SS-08-002 Classification of Personal Information

Issue Date:  3/31/2008

Revision Effective Date:  3/31/2008 

Review Date: 7/1/2018


State government often requests, access, and maintains the personal information of its employees, clients, and constituency during the course of conducting official state business.  The state has a legal and fiduciary obligation to protect this information from unauthorized disclosure and modification.


Agencies managing Personally Identifiable Information (PII) and Protected Health Information (PHI) about employees, clients, and/or constituents shall consider the potential impact from loss of confidentiality and/or integrity to be MEDIUM or MODERATE.


Personally Identifiable Information (PII) - an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social Security Number (SSN)
  2. Driver’s license number or state identification card number
  3. Account number, credit or debit card number
  4. Account passwords or personal identification numbers (PIN) or other access codes
  5. Any of the items A through D when not in connection with the individual’s first name or first initial and last name, if the information is sufficient to perform or attempt to perform identity theft of other forms of fraud against the person whose information was compromised.

Protected Health Information (PHI) - any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing health care services such as diagnosis or treatment.

*The term ‘personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.