CUI Category: Sensitive Personally Identifiable Information

A subset of PII that, if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.  Some forms of PII are sensitive as stand-alone elements.

a. Examples of stand-alone PII include Social Security Numbers (SSN), driver's license or state identification number; Alien Registration Numbers; financial account number; and biometric identifiers such as fingerprint, voiceprint, or iris scan.

b. Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements:

1. Truncated SSN (such as last four digits)
2. Date of birth (month, day, and year)
3. Citizenship or immigration status
4. Ethnic or religious affiliation
5. Sexual orientation
6. Criminal history
7. Medical information
8. System authentication information such as mother's maiden name, account passwords, or personal identification numbers

c. Other PII may be "sensitive" depending on its context, such in as a list of employees and their performance rating(s) or an unlisted home address or phone number.  In contrast, a business card or public telephone directory of agency employees contains PII but is not sensitive.