Properly safeguarding personally identifiable information (PII) and business identifiable information (BII).


Personally Identifiable Information

The term personally identifiable information refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Sensitive PII is PII which if lost, compromised, or disclosed without authorization, could result in harm, embarrassment, inconvenience, or unfairness to an individual. The following types of PII are considered sensitive when associated with an individual:  Social Security Number (including truncated form), place of birth, date of birth, mother’s maiden name, biometric information, medical information (excluding brief references to absences from work), personal financial information, credit card or purchase card account numbers, passport numbers, potentially sensitive employment information (e.g., performance ratings, disciplinary actions, and results of background investigations), criminal history, and any information that may stigmatize or adversely affect an individual.

Context of information is important. The same types of information can be sensitive or non-sensitive depending upon the context. For example, a list of names and phone numbers for the Department’s softball roster is very different from a list of names and phone numbers for individuals being treated for an infectious disease.

If sensitive PII is electronically transmitted, it must be protected by secure methodologies, such as encryption, Public Key Infrastructure, or secure sockets layer. When in doubt, treat PII as sensitive.

Back to Top

Business Identifiable Information

Business Identifiable Information is information that is defined in the Freedom of Information Act (FOIA) as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” (5 U.S.C.552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. “Commercial” is not confined to records that reveal “basic commercial operations” but includes any records [or information] in which the submitter has a “commercial interest” and can include information submitted by a nonprofit entity. Or (b) commercial or other information that, although it may not be exempt from release under FOIA, is exempt from disclosure by law (e.g., 13 U.S.C. 9).

Commercial or financial information is considered confidential if disclosure is likely to cause substantial harm to the competitive position of the person from whom the information was obtained. Examples of BII include financial information provided in response to requests for economic census data, business plans and marketing data provided to participate in trade development events, commercial and financial information collected as part of export enforcement actions, proprietary information provided in support of a grant application or related to a federal acquisition action, and financial records collected as part of an investigation.

BII received by the Department must be similarly protected as PII, in accordance with applicable laws.

Back to Top

Employee/Contractor Responsibilities

A Department of Commerce employee/contractor is responsible and accountable for:

  • Knowing what constitutes PII and BII
  • Handling and protecting PII and BII
  • Following Federal laws, rules, regulations, and Departmental privacy policy regarding PII and BII
  • Recognizing a PII breach incident and immediately reporting it upon discovery/detection.
  • Successfully completing training relative to safeguarding PII.

Back to Top

Ways to Protect PII

  • Use secure methodologies, such as encryption, to electronically transmit sensitive PII information.

  • Encrypt sensitive PII on mobile computers, media and other devices

  • Lock or log off of unattended computer systems.

  • Destroy sensitive paper PII by shredding or using burn bags.

  • Delete sensitive PII by emptying electronic “recycle bin”.

  • Store sensitive PII on Federal Government systems only.

  • Secure PII data properly while away from your desk or at the end of the day.

  • Back to Top

Reporting PII Incidents

  • Upon discovery/detection, immediately report a suspected or confirmed PII breach incident to your supervisor/Contract Officer’s Representative (COR) and Bureau/Operating Unit (BOU) Computer Incident Response Team (CIRT).

  • Provide details of the PII breach incident.

  • Maintain or document information and/or actions relevant to the PII breach incident.

  • Complete corrective/remedial actions, if appropriate.

  • Chief Privacy Officer (CPO) and BOU CIRT Reporting Offices

    Back to Top


PII Breach Incident Reporting Brochure

Breach Notification Plan

Privacy Act (PA), PII and BII Breach Notification Plan

Back to Top

Questions and Comments

Send Questions, Comments or Complaints on the Commerce Privacy program to


Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce

Page last updated: October 1, 2021