Indirect identification of an individual using personal data

Author: Dario Alfirević
Published on: 09.09.2020.

Most often the indirect identification is quite intuitive, but sometimes it can get counterintuitive, especially in the beginnings of managing personal data. Blog post Identification of an individual using personal data will make you think about the basics of identification of a private person using personal data and lay all topics you need to think about when you're managing identifiability or identification.

A person is indirectly identified by an alphanumeric simple identifier, usually assigned by an entity of high authority (government bodies, banks, telecoms), and identifiers they issue are social security numbers, telephone numbers, bank account numbers, and similar identifiers. Those simple identifiers can identify or make identifiable a natural person by narrowing down the group to which the person belongs. However, data from those kinds of sources is not perfect and not always reliable - it is a common thing that a parent registers a mobile phone for their children, that siblings do that between them, that person uses more than one bank, that children use their parent's credit cards, that spouses use each other debit cards. Those situations listed before are making noise in the data and make it less reliable than social security number (or any other government-issued personal identification numbers, codes, or designations)

if the information at hand is not enough to identify them, but available data has to be used in conjunction with other information that one is able and is allowed to reasonably and legally access from a third party or a different source by providing available personal data to get additional personal data that identifies a specific individual.

The examples of simple identifiers are listed in bullet points below:

  • car registration number - police has a registry of registration numbers linked to car owners, so the Police can identify a specific person (car owner), but will not do without a proper legal basis (purpose of data processing, e.g. car accident)
  • social security number is unique for every individual in the country and is issued by tax or other authorities - one can request the issuing authority and other personal data of a specific person referenced by a social security number
  • passport number, ID card number, drivers license number, or any other identification issued by the government -  police has a registry of identification documents and their holders
  • bank account number in IBAN format issued by the bank - one can request the bank and other personal data of a specific person referenced by IBAN
  • telephone number issued by a telecommunication service provider - one can request from the telephone company personal data of a specific person referenced by a specific unique phone number
  • entering and alphanumeric code delivered to the person by SMS by the data controller that requires the individual to confirm their identity, where the expires fast (in minutes)
  • using bank mobile tokens (used for signing bank transactions on desktop computers), mobile apps that generate key-value pairs for authentication where the key is a constant identifying the device and indirectly the user and a random number (verifiable key-value) is generated just after the correct PIN is entered, or a 2D barcode is scanned following by entering correct PIN number on the web app or even security question is asked. Those m-tokens are integrated with an application requiring a high level of trust in indirect identity confirmation by a third party practically granting that if the authentication process is successful that it was the expected specific person who authenticated. It is becoming more and more popular that all PIN numbers are 6 instead of 4 digits long and they are entered on a keyboard resembling a phone dial pad, but every time showing different order of numbers, making it harder for abusers to read
  • using 2-factor authentication with third-party products, like Google Authenticator or Microsoft Authenticator who generate 8 digit numeric code every second and that code identifies the smartphone and consequently increasing the likelihood that a specific person is trying to authenticate
  • slowly introducing qualified digital signatures with qualified time stamp issued by local authorities (in each EU member state) and especially those that earned to be listed on national eIDAS Trusted Lists and the EU List of eIDAS Trusted Lists (companies listed are mostly specialized in digital identity management, banks, financial institutions, national postal operators, ministries and other governmental bodies, like government agencies focused on finances, commerce, and defense) 

Indirect identification also includes consulting publicly or freely available sources for many data types:

  • online phone books (e.g. it is possible to search for the name, address, and a city for a phone number and the other way around)
  • social networks (e.g. Facebook had a feature that if a mobile phone is typed into a search field the search result would be a Facebook profile)
  • news articles (e.g. search online for political views on certain topics, religious views, sports affiliations of a certain businessman to prepare for a meeting and use that information as a negotiation tool)
  • blogs of certain authors (e.g. to find out their position about a certain topic or an experience in a certain field, social network profiles, etc.)
  • other publicly available online sources (e.g. when performing due diligence on a potential employee going through the results of search engines)

If some original data (or data set) cannot be used to identify a specific person or make them identifiable, but when it's used with other data, original data should be considered as personal data and is subject to GDPR and all the protection that it warrants to the data subject and all obligations that it imposes to the data controller and data processor.

Make no mistake, asking a third party to provide additional personal data by providing them with some personal data is a processing activity.

Transfering a small sum of money (e.g. 1,00 EUR or 1,00 USD) coupled with a reference code unique to a specific person entered into a bank transfer order when executing the initial small transfer to the online bank is a common step in the indirect identity confirmation process.

This blog post is made available by the author who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only as well to present views of the author how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details) nor does it constitute a promise. Photos: Pexels.com

Tags: GDPR identity confirmation indirect identification
Cookie settings