
02. Sep 20
Direct identification of an individual using personal data

Sometimes it can be difficult to discern whether a natural person is identified directly or indirectly. It can also be difficult to decide which method is better for which situation. If you haven't checked out our post Identification of an individual using personal data, we advise you to do so. Reading that post first will help you understand this one better and read it faster.

A person is directly identifiable if it’s possible to identify them using nothing but the information (identifiers) at hand, that is, the data already controlled and processed (e.g. first and last name), without introducing additional data from external sources.

It is obvious that a person is directly identifiable if the following information (composite identifier yielding unique value response) is available:

  • Mr. John STEWART (data types: salutation, first name, last name)
  • 190 Rue Palatine (data types: house number, street name)
  • 75006 Paris (data type: postal code, city)
  • France (data type: country)

The next example of direct identification is using this simple identifier yielding a unique value response:

  • john.stewart@acme.com

This identifier is human-readable and as a result discloses the first and last name of the individual and his employment at Acme Ltd. The name of the person is indeed the most common result in direct identification. In practice, the idea of an "identified person" most often implies a reference to the person's name.

In order to ascertain the identity and to prevent confusion, the name of the person sometimes has to be combined with other pieces of information that include, but are not limited to:

  • date of birth
  • place/city of birth
  • names of the parents
  • photograph of the face

Sometimes confirming a person's identity requires that a picture of their face be associated with their name, or even a photograph of their face together with an identification document (ID card, passport, or driver's license), taken so that the identification document in the "selfie" is readable (both human-readable, i.e. not blurry, and machine-readable with AI-powered OCR). Taking a selfie with a passport as one of the identity confirmation steps is quite usual in web apps related to virtual currency markets (like Bitcoin and similar).

The question remains: how do those market players guarantee that they dispose of the data they no longer process, and is that a time bomb for personal data breaches?

Online banks and FinTech companies commonly use a step in the direct identity confirmation process that consists of transferring a small sum of money (e.g. 1,00 EUR or 1,00 USD) coupled with a reference code, unique to a specific new customer, in the remittance order. That small sum confirms to the online bank that a person with that first and last name is indeed the owner of the specific bank account. FinTech companies leverage the fact that traditional brick and mortar banks have personally checked the identification documents and the photo of that specific person.
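The reference-code step described above can be sketched as follows. This is an added example, not code from the author or from any bank: the function names, the `REF-` code format, the 7-day expiry and the name-matching rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret
CODE_TTL = 7 * 24 * 3600               # assumption: codes expire after 7 days


def _tag(code: str) -> str:
    # Store only a keyed hash so a leaked table does not reveal usable codes.
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()


def _name_key(name: str) -> list[str]:
    # Assumed matching rule: ignore case, accents and word order.
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return sorted(plain.casefold().split())


def issue_code(pending: dict, customer_id: str, claimed_name: str, now: float) -> str:
    code = "REF-" + secrets.token_hex(5).upper()
    pending[_tag(code)] = {
        "customer": customer_id,
        "name": _name_key(claimed_name),
        "expires": now + CODE_TTL,
    }
    return code


def match_remittance(pending: dict, remittance: dict, now: float):
    """Return (customer_id or None, verdict) for one incoming transfer."""
    reference = remittance["reference"].strip().upper()
    # pop(): a code is single-use, and the pending record is dropped
    # as soon as it has served its purpose.
    record = pending.pop(_tag(reference), None)
    if record is None:
        return None, "unknown_reference"
    if now > record["expires"]:
        return record["customer"], "expired"
    if _name_key(remittance["sender_name"]) != record["name"]:
        return record["customer"], "name_mismatch"
    return record["customer"], "verified"
```

The sender name on the remittance is the value the traditional bank has already checked; the sketch keeps only the normalized claimed name and a keyed hash of the code, and deletes both once the transfer has been matched.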

Confirming the full name of a person and their bank account number has become ordinary practice in the proliferating FinTech industry, even though online banks and FinTech companies still bury their privacy policies in small print that many of their users don't read, and do not make a practice of reporting back to their users when they dispose of personal data they no longer need.

Direct identification uses composite identifiers that are clearly about individuals, and those identifiers:

    • describe the individual by common attributes (first name, last name, street, number, postal code, city name, country, parents' names, social security number, email, mobile phone number, profession, work experience, etc.) or
    • distinguish the individual from a group with special, distinguishable, rare, or sensitive attributes (height, weight, eye color, hair color, health-related information, marital status, a politically exposed person, high net worth individual, tattooed, pierced, member of a protected class or a minority, health information, sex-life-related information, sexual orientation, biometric data, physical, physiological, genetic, mental, economic, cultural or social identity, etc.) or
    • describe many aspects of a context (link type: employment, membership in a gym, membership in a political party, a customer of a telecom service, a student at a university, a patient in a clinic, etc.)

This blog post is made available by the author who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only as well as to present views of the author on how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details) nor does it constitute a
