Personally Identifiable Information

The Pennsylvania Data Security Breach Notification Laws applies to specific data elements. Information maintained by the University that can be used to distinguish or trace an individual’s identity that specifically includes Social Security Numbers (SSNs), credit card numbers, bank account numbers, Driver’s License numbers, state ID numbers, passport numbers, biometric data (including fingerprints, retina/facial images, and DNA profile), or protected health information. These data elements are defined by the University as personally identifiable information. For more information refer to University Policy, AD53, Privacy Policy.

Notifiable PII

The Pennsylvania Breach of Personal Information Notification Act applies to the data elements below when there is an associated name (first initial or first name and last name) in combination with any of the following:

  • Social Security number
  • Driver’s license number or a state identification card number issued in lieu of a driver’s license
  • Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Passport numbers
  • Biometric data (including fingerprints, retina/facial images, and DNA profile)
  • Individually identifiable health information
  • Health insurance information
  • Username or email address, in combination with a password or security question and answer that would permit access to an online account

If the Privacy Office has determined a security breach to be notifiable, it will provide guidance on next steps, including reporting obligations for other applicable state breach laws.


P-cards are not considered to be notifiable; however the department should notify its local financial officer about the detected P-card(s) so they can close the account(s).

Financial account numbers may be handled differently per Penn State practice. This is very dependent on other data components which may accompany the bank account number. Please check with the Privacy Office if bank account numbers are detected to determine whether the data is notifiable.

Corporate bank account numbers do not require notification.