Personally Identifiable Information (PII)
What is PII?
Any information maintained by the University that can be used to distinguish or trace an individual’s identity, including, but not limited to, Social Security Numbers (SSNs), credit card numbers, bank account numbers, Driver’s License numbers, state ID cards, passport numbers, military ID numbers, tribal ID numbers, dates of birth, biometric data (including fingerprints, retina images, and DNA profile), digital signatures, usernames or email addresses combined with passwords or security questions and answers, or protected health information.
What is Notifiable PII?
The Pennsylvania Data Security Breach Notification Laws apply to the data elements below when there is an associated name (first initial or first name and last name) in combination with any of the following:
- Social Security number
- Driver’s license number or a State identification card number issued in lieu of a driver’s license
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
(If the Privacy Office has determined a security breach to be notifiable, they will provide guidance on next steps, including reporting obligations for other applicable state breach laws.)
P-cards are not considered to be notifiable; however, the department should notify its local financial officer about the detected P-card(s) so they can close the account(s).
Financial account numbers may be handled differently per Penn State practice. This depends heavily on the other data components that may accompany the bank account number. Please check with the Privacy Office if bank account numbers are detected to determine whether the data is notifiable.
Corporate bank account numbers do not require notification.