Ease of identification (EI)

Ease of identification (EI) evaluates how easy it will be for a party who has access to the set of data to unequivocally match them to a certain person.

For the purpose of this methodology we have defined four levels of EI (negligible, limited, significant and maximum) with a linear increase in score. The lowest score is given when the possibility of identifying the individual is negligible, meaning that it is extremely difficult to match the data to a particular person, but it could still be possible under certain conditions. The highest score is selected when identification is possible directly from the breached data, with no special research needed to discover the individual's identity. Annex 2 describes these levels in detail.

When defining EI, it should be taken into account that identification may be possible directly (e.g. on the basis of a given name) or indirectly (e.g. on the basis of an ID number) from the breached data, but may also depend on the specific context of the breach. Therefore, certain identifiers may lead to different EI scores according to the specific case of the breach.

In addition, when defining EI the controller should take into account all the means reasonably likely to be used by any person to identify the individuals. This includes information that is public, held or otherwise obtained, including over the Internet, as well as possible cross-matching with other sources that can be accessed by the data controller or a third party.

Last modified: Saturday, 20 February 2021, 10:38 PM