imiric 3 hours ago

You're being deceptively dense.

PII has a very clear definition. Posts on a public forum are not part of it.

mpyne 2 hours ago

> PII has a very clear definition.

It doesn't, actually, as many would-be DoD IT system owners are surprised to find that simply generating a 32-bit random UUID as a user ID is, per the regs, PII, and therefore makes your proposed IT system IL4 with a Privacy Overlay (and a requirement to go into GovCloud with a cloud access point) instead of IL2 and hostable on a public cloud.

Oh and now you need to file a System of Records Notice into the Federal Register (which is updated only by DoD, and only infrequently) before you can accept production workloads.

There is a separate concept of "sensitive PII" (now Moderate or High Confidentiality impact under NIST 800-122) which replaces what people used to call the "Rolodex Business Exemption" to PII/privacy rules.

But PII is very clear: "Personally Identifiable Information". Any information that identifies a specific individual, like for example, your HN username. Unless a collective is posting on your handle's behalf?