What are the three categories of identifiers in data protection, and what are examples of each?
The three categories are: (1) identifiers that directly identify a person, (2) quasi-identifiers that can identify when combined, and (3) sensitive attributes that reveal protected characteristics.
* The three identifier categories — direct identifiers, quasi-identifiers, and sensitive attributes. *
The three categories:
| Category | Definition | Examples |
|---|---|---|
| Identifiers | Directly identify a specific person | Name, SSN, email address, passport number |
| Quasi-identifiers | Don't identify alone, but can when combined | Date of birth, ZIP code, gender, profession |
| Sensitive attributes | Reveal protected personal characteristics | Medical diagnoses, salary, political views, religion |
Why this matters:
- Identifiers must be removed or replaced for anonymization
- Quasi-identifiers are the tricky ones — they seem harmless individually but are dangerous in combination
- Sensitive attributes are what attackers typically want to link back to a person
The critical insight: Most anonymization efforts focus on removing identifiers (names, SSNs), but forget that quasi-identifiers can be just as revealing. Latanya Sweeney's famous research showed that 87% of the US population can be uniquely identified by just three quasi-identifiers: date of birth + ZIP code + gender.
Go deeper:
Quasi-identifier (Wikipedia) — why combinable quasi-identifiers are the tricky middle category.