Protecting the Confidentiality of Personally Identifiable Information (SP 800-122)

SP 800-122, a special publication released in April 2010 by the US National Institute of Standards and Technology (NIST), is a resource for those responsible for assessing privacy and designing and implementing privacy controls within information systems and business processes. This article offers a brief introduction to the key concepts and important elements of this publication.

Major Recommendations

The SP 800-122 aims to provide usable guidelines for a risk-based approach to protecting personally identifiable information (PII), particularly in US federal government agencies and their business associates. To this end, the publication makes the following recommendations:

  • Organizations should identify all PII that resides in their environment
  • Organizations should minimize the use, collection and retention of PII to what is strictly necessary to accomplish their business purpose and mission
  • Organizations should categorize their PII by the PII confidentiality impact level
  • Organizations should apply the appropriate safeguards for PII, based on the PII confidentiality impact level
  • Organizations should develop an incident response plan to handle breaches involving PII
  • Organizations should encourage close coordination among their chief privacy officers, senior agency officials for privacy, chief information officers, chief information security officers and legal counsel when addressing issues related to PII

PII Confidentiality Impact Levels

The publication encourages organizations to protect PII from confidentiality breaches. According to US law, the security objective of confidentiality is defined as, “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” As such, organizations should protect PII based on its impact level. In order to determine the PII confidentiality impact level, organizations should take into account additional PII considerations in order to determine if additional protections should be implemented.

PII confidentiality impact levels range from low, to moderate or high and indicate the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used or disclosed. The PII confidentiality impact level is then used to supplement the provisional confidentiality impact level (as described in the Federal Information Processing Standards Publication 199, Standards for Security Categorization for Federal Information and Information Systems).

The following factors are used to determine PII confidentiality impact levels:

  • Identifiability – How easily can PII be used to identify specific individuals? PII that is uniquely and directly identifiable may require a higher impact level than PII that is not directly identifiable when used on its own.
  • Quantity of PII – How many individuals are identified in the information? A higher impact level may be required for particularly large PII datasets than would otherwise be set. It’s also important to consider that a lower impact level should not automatically be set for a PII dataset, simply because it contains a small number of records.
  • Data Field Sensitivity – What is the organization’s evaluation process for each individual PII data field, as well as the sensitivity of the PII data fields together? The PII confidentiality impact level is often set at ‘moderate’ if a certain data field (e.g. SSN, medical history, financial account information, etc.) is present. Data fields may also be considered more sensitive if there is greater potential harm when used for purposes other than their intended use.
  • Context of Use – This factor is related to the Fair Information Practices of “purpose specification and use limitation.” Context of use refers to the purpose for which PII is originally collected, stored, used, processed, disclosed or disseminated. Organizations need to assess the context of use, as it is important in understanding how the disclosure of data elements can potentially harm individuals and the organization.
  • Obligation to Protect Confidentiality – Organizations subject to obligations of protecting PII must consider their responsibilities when determining impact levels. For instance, certain organizations may be subject to the Privacy Act, OMB memoranda, the HIPAA (Health Insurance Portability and Accountability Act), or other laws, regulations or mandates.
  • Access to and Location of PII – Organizations should consider the nature of authorized access to PII. There is a higher likelihood of compromised confidentiality of PII is accessed more often, or by more people and systems. Normally, PII that is stored or regularly transported off-site by employees ought to be assigned a higher PII confidentiality impact level.


This article takes a look at the NIST Special Publication 800-122, otherwise entitled the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). This publication offers guidelines for a risk-based approach to protecting the confidentiality of PII and makes recommendations on best practices for US federal government agencies, as well as those entities that conduct business on behalf of the agencies.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

  • SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (I.C.f.ii.2.a.)

No comments yet to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122)

  • Urvashi Saxena

    Once the sensitive information is discovered, it needs to be protected with specific functions that comply with data privacy laws, and follow business rules that render that data safe but effective for ongoing use. Data masking tools like IRI FieldShield are purpose-built for securing PII in databases and file files.

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>