Overview

This guide provides Trinity College purchasers with guidance on identifying personally identifiable information (PII) when negotiating service agreements or issuing purchase orders for work to be performed by outside vendors. If a vendor will handle, process, store, transmit, or otherwise have the ability to access PII, purchasers must take the following steps:
  • Minimize the vendor’s use, collection, and retention of PII to what is strictly necessary to accomplish the business purpose and scope of work. Where feasible, consider de-identifying or anonymizing the information.
  • Require appropriate insurance by ensuring the vendor obtains additional Information Security and/or Cyber Liability insurance in amounts recommended by Trinity College Risk Management.
  • Complete due diligence by requiring the vendor to complete a Vendor Security Risk Assessment prior to contract execution.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) includes:
“(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Examples of PII

PII includes, but is not limited to, the following categories:
  • Names: full name, maiden name, mother’s maiden name, or alias
  • Personal identification numbers: Social Security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
  • Personal address information: home street address or personal email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of the face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: vehicle identification number (VIN) or title number
  • Asset or device identifiers: Internet Protocol (IP) addresses or Media Access Control (MAC) addresses that consistently link to a particular individual

Data Elements That May Become PII When Combined

On their own, the following data elements may not constitute PII because more than one person could share these traits. However, when linked or linkable to PII, they may be used to identify a specific individual:
  • Date of birth
  • Place of birth
  • Business telephone number
  • Business mailing or email address
  • Race or ethnicity
  • Religion
  • Geographic indicators
  • Employment information
  • Medical information
  • Education information
  • Financial information

When Would a Vendor Have Access to PII?

Vendors may have access to PII in a variety of common scenarios, including but not limited to:
  • Fundraising and advancement systems: A contractor is hired to develop or support software used for institutional advancement or alumni relations. The contractor may have access to PII such as names, home mailing addresses, personal telephone numbers, or financial account information of alumni and donors.
  • Cloud-based research or survey tools: A license is obtained for a cloud-based survey or research platform. Depending on survey content, the service provider may host or access PII such as respondent names, email addresses, demographic data, medical information, or educational background.
  • Physical access control systems: A contractor is hired to develop, maintain, or upgrade access control systems (e.g., card swipe or badge readers). The contractor may have access to PII collected through these systems, such as names, institutional ID numbers, or other identifiers.

Related Information

Resources and Additional Questions

If you have questions about this guide or whether a vendor engagement involves PII, contact Trinity College’s Office of Procurement, Information Security, or College Counsel, as appropriate.
