The blinding identity taxonomy initiative

Paul Knowles, Thu 06 September 2018

The release of the Blinding Identity Taxonomy (BIT) Initiative on September 9th aims to provide much-needed common standards to help protect the privacy of personally identifiable information (PII) about people, organizations, or things. At Dativa, we believe this initiative puts the storing and use of data on a more secure footing. BIT classifies 46 different PII elements (see the list below) which require cryptographic encoding to prevent the identification of individuals and any information associated with them. Some of these elements can directly identify individuals, such as a name, physical address or bank account details, and some of them can do so indirectly, such as a photo, IP address or cookie browser identifier.

While this initiative addresses some of the fundamental demands of the EU's new GDPR regulation on the storage of data, we believe the BIT initiative is relevant to all companies and not merely those which store data about EU citizens. Barely a week goes by without some new story appearing about a data breach after some criminals have hacked into a database and extracted PII data which they can then use in ways which negatively impact on those about whom the company has stored data. On the other hand, with BIT in place, the now encrypted data which the thieves have will contain none of the valuable PII data the hackers are desperate to obtain. Not all data require encryption, and BIT identifies which data require a cryptographic process and which do not. While any data breach is serious, if customers lose out, as occurred in a recent British Airways data breach, not only will they require compensation, they are also much less likely ever to trust the company or purchase its products or services again.

The essence of the BIT initiative is in the 46 elements, which require encryption when they are stored in databases, regardless of whether these are in the cloud, on local servers or anywhere else. At Dativa we counsel a minimalist approach when it comes to data storage, meaning the inclusion of any data for storage should be justified according to their business value. Some data, such as a date of birth, has little value to criminals unless associated with other pieces of PII data. However, BIT advises caution, and it is always better to flag data for encryption if there is any doubt about its value in a data breach. BIT also recommends that all free-form and unstructured data (the last element) undergo encryption, as it is impossible to know whether the data contains valuable PII or not. We strongly recommend that all data science teams use the BIT checklist and ensure that no PII data escapes encryption.

  • Names (incl. First Names, Last Names, Full Names, Entity Names)
  • Physical Addresses
  • E-mail Addresses
  • Telephone Numbers
  • Postal Codes
  • Personal Software Application Handles (e.g. Skype, Slack, Hyperledger Chat, etc.)
  • Profile Pages
  • Passport Numbers
  • Social Security Numbers
  • National Insurance Numbers
  • Driving License Numbers
  • Vehicle Registration Numbers
  • Bank Account Numbers
  • Credit (or Debit) Card Numbers
  • Personal Identification Numbers (PIN)
  • Self-sovereign Key Identifiers
  • Decentralised Identifiers (DIDs)
  • Employee Identifiers
  • Account Identifiers
  • Governmental Identifiers
  • Membership Identifiers (e.g. Trade Union Membership, etc.)
  • Institutional Identifiers (e.g. Private Health Care Identifiers, etc.)
  • Case Identifiers (e.g. Case ID Numbers, Benefit Plan Participation Identifiers, etc.)
  • User Identifiers (e.g. User IDs, Logins, etc.)
  • Passwords
  • Signatures
  • Digital Certificates
  • Photos
  • Videos
  • Images
  • Vocal Sound Bites
  • Dates and timestamps (e.g. Date of Birth, transaction dates, etc.) *
  • Genetic Identifiers (incl. chromosomal, deoxyribonucleic acid (DNA) and ribonucleic acid (RNA) data)
  • Biometric Identifiers (incl. voiceprints, iris scans, facial imaging and dactyloscopic (fingerprint) data)
  • Internet Protocol (IP) Addresses
  • Media Access Control (MAC) Addresses
  • Service Set Identifiers (SSID) (incl. local WiFi SSIDs)
  • Bluetooth Device Addresses (BD_ADDR)
  • GPS Locational Information
  • Cookie Browser Identifiers
  • Radio Frequency Identifiers
  • IoT Identifiers (incl. smart meter data)
  • International Mobile Equipment Identity (IMEI)
  • International Mobile Subscriber Identity (IMSI)
  • Social media interactive elements, posts and comments (incl. likes, emojis and polling results)
  • Free-Form Text Fields / Unstructured Data **


* Note: Not all captured dates will reveal identity, but some will, so if in doubt, encrypt.

** Definition: Text which does not have a given structure, nor which is entered in any specific format. Note: All free-form text fields should be encrypted.
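
One way to run the checklist above against a database schema, as an added example that is not from the original article or the BIT initiative: column names are matched to a subset of the listed elements, free-form column types are always flagged, and every flagged column not marked as encrypted is reported. The name patterns, `FREE_FORM_TYPES` and the sample schema are assumptions constructed for illustration.

```python
import re

# Name patterns are assumptions for this example; the labels are BIT elements.
BIT_PATTERNS = [
    (r"(^|_)name$", "Names"),
    (r"e?mail", "E-mail Addresses"),
    (r"post(al)?_?code|zip", "Postal Codes"),
    (r"passw(or)?d", "Passwords"),
    (r"(^|_)ip(_|$)", "Internet Protocol (IP) Addresses"),
    (r"user_?id|login", "User Identifiers"),
    (r"dob|birth|(_at|_date|timestamp)$", "Dates and timestamps"),
]
FREE_FORM_TYPES = {"text", "clob", "json", "blob"}  # assumed type names

def classify(name, sql_type):
    """Return the BIT element a column falls under, or None."""
    lowered = name.lower()
    for pattern, element in BIT_PATTERNS:
        if re.search(pattern, lowered):
            return element
    # Free-form fields are flagged whatever they are called (note ** above).
    if sql_type.lower() in FREE_FORM_TYPES:
        return "Free-Form Text Fields / Unstructured Data"
    return None

def audit(schema):
    """List (table.column, element) for BIT columns stored unencrypted."""
    findings = []
    for table, columns in schema.items():
        for name, sql_type, encrypted in columns:
            element = classify(name, sql_type)
            if element and not encrypted:
                findings.append((f"{table}.{name}", element))
    return findings

# Constructed sample schema: (column, type, encrypted at rest?)
SAMPLE_SCHEMA = {
    "customers": [
        ("customer_name", "varchar", True),
        ("email", "varchar", False),
        ("date_of_birth", "date", False),
        ("loyalty_tier", "varchar", False),
        ("support_notes", "text", False),
    ],
    "sessions": [
        ("client_ip", "varchar", False),
        ("created_at", "timestamp", True),
    ],
}
print(audit(SAMPLE_SCHEMA))
```

Name matching only catches columns that are labelled honestly, so a column the patterns miss still needs a manual pass against the full list.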
