If you receive a request under your state or local government’s Sunshine Law, do you know how to identify what personally identifiable information (aka, PII), information must be protected?
Why does this matter?
Every State government addresses individual privacy in some way, and this is generally reflected on State webpages, so that the public can see what protections are provided for their personal information. Most States agree on basic protections that should be provided. For example, Social Security numbers and patient health information are always protected. However, beyond that point, many states define “privacy” differently. Some states simply indicate, in their laws or regulations, that an individual’s right to privacy should be observed, but the nature of that protection might not be well defined, or defined at all.
Other states define the data elements, or categories, which must be protected. For example, the State of North Carolina website contains the following guidance:
“Personally Identifiable Information (PII) refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”
Read More