Will the parties be entering into a separate contract governing treatment of any personally identifiable information that the disclosing party discloses to the recipient?

“Personally identifiable information” (PII) is a label commonly used for information such as medical records and social security numbers. It’s subject to various statutory regimes, such as the Gramm-Leach-Bliley Act and HIPAA in the U.S., PIPEDA in Canada, and the EU Data Privacy Directive in Europe.

Addressing in any detail how the parties are to handle PII would require a separate contract, as procedures for handling PII are often quite different from those found in a typical confidentiality agreement, as are the applicable standards of care and remedies. If you won’t be providing for such a contract, PII would nevertheless fall within this contract’s definition of confidential information.

In particular, this contract would carve PII out from the exclusion for public information—otherwise PII might fall within that exclusion, because elements of much PII are generally by definition publicly known to some extent. See William A. Tanenbaum, IP License Agreements Require Updating of “Boilerplate” Contract Provisions, in 14th Annual Institute on Intellectual Property Law (PLI Patents, Copyrights, Trademarks, and Literary Property Course Handbook Series No. 14967).