Sometimes it can be difficult to discern if a natural person identified directly or indirectly. It can be difficult to decide which method is better for which situation. If you haven't checked out our post Identification of an individual using personal data we advise you to do so. Reading the blog post about identification using personal data can make you understand this post better and read it faster.

A person is directly identifiable if it’s possible to identify them using nothing but information (identifiers) at hand, controlled and processed, without introducing additional data from external sources (e.g. first and last name).

It is obvious that a person is directly identifiable if the following information (composite identifier yielding unique value response) is available:

• Mr. John STEWART (data types: salutation, first name, last name)
• 190 Rue Palatine (data types: house number, street name)
• 75006 Paris (data type: postal code, city)
• France (data type: country)

The next example of direct identification is using this simple identifier yielding a unique value response:

• john.stewart@acme.com

This identifier is human-readable and as result has disclosure of the first and last name of the individual and his employment at Acme Ltd. The name of the person is indeed the most common result in direct identification. Practically, the idea of "identified person" implies most often a reference to the person's name.

In order to ascertain the identity and to prevent confusion, the name of the person sometimes has to be combined with other pieces of information that include, but are not limited to:

• date of birth
• place/city of birth
• names of the parents
• photograph of the face

Sometimes it is required to confirm the identity of the person so that their face picture is associated with the name or even a photograph of their face with an identification document (ID card, passport, or driver's license) so that the identification document on the "selfie" is readable (both human-readable, not blurry, and machine-readable with AI-powered OCR). The practice of taking selfies with a passport as one of the identification confirmation steps in different web apps related to virtual currency markets (like Bitcoin and similar) is quite usual.

The question remains how do those market players guarantee that they are disposing of the data that they no longer process and is that a time bomb for personal data breaches?

Online banks or FinTech companies have a quite common and adopted step in the direct identity confirmation process that consists of transferring a small sum of money (e.g. 1,00 EUR or 1,00 USD) coupled with a reference code unique to a specific new customer in the remittance order. That small sum confirms to the online banks that a person with first and last name is indeed the owner of the specific bank account. FinTech companies leverage the fact that traditional brick and mortar banks have personally checked the identification documents and the photo of that specific person.

Confirming the full name of a person and bank account number has become the ordinary practice in the proliferating FinTech industry even though online banks and FinTech companies are still burying the privacy policies in the small print that many of their users don't read nor do they have the practice to report back to their users when they dispose of personal data they don't need anymore.

Direct identification uses composite identifiers that are clearly about individuals, and those identifiers:

• • describe the individual by common attributes (first name, last name, street, number, postal code, city name, country, parents names, social security number, email, mobile phone number, profession, work experience, etc.) or
  • distinguish the individual from a group with special, distinguishable, rare, or sensitive attributes (height, weight, eye color, hair color, health-related information, marital status, a politically exposed person, high net worth individual, tattoed, pierced, member of a protected class or a minority, health information, sex-life-related information, sexual orientation, biometric data, physical, physiological, genetic, mental, economic, cultural or social identity, etc.) or
  • describe many aspects of a context (link type: employment, membership in a gym, membership in a political party, a customer of telecom service, a student at university, patient in a clinic, etc...)

This blog post is made available by the author who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only as well as to present views of the author on how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details) nor does it constitute a