A question frequently asked by members of the Department of the Navy (DON) is: Is my name PII? The answer is yes. Your name is PII. The definition of PII taken from the Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource” is: ‘Personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
By this definition, many elements in addition to name fit the definition of PII, such as date of birth (DOB), Social Security number (SSN), Department of Defense Identification number (DoD ID), passport number, fingerprints, iris scan, and email address, and the list goes on.
Many times the questioner wants to know: Is the release of my name a PII breach? More broadly asked: What PII is it OK to share without causing a breach? There are two blanket cases recognized by the DON privacy office where disclosure of PII is not a reportable breach.
First, if it is your PII, or that of your spouse or children, you are of course free to share it with anyone you would like, without taking any precautions to prevent further dissemination of your PII. Doing so is fraught with risk, however, and is neither recommended nor encouraged by the DON privacy office; it is, in fact, strongly discouraged. Properly protecting your own PII and that of those who rely upon you to protect theirs, such as your spouse and children, is critical to thwarting identity theft.
Second, there are PII elements which are generally releasable under the Freedom of Information Act (FOIA) or authorized by DoD policy. These PII elements are typically referred to as “rolodex PII,” “business PII,” “office PII” or “non-sensitive PII.” They include full name, DoD ID, DoD benefits number, pay grade or rank, office phone number, office address, and office email address. Considering the above, the release of a digital signature, which includes your name and DoD ID, does not constitute a breach even though it is PII by definition, nor would the release of the typical email signature block.
The release of rolodex PII can of course become a breach; it depends upon the circumstances and context of the release. If in doubt as to whether or not the release of any PII elements, alone or in combination, is a breach, report it. The DON standard is to report a breach or suspected breach of PII within one hour. The sooner a breach is reported and can be addressed, the easier it is to mitigate its impact.
For more information on responding to a PII breach within the DON see the PII Breach Reporting Resources page on the DON CIO website: http://www.doncio.navy.mil/.