Keep Residents' Personally Identifiable Information Secure and Confidential

Remember to redact personally identifiable information (PII) when submitting or transmitting documents to contract administrators. It’s important to protect this information because owners and their employees are subject to penalties for unauthorized disclosure of applicant or resident information. In addition, applicants and residents may initiate civil action against an owner for unauthorized disclosure or improper use of the information they provided [HUD Handbook 4350.3, par. 5-19(B)(1)].

What is PII? Personally identifiable information is defined as “...information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” [OMB M-07-16].

Manage access to PII. According to HUD guidance, one way to protect sensitive PII is to manage access to it. You should share or discuss sensitive PII only with those who have a need to know for work purposes. Otherwise, you shouldn’t distribute or release sensitive PII to others.

Example: In one instance, a former public housing authority employee had improperly released PII outside the department. HUD auditors confirmed allegations in a hotline complaint of improper release of PII. The employee had sent at least seven emails containing a voucher holder's PII, including Social Security numbers and other personal information such as household income, to the employee’s personal email address and the work email address of a friend who worked for one of the department’s contractors [HUD Audit 2014-DE-1002].