Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

McCallister, Erika; Grance, Tim; Scarfone, Karen

doi:https://doi.org/10.6028/NIST.SP.800-122

SP 800-122

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Documentation Topics

Date Published: April 2010

Author(s)

Erika McCallister (NIST), Tim Grance (NIST), Karen Scarfone (NIST)

Abstract

The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in the context of information security and explains its relationship to privacy using the the Fair Information Practices, which are the principles underlying most privacy laws and privacy best practices. PII should be protected from inappropriate access, use, and disclosure. This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for incidents involving PII. Organizations are encouraged to tailor the recommendations to meet their specific requirements.

Keywords

PII; confidentiality; privacy; PII confidentiality impact level; FIPS 199; personally identifiable information

Control Families

Access Control; Audit and Accountability; Identification and Authentication; Media Protection; Planning; Risk Assessment; System and Communications Protection

Documentation

Publication:
SP 800-122 (DOI)
Local Download

Supplemental Material:
SP 800-122 (EPUB) (txt)

Document History:
04/06/10: SP 800-122 (Final)

Topics

Security and Privacy
planning; privacy; risk assessment

Laws and Regulations
Federal Information Security Modernization Act; OMB Circular A-130