Rules and Policies - Protecting PII - Privacy Act
Note: The information on this page is intended to inform the public of GSA's privacy policies and practices as they apply to GSA employees, contractors, and clients.
What is Personally Identifiable Information (PII)?
In the appendix of OMB M-10-23 (Guidance for Agency Use of Third-Party Websites and Applications), the definition of PII was updated to include the following:
Personally Identifiable Information (PII)
The term “PII,” as defined in OMB Memorandum M-07-16 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual.
GSA Directive CIO P 2180.2
CIO GSA Rules of Behavior for Handling Personally Identifiable Information (PII)
Outdated on: 10/08/2026
SUBJECT: GSA Rules of Behavior for Handling Personally Identifiable Information (PII)
Purpose: This directive provides GSA’s policy on how to properly handle PII and the consequences and corrective actions that will be taken if a breach occurs.