt PII with their DoD Common Access Card (CAC) in accordance with DoD and Army Regulations and policies.