Is using a Social Security number to track individuals training requirements?

Personally Identifiable Information, or PII, was defined by the Office of Management and Budget (OMB) in May 2007 as:

"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc."

Examples of PII include, but are not limited to:

• Contact Information
• Student ID
• Date of Birth
• Parent Names
• Social Security Number
• Alien Registration Number
• Biometric Records Bank Account Information
• Medical Information
• Grade/Employment Information

PII is not always considered "sensitive" and that context must be taken into account to determine the sensitivity of specific PII.  PII is considered "sensitive" if - whether alone or in combination with other PII - it can be used to uniquely identify, contact, or locate a single person and expose them to harm. 

Unauthorized access, use, or disclosure of sensitive PII harms affected individuals by exposing them to the possibility of identity theft and/or by publicly revealing information they otherwise would have kept private.  PII breaches can also expose organizations to a variety of financial and non-financial risks such as: investigations, lawsuits, fines, regulatory sanctions, and reputational damage.

Safeguarding PII refers to protecting PII from loss, theft or misuse while simultaneously supporting the university's mission.  Effectively safeguarding PII requires university personnel to be diligent and proactive when processing and protecting this information, but it also significantly enhances the overall privacy posture throughout the university.

Personal Identifiable Information is prohibited under DoD 5400.11R (Department of Defense Privacy Program). Contact information should only be an organization or office symbol, general address, and phone number (personal home/mobile numbers prohibited).

"DL1.14. Personal Information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual)."

PII is any information that can be used to distinguish or trace a person's identity either alone or when combined with other personal or identifying information. PII includes but is not limited to:

• Person's name or initials (e.g., John Doe, John D, JD)
• Date of birth
• Social Security Number (SSN)
• Bank account information
• Home address
• Phone number
• Health records
• Social Security benefit payment data

Sending PII to Social Security or the Ticket Program Manager (TPM)

ENs are prohibited from sending PII by email to Social Security and TPM, even if it is encrypted. The only exception is when ENs submit documentation to the Center for Suitability and Personnel Security (CSPS) as part of the Suitability process.

ENs must use any of the methods noted below to submit PII to Social Security or TPM:

• Email: work case (WC) number to [email protected]
• Fax: 1-703-893-4020
• Mail: P.O. Box 1433, Alexandria, VA 22313
• Call the Payments Help Desk: 1-866-949-9687 (Monday through Friday, 9 a.m. – 5 p.m. EST)
• Government-to-Government Services Online (GSO): for Services and Supports Reviews ONLY

TPM will route all faxes and mail to the correct department. Please allow extra time for processing.

Best practices for faxing or mailing PII to TPM

• Always use a cover sheet.
• Include your EN name and DUNS number on the cover sheet.
• Include the subject and department, for example: "Program Integrity – Services and Supports Review".
• Organize your documents so that all documents pertaining to one SSN are grouped together.
• If faxing, always print a confirmation sheet in case there are faxing issues.

Please contact [email protected] with any questions concerning the use of electronic systems for transmitting PII.

Sending PII to other (non SSA/TPM) email addresses

If EN employees are using the EN's own or any other non-SSA email system (e.g., Yahoo!, Gmail), they may send email messages transmitting PII only if the PII is entirely contained in an encrypted attachment. ENs may not include PII in the body of the email or in an unencrypted attachment. This procedure applies when emailing PII from a non-SSA system to any email address.

• Note: This includes Ticketholder resumes. ENs can submit Ticketholder resumes through an employer website if the employer website is secure and encrypted (https).

ENs text messaging with beneficiaries

ENs are not permitted to send PII to beneficiaries/Ticketholders via text message. SSA does not govern what beneficiaries send to ENs via text message.

Consequences for PII Violations

The following are consequences for ENs who commit violations involving transmission of PII through email to Social Security or TPM.

What is considered personal identifiable information?

What are two examples of personally identifiable information?

Which of the following is not considered personally identifiable information?

What are considered PII answers?