Existing Citations

  • mosaic effect (p. 4): The mosaic effect occurs when the information in an individual dataset, in isolation, may not pose a risk of identifying an individual (or threatening some other important interest such as security), but when combined with other available information, could pose such risk. Before disclosing potential PII or other potentially sensitive information, agencies must consider other publicly available data – in any medium and from any source – to determine whether some combination of existing data and the data intended to be' publicly released could allow for the identification of an individual or pose another security concern. (†1565)
  • mosaic effect (p. 9): As agencies consider whether or not information may be disclosed, they must also account for the "mosaic effect" of data aggregation. Agencies should note that the mosaic effect demands a risk-based analysis, often utilizing statistical methods whose parameters can change over time, depending on the nature of the information, the availability of other information, and the technology in place that could facilitate the process of identification. (†1568)
  • open data (p. 5): [Abridged, with discussion of principles omitted due to length] Publicly available data structured in a way that enables the data to be fully discoverable and usable by end users. In general, open data will be consistent with the following principles: public, accessible, described, reusable, complete, timely, and managed post-release. (†1567)
  • personally identifiable information (p. 4): As defined in OMB Memorandum M-10-23 [Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010)], "personally identifiable information" (PIT) refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available (in any medium and from any source) that, when combined with other available information, could be used to identify an individual. (†1566)