In this blog post, we examine the two types of Personal Identifiers: direct and quasi- (or indirect) identifiers, why we care about distinguishing them, and what challenges they pose regarding compliance with data privacy laws and regulations.
In short, both direct and quasi-identifiers refer to pieces of information that can be used to identify an individual, either by themselves or in combination with other readily available information. Both these types of data are protected under data privacy legislation with the goal of mitigating the risk of information about individuals being mishandled, leaked, and/or used for malicious purposes.
The main difference between those two personal identifiers is their usefulness for data analytics. Hence, the classification of data points as direct or indirect identifiers is mostly important when determining which ones to remove, to de-identify, or to disclose as they are.
While direct identifiers are more easily classified, quasi-identifiers can be a very wide range of data, because today’s technology is so powerful and so much data is publicly available that even seemingly innocuous data can be used to identify individuals.
Direct Identifiers
As the name suggests, direct personal identifiers are pieces of information that can be used to directly identify an individual. Examples of direct identifiers include:
- – Name
- – Social Security number
- – Email address
- – Credit card number
- – Medical record number
However, it is not required for a data point to be able on its own to uniquely identify an individual in order for it to be classified as a direct personal identifier This would be too much to ask as that definition would only include very few identifiers. It would, for example, exclude DNA (as there are identical twins) and social insurance numbers (also not unique!). More obviously, a common name such as John Smith may not be enough to pinpoint the John Smith to whom certain data relates. It may require additional information to distinguish him from another John Smith also in the data set. Nevertheless, names are direct identifiers.
Hence, in order to be classified as a direct personal identifier, the data point must either on its own or in combination with other readily available data be able to identify an individual. But there is a second characteristic of direct identifiers, namely their general uselessness for data analytics.
The motivation for disclosing data varies, of course, but often, the social or commercial utility of a data set can be maintained, at least to some degree, without disclosing direct personal identifiers. For example, research on the spread of diseases or work commutes can likely still generate important insights without the names of the study participants, as long as a part of the ZIP code is still available.
The combination of these two characteristics, ability to considerably narrow down the number of individuals to whom the data pertains and their limited utility for data analytics, means that direct personal identifiers should be removed from the data set before disclosure, replaced with a pseudonym, hashed, or encrypted.
Quasi-Identifiers
Quasi-identifiers, or indirect personal identifiers, too, are pieces of information that, when combined with other data, can identify an individual. Examples of quasi-identifiers include:
- – Date of birth
- – Gender
- – Zip code
- – Occupation
- – Medical diagnosis
- – Approximate location
What, then, distinguishes them from direct personal identifiers? While indirect personal identifiers generally do not narrow down the number of individuals to whom a data point may pertain to the same degree as direct identifiers, this is not a useful means to distinguish the two. For one, it depends on the size of the data set and the distinguishability of the variables captured in a data set whether a variable can directly identify an individual. Recall the example of the only blonde person in a data set. But what is perhaps more important is that with the right tools, seemingly innocuous data may be used, in the right combination, to uniquely identify a vast number of individuals. For example, a study has shown that “87% (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}.”
Quasi-identifiers are rather distinguished from direct personal identifiers by the fact that an adversary, i.e., someone who would attempt to re-identify individuals by means of a de-identified data set, is assumed to have background knowledge of the quasi-identifier. The adversaries could come at the data set from two perspectives: they either know an individual and are trying to figure out which data points in the set match the individual, or they pick a record from the data set and use other available information to determine to whom the records pertains.
There are lots of ways an adversary may have background knowledge of quasi-identifiers of an individual. Think of public registries, social media, and special personal knowledge. Background knowledge may also be obtained from other information about the individual that is contained in the same data set, e.g., a visual characteristic. As a result, the classification of indirect identifiers can be tricky, as the background knowledge of an adversary may be unknown.
Data Privacy Challenges Posed by Direct Personal Identifiers
Generally, direct personal identifiers in any given data set are easier to exhaustively classify than quasi-identifiers. Again, it depends on the context, but if we consider large data sets that are not easily manageable from a data privacy perspective, there are only so many data points in there that can, without anything further, identify a person.
However, even data such as SIN, phone, credit card number, or IP address can be difficult to identify automatically if the data set is unstructured and, in the case of large data sets, impossible to get humans to review the data tractably. Take a 10-digit phone number. Writing a logic governing all possible ways a phone number can be displayed in an effort to automate the detection of personal information would keep you busy for a while. Here are only a few options:
- – +1 423 555 6789
- – (+1) 423 555 6789
- – 423.555.6789
- – 423-555-6789
- – Four, two, three, five, five, five, six, seven, eight, nine
- – Four twenty-three, five fifty-fife, sixty-seven, eighty-nine
- – Can I have the first three digits of your phone number?
Sure, 423.
Thanks, now the next six digits, please.
555 6789.
It gets much more complicated when having to account for local particularities, such as the different number of digits in a phone number, or the addition of extensions.
Since a data set cannot be said to be de-identified while containing any identifying information, direct personal identifiers must always be either removed or carefully masked in some other way, i.e., by replacing them with synthetic data, or encrypting them.
Data Privacy Challenges Posed by Indirect Personal Identifiers
With indirect personal identifiers, or quasi-identifiers, the challenges get even harder. First, as discussed, it is context-dependent what constitutes a quasi-identifier, as it varies with the other information available to an adversary whether an individual can be identified via the prospective quasi-identifier.
Conceding to this reality, data protection laws protect both direct and indirect personal identifiers. For example, the GDPR defines personal information as
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Yet, since quasi-identifiers are the juicy bits in data sets that hold a lot of value for research and analytical purposes, there is a great interest in accessing this data. Not disclosing it would hence come at a great cost. In addition, non-disclosure may sometimes not be an option, as certain records are subject to public access rights.
There are several techniques available to de-identify quasi-identifiers in such a way that their value is retained while lowering the risk of re-identification and hence exposure of the individuals to whom the data pertains. These techniques make it possible for the data to be disclosed in a way that they are no longer considered to contain personal information that is likely able to identify an individual. For example, it may be sufficient from a data protection perspective to modify the variable ‘date of birth’ to instead display an age range. The age range may at the same time suffice for researchers to draw valuable insights from the data.
Conclusion
In order to do right by your customers and to comply with global privacy legislation, you have to protect direct as well as indirect personal identifiers. You have to do a good job at it, too, because data privacy laws have developed real teeth over the last few years (learn more about the cost of a data breach) and malicious actors have also been busy refining their cyber attack strategies.
However, we have seen that direct and indirect personal identifiers warrant different kinds of protection. While direct identifiers should be removed or masked, quasi-identifiers would ideally be de-identified in a manner that retains at least some of their value for data analytics.
If you’re looking for a solution to identify and remove direct and quasi-identifiers from your data, Private AI can help. With its ability to identify and classify more than 50 entities of Personally Identifiable Information (PII), Payment Card Industry (PCI) data, and Protected Health Information (PHI), Private AI is well equipped to help with the difficult task of achieving compliance with data privacy regulations. To see the tech in action, try our web demo, or request an API key to try it yourself on your own data.
