Generally, information is "sensitive" to the extent that it can be linked to or identified with the individual, and the person desires to keep the PII confidential or it has a potential for causing harm to that person due to its use or abuse. People are more likely to consider PII sensitive that relates to personal attributes such as racial or ethnic origin, political beliefs, religious or moral beliefs, health status, sexual life, financial status, or other personal interests and activities.
The integrity of PII should be protected against both malicious and inadvertent alteration or disclosure.
PII should be purged when it is no longer necessary for the purpose for which it was originally collected.
I'm a little irritated right now. I've started receiving virus infested email on an account I used only with the A.C.L.U. of Washington. They've let their computers (which do contain donor information) become infected. So now that address and possibly my association with the A.C.L.U. has been sent out to countless people. Probably most of them other A.C.L.U. members. I'm not so squeamish about my membership in the A.C.L.U., but others are.
I haven't heard boo from them after notifying them. I'm hoping they give this as wide a dissemination as they have privacy breaches by other companies out there. Time to step up to the plate and be a man, A.C.L.U. of Washington.