What is confidential and sensitive data?

Data containing personally identifiable information and other confidential/sensitive data protected by state (e.g. Iowa Code Section 22.7 or other applicable Iowa Code section) or federal law (e.g. Health Insurance Portability and Accountability Act (Privacy Rule and Security Rule), Privacy Act, Patient Safety and Quality Improvement Act (Patient Safety Rule), Social Security Number Protection Act, and Family Educational Rights and Privacy Act) must have adequate safeguards in place to mitigate potential privacy or security risks, and ensure such data is not unintentionally disclosed or compromised

Personally Identifiable Information

The U.S. Government Accountability Office has provided a comprehensive definition for personally identifiable information (or personal information):

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[1]

Personally identifiable information could also include home street addresses and emails, photographic images, etc.  Personally identifiable information will be the most common type of confidential/sensitive data you will likely encounter when working to publish your data.

Other Confidential Information

While this is by no means an exhaustive list, besides personally identifiable information, the following may also be considered confidential or sensitive:

  • Information that has commercial value and upon release could give advantage to the information provider’s competitors (e.g. trade secrets, sales and marketing plans, blue prints, process designs, financial data, etc.)
  • Information related to electronic signature, internet protocol numbers, security of electronic transactions
  • Records relating to charitable giving
  • Investigative and autopsy files and reports
  • Work products related to litigation
  • Preliminary, draft work and research materials that are not in final form
  • Location of sensitive ecological sites or archeological resources
  • Information security and  emergency preparedness procedures
  • Information on critical assets


Before automatically assuming data is confidential or sensitive, review any applicable laws to see if disclosure is authorized or if exceptions exist.  Even if an item is generally thought of as confidential or sensitive, there may be instances where law makes exceptions or where code specifically requires the information to be made available.

[1] GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.

Program Area
Open Data, Privacy, Confidentiality, Personally Identifiable Information, PII

Printed from the Iowa Department of Management website on March 20, 2018 at 10:42am.