Frequently Asked Questions


Open Government
Freedom of Information Act (FOIA)

Privacy Act (PA)
Federal Advisory Committee Act (FACA)  


Directives Management  

What is personally identifiable information (PII)?

Personally identifiable information (PII) is any information that can be used to distinguish or trace a person's identity.

Return to top

What are examples of personally identifiable information (PII)?

Examples of personally identifiable information (PII) include :

      • Social Security Number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number;
      • Personal address and phone number;
      • Biometric records such as photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, retina scan, voice signature, facial geometry; and
      • Information that when combined with other information like that listed above which can then be used collaboratively to identify a specific individual. For example, date of birth, place of birth, race, religion, geographical indicators, employment information, medical information, education information, financial information.

Return to top

What are the risks if personally identifiable information (PII) is misused?

Both the individual whose personally identifiable information (PII) was the subject of the misuse and the organization that maintained the PII may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic, or physical harm resulting in potential loss of life, loss of livelihood, or inappropriate physical detention. If the information lost is sufficient to be exploited by an identity thief, for example, the person may suffer from a loss of money, damage to credit, a compromise of medical records, threats, and/or harassment. The individual may also suffer tremendous losses of time and money to address the damage. Other potential harms which may result from the compromise of an individual's PII include embarrassment, improper denial of government benefits, blackmail, and discrimination.

Likewise, organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include administrative burden, remediation costs, financial losses, loss of public reputation and public trust, and legal liability.

Return to top

Why should I be interested in the Privacy Act?

The Privacy Act of 1974 as amended at 5 U.S.C. 552a, is a code of fair information practices which mandates how Federal agencies, like the Department of Defense, maintain personally identifiable information (PII), i.e., records that uniquely identify you. The basic provisions of the Act require government agencies to:

      • collect only information that is relevant and necessary to carry out an agency function;
      • maintain no secret records on you;
      • explain, at the time the information is being collected, why it is needed and how it will be used;
      • ensure that the records are used only for the reasons given, or seek your permission when another purpose for their use is considered necessary or desirable;
      • provide adequate safeguards to protect the records from unauthorized access and disclosure;
      • allow you to see the records kept about you and provide you with the opportunity to correct inaccuracies in your records; and
      • allow you to find out about disclosures of your records to other agencies and persons.

The Privacy Act prohibits disclosure of these records without the written consent of the individual(s) to whom the records pertain unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act 'systems of records.' A notice for each such system of records is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used.

The Privacy Act binds only Federal agencies, and covers only records in the possession and control of Federal agencies.

Return to top

What information is covered under the Privacy Act?

Only information held within a Federal agency's systems of records is protected under the Privacy Act.

Return to top

What is a System of Records?

A system of records (SOR) is a group of records under the control of a Federal government agency from which personal information about an individual is retrieved by the name of the individual, or by some other identifying number, symbol, or other unique identifier.

Return to top

What is a System of Records Notice (SORN)?

A system of records notice (SORN) is a description of any Privacy Act system of records. SORNs generally describe the 'who, what, where, and why' of a system and describe the processes for individuals to access or contest the information being held on them in that system. SORNs are required to be published in the Federal Register for a period of public comment before the system data collection (paper based or electronic) is started.

Return to top

Questions and Comments

Send Questions or Comments on the Commerce Office of Privacy and Open Government programs to

Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce


Page last updated:October 28, 2016