{"id":11207,"date":"2026-02-19T13:59:08","date_gmt":"2026-02-19T18:59:08","guid":{"rendered":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/identifying-personally-identifiable-information-pii\/"},"modified":"2026-02-19T14:14:54","modified_gmt":"2026-02-19T19:14:54","slug":"identifying-personally-identifiable-information-pii","status":"publish","type":"page","link":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/","title":{"rendered":"Identifying Personally Identifiable Information (PII)"},"content":{"rendered":"<p><!--ScriptorStartFragment--><\/p>\n<h2>Overview<\/h2>\n<div class=\"scriptor-paragraph\">This guide provides Trinity College purchasers with guidance on identifying personally identifiable information (PII) when negotiating service agreements or issuing purchase orders for work to be performed by outside vendors. If a vendor will handle, process, store, transmit, or otherwise have the ability to access PII, purchasers must take the following steps:<\/div>\n<ul class=\"\">\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8050\">Minimize the vendor\u2019s use, collection, and retention of PII to what is strictly necessary to accomplish the business purpose and scope of work. Where feasible, consider de-identifying or anonymizing the information.<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8050\">Require appropriate insurance by ensuring the vendor obtains additional Information Security and\/or Cyber Liability insurance in amounts recommended by Trinity College Risk Management.<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8050\">Complete due diligence by requiring the vendor to complete a Vendor Security Risk Assessment prior to contract execution.<\/li>\n<\/ul>\n<h3>What is Personally Identifiable Information (PII)?<\/h3>\n<div class=\"scriptor-paragraph\">Personally Identifiable Information (PII) includes:<\/div>\n<blockquote>\n<div><span lang=\"en-us\">\u201c(1) any information that can be used to distinguish or trace an individual\u2019s identity, such as name, social security number, date and place of birth, mother\u2019s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.\u201d<\/span><\/div>\n<\/blockquote>\n<h3>Examples of PII<\/h3>\n<div class=\"scriptor-paragraph\">PII includes, but is not limited to, the following categories:<\/div>\n<ul class=\"\">\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Names: full name, maiden name, mother\u2019s maiden name, or alias<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Personal identification numbers: Social Security number (SSN), passport number, driver\u2019s license number, taxpayer identification number, patient identification number, financial account number, or credit card number<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Personal address information: home street address or personal email address<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Personal telephone numbers<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Personal characteristics: photographic images (particularly of the face or other identifying characteristics), fingerprints, or handwriting<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Biometric data: retina scans, voice signatures, or facial geometry<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Information identifying personally owned property: vehicle identification number (VIN) or title number<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8051\">Asset or device identifiers: Internet Protocol (IP) addresses or Media Access Control (MAC) addresses that consistently link to a particular individual<\/li>\n<\/ul>\n<h3>Data Elements That May Become PII When Combined<\/h3>\n<div class=\"scriptor-paragraph\">On their own, the following data elements may not constitute PII because more than one person could share these traits. However, when linked or linkable to PII, they may be used to identify a specific individual:<\/div>\n<ul class=\"\">\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Date of birth<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Place of birth<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Business telephone number<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Business mailing or email address<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Race or ethnicity<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Religion<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Geographic indicators<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Employment information<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Medical information<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Education information<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8052\">Financial information<\/li>\n<\/ul>\n<h2>When Would a Vendor Have Access to PII?<\/h2>\n<div class=\"scriptor-paragraph\">Vendors may have access to PII in a variety of common scenarios, including but not limited to:<\/div>\n<ul class=\"\">\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8053\"><strong>Fundraising and advancement systems<\/strong>: A contractor is hired to develop or support software used for institutional advancement or alumni relations. The contractor may have access to PII such as names, home mailing addresses, personal telephone numbers, or financial account information of alumni and donors.<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8053\"><strong>Cloud-based research or survey tools<\/strong>: A license is obtained for a cloud-based survey or research platform. Depending on survey content, the service provider may host or access PII such as respondent names, email addresses, demographic data, medical information, or educational background.<\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8053\"><strong>Physical access control systems<\/strong>: A contractor is hired to develop, maintain, or upgrade access control systems (e.g., card swipe or badge readers). The contractor may have access to PII collected through these systems, such as names, institutional ID numbers, or other identifiers.<\/li>\n<\/ul>\n<h2>Related Information<\/h2>\n<h3>Resources and Additional Questions<\/h3>\n<div class=\"scriptor-paragraph\">If you have questions about this guide or whether a vendor engagement involves PII, contact Trinity College\u2019s Office of <a href=\"https:\/\/www.trincoll.edu\/facilities\/purchasing\/\">Procurement<\/a>, <a href=\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/\">Information Security<\/a>, or College Counsel, as appropriate.<\/div>\n<h3>Additional References<\/h3>\n<ul class=\"\">\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8054\"><a href=\"https:\/\/georgewbush-whitehouse.archives.gov\/omb\/memoranda\/fy2007\/m07-16.pdf\">OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information<\/a><\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8054\"><a href=\"https:\/\/studentprivacy.ed.gov\/faq\/what-ferpa\">Family Educational Rights and Privacy Act (FERPA)<\/a><\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8054\"><a href=\"https:\/\/portal.ct.gov\/ag\/sections\/privacy\/reporting-a-data-breach\">Applicable state breach notification and privacy laws<\/a><\/li>\n<li class=\"scriptor-listItemlist!list-8d83575a-391f-4d7b-90fe-c8c3ba9ea8054\"><a href=\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/information-technology-policies-procedures\/\">Trinity College policies and standards related to information security, privacy, and data protection<\/a><\/li>\n<\/ul>\n<p><!--ScriptorEndFragment--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview This guide provides Trinity College purchasers with guidance on identifying personally identifiable information (PII) when negotiating service agreements or issuing purchase orders for work to be performed by outside vendors. If a vendor will handle, process, store, transmit, or otherwise have the ability to access PII, purchasers must take the following steps: Minimize the [&hellip;]<\/p>\n","protected":false},"author":336,"featured_media":0,"parent":5011,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-11207","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v25.8) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Identifying Personally Identifiable Information (PII) - Library &amp; Information Technology Services<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Identifying Personally Identifiable Information (PII)\" \/>\n<meta property=\"og:description\" content=\"Overview This guide provides Trinity College purchasers with guidance on identifying personally identifiable information (PII) when negotiating service agreements or issuing purchase orders for work to be performed by outside vendors. If a vendor will handle, process, store, transmit, or otherwise have the ability to access PII, purchasers must take the following steps: Minimize the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/\" \/>\n<meta property=\"og:site_name\" content=\"Library &amp; Information Technology Services\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-19T19:14:54+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/\",\"url\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/\",\"name\":\"Identifying Personally Identifiable Information (PII) - Library &amp; Information Technology Services\",\"isPartOf\":{\"@id\":\"https:\/\/www.trincoll.edu\/lits\/#website\"},\"datePublished\":\"2026-02-19T18:59:08+00:00\",\"dateModified\":\"2026-02-19T19:14:54+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Technology\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Information Security\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Governance Risk and Compliance\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Architecture and Security Risk Review\",\"item\":\"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/\"},{\"@type\":\"ListItem\",\"position\":6,\"name\":\"Identifying Personally Identifiable Information (PII)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.trincoll.edu\/lits\/#website\",\"url\":\"https:\/\/www.trincoll.edu\/lits\/\",\"name\":\"Library &amp; Information Technology Services\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.trincoll.edu\/lits\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Identifying Personally Identifiable Information (PII) - Library &amp; Information Technology Services","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/","og_locale":"en_US","og_type":"article","og_title":"Identifying Personally Identifiable Information (PII)","og_description":"Overview This guide provides Trinity College purchasers with guidance on identifying personally identifiable information (PII) when negotiating service agreements or issuing purchase orders for work to be performed by outside vendors. If a vendor will handle, process, store, transmit, or otherwise have the ability to access PII, purchasers must take the following steps: Minimize the [&hellip;]","og_url":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/","og_site_name":"Library &amp; Information Technology Services","article_modified_time":"2026-02-19T19:14:54+00:00","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/","url":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/","name":"Identifying Personally Identifiable Information (PII) - Library &amp; Information Technology Services","isPartOf":{"@id":"https:\/\/www.trincoll.edu\/lits\/#website"},"datePublished":"2026-02-19T18:59:08+00:00","dateModified":"2026-02-19T19:14:54+00:00","breadcrumb":{"@id":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/identifying-personally-identifiable-information-pii\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.trincoll.edu\/lits\/"},{"@type":"ListItem","position":2,"name":"Technology","item":"https:\/\/www.trincoll.edu\/lits\/technology\/"},{"@type":"ListItem","position":3,"name":"Information Security","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/"},{"@type":"ListItem","position":4,"name":"Governance Risk and Compliance","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/"},{"@type":"ListItem","position":5,"name":"Architecture and Security Risk Review","item":"https:\/\/www.trincoll.edu\/lits\/technology\/security\/governance-risk-and-compliance\/third-party-vendor-risk-assessments\/"},{"@type":"ListItem","position":6,"name":"Identifying Personally Identifiable Information (PII)"}]},{"@type":"WebSite","@id":"https:\/\/www.trincoll.edu\/lits\/#website","url":"https:\/\/www.trincoll.edu\/lits\/","name":"Library &amp; Information Technology Services","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.trincoll.edu\/lits\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/11207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/users\/336"}],"replies":[{"embeddable":true,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/comments?post=11207"}],"version-history":[{"count":4,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/11207\/revisions"}],"predecessor-version":[{"id":11217,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/11207\/revisions\/11217"}],"up":[{"embeddable":true,"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/pages\/5011"}],"wp:attachment":[{"href":"https:\/\/www.trincoll.edu\/lits\/wp-json\/wp\/v2\/media?parent=11207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}