What is Personal Identity Information (PII)?
Personal Identity Information
PII stands for personal identity information, or specific kinds of information that can be used to identify you. If it’s not stored securely, and if identity thieves find it, they can get into accounts, take money, impersonate you, or impersonate someone you work with. Many bad outcomes are possible. Individuals should scan for it, then delete it or store it offline. Campus units need to take specific steps; you can read more about it on this page. Improving the protection of PII is part of the UC Davis central security initiative that began in 2012.
PII: an expanded definition
Personal Identity Information (PII) is a specific type of particularly sensitive data. It is unencrypted electronic information that includes an individual’s first name or initial, last name, and at least one of these:
- Social Security number (SSN)
- Driver’s license or state ID card number
- Financial account, credit card*, or debit card number, combined with any security code, access code, password or related data, such as an account expiration date or mother’s maiden name, that could permit access to an individual’s financial account
- Medical information
- Health insurance information
California State Law (Civil Code 1798.29) mandates appropriate protections for PII, and requires individuals to be notified of any reasonable suspicion that the protection of their PII has been compromised. The University of California must meet these legal requirements and inform its employees about requirements and responsibilities relating to PII.
*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard.
How do I find it?
University-related PII is likely to be found in files and email containing the following kinds of information. (This list is not complete. Use it as a guide to locate PII you might not know about. Remember to check old and archival files and email.)
- Student records, including old class lists, student rosters, financial aid and grade records
- Personnel- or academic-related spreadsheets, databases, and files
- Old reimbursement forms, such as for travel expenses
- Health, medical, or insurance records
- Downloads from Banner/KFS, PPS, or similar campus services
- Financial spreadsheets
- Old applications (job or student), performance evaluations, or reference letters
- Credit card sale records
- Credit and collections records
- Research proposals or databases, research grant applications, or other intellectual property (IP)
- Data related to DMV pull notices
Examples of electronic devices on which personal or sensitive data might be stored:
- Desktop and laptop computers
- Personal or home computers used for university business
- Smartphones and other mobile devices
- Removable media, such as CDs/DVDs, flash drives, disks, and backup tapes
How do I protect PII?
- First, follow the basics. Use sturdy passphrases, install software updates, don’t leave your devices unattended in public, and set a timeout on your smartphone.
- Scan your personal computers for PII.
- Delete all PII you don’t need to keep. If you must keep it, encrypt your computer.
Am I vulnerable?
- Anyone who uses PII as part of their work is vulnerable if they don't take steps to secure the data.
Campus unit requirements
- Units must scan computing systems each year to ensure their PII is protected from unauthorized access.
- As appropriate, units may use whole-disk encryption to protect PII that must be kept on computers or portable devices, or they may remove the PII.
Where can I get help?