Research: What is the simplest way to get PII from the list of Categories of Records? #7
Comments
@nikzei and @peterrowland to pair on tightening up AC.
Two examples of previous projects that used natural language processing to categorize text data into consistent categories: https://github.com/GSA/calc/pull/997 and https://github.com/18F/10x-ssp-parse-prototype
Marcela referred me to the Commodity Futures Trading Commission as an example of plain-language terms for PII.
The question surfaced: Do SORN Categories of Records == PII? Privacy Act defines a record as: and a System of Record as:
https://www.law.cornell.edu/uscode/text/5/552a
If Privacy Act 'records' are personal information, should we consider personal information PII? GAO report (08-536) uses the terms 'Personal Information' and 'Personally Identifiable Information' interchangeably, and uses this definition:
NIST's guidance on protecting PII (800-22) references this definition and goes into detail on what information can be used to
We should ask Richard or Marcela to confirm if GSA also uses this definition.
@peterrowland Thank you for this research. I was wrong in my assumption that Categories of Records meant something different enough from PII that we should treat them differently. Based on what you found above, I'm going to start talking about them both as pretty much the same thing, and will use the terms interchangeably. Is there anything else you want to do before we close this issue?
What:
Research: What is the simplest way to get PII from the list of Categories of Records?
Depends on:
#5 and #6
Why:
If our assumptions about OMB A130 are correct, then we need a repeatable way to turn categories of records from PIAs and SORNs into an inventory of PII. Something we can turn into code would be best. Instructions on how to do it by hand work too, just less enticing for a new agency wanting to use our service.
What:
Just an example of one way: Find some official NIST or GSA list of PII. We compare that official list against the categories of records, keeping only the matching PII. If no official list exists, make your own list. Using your expertise, choose what is PII and what isn’t. The GSA privacy office would probably love to help. They could maybe even do it for you?!?
Try to avoid anything complicated, like combinations of records that become PII.
Acceptance:
We will have an understanding of the suggested approach. The partners have agreed to this approach.
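One way the list-comparison approach described in this issue could look in code, as an added example that is not part of the original issue or the project's code. The `PII_TERMS` list and the sample text are constructed for illustration and are not an official NIST or GSA list; items that match nothing are returned separately for human review.

```python
import re

# Constructed reference list, NOT an official NIST or GSA list: canonical PII
# term -> phrasings that might appear in a SORN or PIA.
PII_TERMS = {
    "name": ["name", "full name"],
    "social security number": ["social security number", "ssn"],
    "date of birth": ["date of birth", "birth date", "dob"],
    "home address": ["home address", "mailing address", "residential address"],
    "email address": ["email address", "e-mail address"],
    "phone number": ["phone number", "telephone number"],
}

def normalize(text):
    """Lowercase, turn punctuation into spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

def split_categories(section):
    """Split a 'Categories of Records' paragraph into individual items."""
    parts = re.split(r"[;,\n]|\band\b", section)
    return [p.strip(" .") for p in parts if p.strip(" .")]

def build_inventory(section):
    """Return (inventory, unmatched): inventory maps each canonical PII term to
    the category items that mention it; unmatched items need human review."""
    inventory, unmatched = {}, []
    for item in split_categories(section):
        norm = normalize(item)
        # Whole-word match on any phrasing, tolerating a simple plural ending.
        hits = [term for term, variants in PII_TERMS.items()
                if any(re.search(r"\b" + re.escape(normalize(v)) + r"(?:es|s)?\b", norm)
                       for v in variants)]
        for term in hits:
            inventory.setdefault(term, []).append(item)
        if not hits:
            unmatched.append(item)
    return inventory, unmatched

# Constructed sample text, written in the style of a SORN section.
SAMPLE = ("Records include names, Social Security Numbers (SSN), "
          "e-mail addresses; home address, and badge photographs.")

if __name__ == "__main__":
    found, review = build_inventory(SAMPLE)
    print("PII inventory:", found)
    print("Needs human review:", review)
```
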