This guide is intended to provide University buyers with guidance on how to identify personally identifiable information (PII) when negotiating service agreements or issuing purchase orders for work to be performed by outside vendors. If the vendor will handle, process or have the ability to access PII, then buyers must take the following steps:
- Minimize the vendor’s use, collection and retention of PII to what is strictly necessary to accomplish the vendor’s business purpose and scope of work; consider the feasibility of de-identifying or anonymizing the information before it is shared.
- Require the vendor to obtain additional Information Security/Cyber Liability insurance in the amounts recommended by Risk Management.
- Require the vendor to execute a Personal Data Protection Addendum (in addition to the applicable services agreement or purchase order).
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) includes:
“(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”1
Examples of PII include, but are not limited to:
- Name: full name, maiden name, mother’s maiden name or alias
- Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number or credit card number
- Personal address information: street address or email address
- Personal telephone numbers
- Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
- Biometric data: retina scans, voice signatures, or facial geometry
- Information identifying personally owned property: vehicle identification number (VIN) or title number
- Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person
The following examples on their own do not constitute PII, because more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:
- Date of birth
- Place of birth
- Business telephone number
- Business mailing or email address
- Geographical indicators
- Employment information
- Medical information2
- Education information3
- Financial information
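The minimization step above asks buyers to consider de-identifying data before a vendor receives it, and the list of "linked or linkable" attributes shows why removing names and numbers alone is not enough: dates of birth, ZIP codes and similar quasi-identifiers can re-identify a person when combined. The following Python example is added here and is not part of the University's guide. It uses constructed donor records (not real people) and a hypothetical pseudonymization key; it shows the pattern a practitioner would apply to the fundraising example later in this guide: direct identifiers are replaced with a keyed hash (HMAC) so the vendor can still group records per donor without being able to recover the SSN, quasi-identifiers are generalized (age band, 3-digit ZIP prefix), and the outgoing dataset is checked for residual identifiers before release.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample records (not real people). The field set mirrors the donor
# example in the guide: names, home addresses, phone numbers, financial data.
DONORS = [
    {"name": "Ada Lovelace", "ssn": "123-45-6789", "email": "ada@example.org",
     "dob": "1985-12-10", "zip": "15213", "phone": "412-555-0101", "gift_usd": 250},
    {"name": "Alan Turing", "ssn": "987-65-4321", "email": "alan@example.org",
     "dob": "1972-06-23", "zip": "15260", "phone": "412-555-0102", "gift_usd": 1200},
    {"name": "Ada Lovelace", "ssn": "123-45-6789", "email": "ada@example.org",
     "dob": "1985-12-10", "zip": "15213", "phone": "412-555-0103", "gift_usd": 75},
]

# Hypothetical pseudonymization key. It stays with the University; the vendor
# never receives it, so tokens cannot be mapped back to a person without it.
PSEUDONYM_KEY = b"replace-with-a-random-32-byte-secret-from-a-vault"
REFERENCE_DATE = date(2024, 1, 1)  # fixed "today" so the example is reproducible


def pseudonym(key: bytes, direct_identifier: str) -> str:
    """Keyed hash of a direct identifier. Same input -> same token, so the vendor
    can still group records per donor. A plain SHA-256 would be reversible by
    brute-forcing the small SSN space, hence HMAC with a secret key."""
    normalized = direct_identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, today: date, width: int = 10) -> str:
    """Generalize a date of birth (a quasi-identifier) to a 10-year age band."""
    y, m, d = (int(x) for x in dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def deidentify(record: dict, key: bytes, today: date) -> dict:
    """Keep only what a fundraising-analytics task needs; drop everything else."""
    return {
        "donor_token": pseudonym(key, record["ssn"]),
        "age_band": age_band(record["dob"], today),
        "zip3": record["zip"][:3],  # 3-digit ZIP prefix instead of the full ZIP
        "gift_usd": record["gift_usd"],
    }


# Patterns for direct identifiers that must not appear in the outgoing dataset.
DIRECT_ID_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def residual_pii(rows: list) -> list:
    """Return (row_index, field, pattern_name) for every value that still
    looks like a direct identifier."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            for name, pat in DIRECT_ID_PATTERNS.items():
                if pat.search(str(value)):
                    hits.append((i, field, name))
    return hits


def build_vendor_dataset(records: list, key: bytes, today: date) -> list:
    """De-identify all records and refuse to release them if anything leaked."""
    rows = [deidentify(r, key, today) for r in records]
    leaks = residual_pii(rows)
    if leaks:
        raise ValueError(f"direct identifiers remain in vendor dataset: {leaks}")
    return rows


def build_sample() -> list:
    """Vendor-ready view of the constructed DONORS records."""
    return build_vendor_dataset(DONORS, PSEUDONYM_KEY, REFERENCE_DATE)


if __name__ == "__main__":
    print("direct identifiers in raw records:", len(residual_pii(DONORS)))
    for row in build_sample():
        print(row)
```

The two records for the same donor receive the same `donor_token`, so the vendor can still total gifts per person, while the raw SSN, name, email and phone never leave the University. Whether an age band and a 3-digit ZIP are coarse enough depends on the population size; for small groups, coarser bands or suppression may be needed.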
When Would a Vendor Have Access to PII?
Examples of services or work involving vendor access to PII include:
- Contractor hired to develop software to assist Institutional Advancement in fundraising activities: the contractor could have access to PII of alumni/donors such as names, home mailing addresses, personal telephone numbers and financial account information.
- License obtained for a cloud-based survey tool to be used by University researchers: depending on the nature of the survey, the licensor of the cloud-based service may have access to or host PII such as the names of survey respondents, email addresses, and demographic data (e.g., age, income level, medical information, or educational background).
- Contractor hired to develop or upgrade physical access control systems (e.g., card swipe entry readers): the contractor could have access to any PII collected via the card swipe, such as names, social security numbers, and University ID numbers.
Resources and Additional Questions
If you have any questions about this guide, please contact the University of Pittsburgh’s Office of General Counsel: http://www.ogc.pitt.edu/
- OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf
- University of Pittsburgh HIPAA Policies: http://www.pitt.edu/hipaa/
- Family Educational Rights and Privacy Act (FERPA): http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Pennsylvania Breach of Personal Information Notification Act: http://www.palrb.us/pamphletlaws/20002099/2005/0/act/0094.pdf
- Pennsylvania Privacy of Social Security Numbers Act: http://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=HTM&sessYr=2005&sessInd=0&billBody=S&billTyp=B&billNbr=0601&pn=1791
1 OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
2 Medical information may be subject to additional HIPAA requirements.
3 Education information may be subject to additional FERPA requirements.