Spirion AnyFind and Common Custom Data Types Defined

Overview

Spirion AnyFind™ Data Types are provided by Spirion Sensitive Data Platform by default.

• These data types are found on the Data Types page (Settings > Global Data Types), on the tab SPIRION DATA TYPES (ANYFINDS).
• AnyFinds include Social Security number, credit card number, and phone number

Custom data types are created by users with Administrator rights,

• These data types are found on the Data Types page (Settings > Global Data Types), tab "CUSTOM DATA TYPES."
• Custom data types include ABN, IMEI, and ICCID

ABN

Custom data type. This data type must be created by you, the user.

Australian Business Number, a unique 11-digit identifier for businesses in Australia for government, tax, and business dealings.

• The ABN is an 11-digit number where the first 2 digits are a checksum.
• • Unlike with the tax file number (TFN), the ATO has publicised the formula for checking and creating valid ABN checksums.
  • The nature of the ABN algorithm means that any 9-digit number can be made into a valid ABN.
• Australian ABN identifies entities like sole traders, companies, and non-profits for tax (GST), invoicing, and grants.
• Purpose: A unique identifier for businesses dealing with the Australian government and other businesses, helping verify identity and avoid PAYG tax.
• Who needs it: Most Australian businesses, including sole traders, companies, and partnerships.
• Uses: Invoicing, claiming GST credits, applying for grants, setting up an Australian domain name, and identifying your business.

CCPA

Custom data type. This data type must be created by you, the user.

The California Consumer Privacy Act (CCPA), effective since 2020 and amended by the CPRA, grants California residents significant control over their personal data, including the rights to know, delete, correct, and opt-out of the sale or sharing of their information. It applies to for-profit businesses meeting specific, high-volume data or revenue thresholds.

Key Aspects of the CCPA:

• Consumer Rights: Residents can request to see what information a business has collected, delete that information, opt-out of data sales/sharing (including targeted advertising), and receive equal service/pricing even if they exercise these rights.
• Business Requirements: Covered businesses must update privacy policies, implement methods for submitting consumer requests, and provide a clear "Do Not Sell or Share My Personal Information" link.
• Penalties & Enforcement: The California Privacy Protection Agency (CPPA) and state Attorney General enforce the law, with fines up to per unintentional violation and per intentional violation.
• Recent Changes: The CCPA was significantly expanded by the California Privacy Rights Act (CPRA), which added rights regarding sensitive personal information and corrected information. 

The CCPA applies to businesses that do business in California and meet one of the following:

• Have an annual gross revenue over 1 million USD.
• Buy/sell/share the personal information of 100,000 or more California residents/households.
• Derive 50% or more of their revenue from selling/sharing personal information. 

Canada Social Insurance Numbers (SIN)

Spirion data type (AnyFind). This data type is provided by default.

• A Social Insurance Number (SIN) is a unique 9-digit number used by the Canadian government to identify individuals for tax purposes and to administer national programs. It is essential for anyone who wants to work legally in Canada or access government benefits. 
• Employment: A SIN must be provided to an employer within 3 days of starting a job so they can report your income and taxes.
• Taxes: The Canada Revenue Agency (CRA) uses a person's SIN to identify them when they file annual income taxes.
• Benefits: A SIN is required to receive payments from government programs like the Canada Pension Plan (CPP), Employment Insurance (EI), and the Canada Child Benefit. 
• Canadian Citizens and Permanent Residents are issued a permanent SIN that does not expire.
• Temporary Residents: International students and foreign workers are issued a temporary SIN beginning with the number "9". These numbers have an expiry date, usually matching the individual's work or study permit.
• Social Insurance Numbers are used in Canada and can be used to open credit cards and bank accounts on your behalf, so searching for this Data Type is of critical importance to prevent identity theft.

Credit Card Numbers

Spirion data type (AnyFind). This data type is provided by default.

• A credit card number is a unique identifier (typically 13-19 digits) on your card
• The number is composed of sections identifying the industry, issuer, and your account
• The final digit acts as a checksum for validity, essential for transactions but requiring careful protection from fraud.
• Credit card numbers can be used to make unauthorized purchases on your behalf.

Structure of a Credit Card Number

• First Digit (MII): The first number starts with a 3, 4, 5, or 6.
• • This first number is called the major industry identifier (MII) number, and it shows the primary industry associated with the card or card issuer
  • • Example: 4 for Visa, 5 for MasterCard, 6 for Discover
  • Numbers 3 through 6 represent the MIIs most used by the majority of personal credit card issuers.
  • Other MII examples:
  • • 1 - Designates an air travel and financial services issuer
    • 7 - Primarily used for cards issued in the petroleum industry
• 2nd through 6th Digits - Issuer Identification Number (IIN/BIN): The next 5-digit set of numbers is called the issuer identification number (IIN) or the bank identification number (BIN).
• • These numbers refer to the credit card company that issued the card, and also identified which payment network the card belongs to.
• 7th through 14th or 15th Digits: This section immediately follows the IIN.
• • The individual account number is assigned by the card issuer and is unique to each credit card account.
  • Your account number and card number aren’t the same.
  • While the MII and IIN let merchants know what institution the money is coming from, this section can tell them which accounts may be charged.
• Checksum Digit: The very last digit is a calculated number to verify the card's authenticity. 

Security & Protection

• CVV/CVC: The 3 or 4-digit security code (usually on the back) is needed for online/phone purchases, says Lloyds Bank and American Express. 
• Passwords: Passwords can be used to authenticate you online.
• Bank Account Numbers: Can be used to gain access to your financial information and conduct transactions on your behalf.

CUI

Custom data type. This data type must be created by you, the user.

Controlled Unclassified Information (CUI) is sensitive, non-classified federal information requiring safeguarding or dissemination controls. Established by Executive Order 13556, CUI ensures consistent handling of sensitive data across government agencies and contractors. It covers diverse categories, such as PII, intellectual property, and technical data, often subject to DFARS 7012. 

Key details about CUI include:

• Purpose: Standardizes how sensitive information is marked, handled, and protected to prevent unauthorized disclosure, without reaching the level of classified national security information.
• Categories: Covers areas including Critical Infrastructure, Defense, Financial, Intelligence, Law Enforcement, and Controlled Technical Information.
• Applicability: Applies to government employees and contractors, universities, or private entities holding such data on behalf of the government.
• Marking: CUI is marked to inform holders that it requires special handling, typically with a "CUI" header and specific category indicators.
• Compliance: Controlled by regulations like 32 CFR Part 2002 and often requires compliance with NIST SP 800-171 for security controls. 

Examples include Personally Identifiable Information (PII), Protected Health Information (PHI), and attorney-client privileged information. 

Driver Licenses

Spirion data type (AnyFind). This data type is provided by default.

• A U.S. driver's license, issued by each state's DMV, is required to drive, with requirements varying by state but generally including proving identity (birth certificate, passport), residency (utility bill), and legal presence (for non-citizens). 
• The process involves passing vision, written (knowledge), and on-road (skills) tests, plus paying fees, with most people getting a standard Class D license for personal vehicles.  
• Commonly used as a way to identify who you are.
• Driver license formats vary by U.S. state
• • For more information about formats by state, see NTSI Driver's License Formats

Dates of Birth

Spirion data type (AnyFind). This data type is provided by default.

• A person's "date of birth" (or birthdate) is simply the specific day, month, and year they were born, a key piece of personal information used on forms, documents, and for age verification, usually written as MM/DD/YYYY (United States) or DD/MM/YYYY (most other places). 
• Recorded on birth certificates. 
• Commonly used as a way to authenticate a person over the phone as companies typically ask you to confirm you are who you say by stating your Date of Birth.
• Found in passports, driver's licenses, and old family records. 
• Format: Most commonly Month/Day/Year (example: 01/15/1990 in the United States) or Day/Month/Year (example: 15/01/1990). 
• Usage: Essential for official records, IDs, banking, and healthcare. 

E-Mail Addresses

Spirion data type (AnyFind). This data type is provided by default.

• An email address is a unique digital identifier (like username@domain.com) used for sending and receiving electronic messages
• Consists of a local part (username), the @ symbol, and a domain name that points to the mail server
• Essential for online communication, account creation, and services. 
• When entering a unique E-Mail Address, it must be entered as no more than 100 letters, numbers, dashes, periods, or underscores, but without any other characters.
• One '@' character is required.

ePHI

Custom data type. This data type must be created by you, the user.

Electronic Health Information.

Electronic Protected Health Information (ePHI) is any identifiable health data (treatment, payment, or condition) created, stored, or transmitted in digital format, such as EHRs, images, or emails. Under HIPAA, it requires strict administrative, physical, and technical safeguards like encryption to ensure security, confidentiality, and integrity. 

Key Aspects of ePHI

• Definition & Scope: ePHI is a subset of Protected Health Information (PHI). While PHI can be paper or electronic, ePHI specifically refers to data in electronic media.
• Examples: Electronic health records (EHRs), digital lab results, X-rays, MRIs, and billing information.
• Security Requirements: The HIPAA Security Rule requires safeguarding this data, as it is easily copied and transmitted, posing higher breach risks.
• Protection Measures: Implementing encryption for data at rest and in motion, using secure messaging, and restricting access to authorized users.
• Violations & Penalties: Unauthorized access, such as via cyberattacks, leads to breaches. Violations can result in significant financial penalties, including fines up to $1.9 million per year depending on the level of negligence. 

Health Information

Spirion data type (AnyFind). This data type is provided by default. Other health information data types, such as MRN, are custom data types and must be created by you, the user.

• There are many regulations about Health Information that must be complied with. See below. Also see "ePHI," above.

Medical Record Number (MRN)

• A Medical Record Number (MRN) is a unique identifier assigned by a healthcare facility or hospital system to track a patient’s health information over time. It serves as a permanent internal code that links all of an individual's medical history, treatments, and laboratory results within that specific organization.
• Organization-Specific: Most patients have different MRNs for different hospital systems (example: 1 for Inova and another for Sentara), as there is currently no universal national medical ID in the U.S..
• Permanent: Unlike a visit or "encounter" number, which changes every time you see a doctor, an MRN remains the same for your entire life within that healthcare network.
• Privacy Protected: Under HIPAA, an MRN is considered Protected Health Information (PHI) and is used in place of names or Social Security numbers to reduce the risk of identity theft and data breaches. 
• Discharge Papers: MRNs can be found at the top or bottom corner of visit summaries, lab orders, or hospital discharge instructions.
• Wristbands: If currently admitted, the number is printed on your hospital identification band.
• Insurance Cards: Some integrated systems, such as Kaiser Permanente, print the MRN directly on the front of the member ID card. 

DEA Number (Drug Enforcement Administration Registration Number)

• Other health information may include a DEA Number (Drug Enforcement Administration Registration Number) which is a unique identifier assigned to healthcare providers and facilities that allows them to legally prescribe, dispense, or administer controlled substances. 
• Unlike a personal address or SIN, a DEA number is not assigned to patients. It is only issued to the following 3 entities: 
• • Individual Practitioners: Physicians (MD/DO), dentists, nurse practitioners, physician assistants, veterinarians, and optometrists.
  • Facilities: Hospitals, clinics, pharmacies, and manufacturers.
  • Mid-level Practitioners: Assigned with a first letter of "M" to distinguish them from high-level practitioners (typically "A", "B", "F", or "G"). 
• In Medical Records
• • Prescription Authentication: Pharmacists use the DEA number to verify that a provider has the legal authority to order controlled medications (like narcotics or sedatives).
  • Tracking and Monitoring: It enables the DEA to track prescribing patterns and identify potential fraud, misuse, or drug diversion.
  • Record Retention: Providers must maintain thorough records of all controlled substance transactions associated with their DEA number for at least 2 years. 
• Structure of DEA Number
• • A valid DEA number always follows a specific 9-character format:
  • • 1st Letter: Identifies the type of registrant (example: Characters A/B/F/G for doctors, M for mid-level).
    • 2nd Letter: Usually the first letter of the provider's last name (or "9" for businesses).
    • 7 Digits: A unique sequence where the last digit is a "check digit" calculated through a specific mathematical formula to prevent errors or forgery.

National Provider Identifier (NPI)

• Other health information may include an NPI. A National Provider Identifier (NPI) is a unique 10-digit identification number issued to healthcare providers in the United States.
• Established by HIPAA, it serves as a universal standard to identify individual clinicians and healthcare organizations in all administrative and financial transactions, such as billing insurance. 
• Universal & Permanent: An NPI replaces all "legacy" identifiers previously assigned by different insurance plans. It stays with a provider for their entire career, regardless of changes to their name, specialty, or practice location.
• "Intelligence-Free": The number does not contain coded information about the provider, such as their state of practice or medical specialty.
• Public Record: NPI numbers are not private. They are listed in a public database for verification by patients, pharmacies, and other providers. 
• Two Types of NPIs:
• • Type 1 (Individual): For sole practitioners, such as physicians, dentists, nurse practitioners, and physical therapists.
  • Type 2 (Organization): For healthcare entities, including hospitals, clinics, group practices, pharmacies, and laboratories. 
• Uses:
• • Billing & Claims: Providers must have an NPI to submit electronic claims to any health plan, including Medicare and Medicaid.
  • Prescriptions: Pharmacists use NPIs to identify the prescriber on a prescription. While a DEA number is required for controlled substances, an NPI is the standard identifier for all other medications.
  • Referrals: When a doctor refers you to a specialist, they use the specialist's NPI to ensure medical records and billing are correctly linked. 

ICCID

Custom data type. This data type must be created by you, the user.

An ICCID (Integrated Circuit Card Identifier) is a unique serial number for your SIM card (or eSIM) that identifies it to the mobile network, acting like a digital fingerprint.

• Typically 19-20 digits long and found on the card or in device settings.
• Used for network authentication and SIM management. 
• It is distinct from your phone number (MSISDN) or device ID (IMEI) and helps carriers manage services, track devices, and troubleshoot issues.  
• Format: ITU-T E.118 standard format, starting with '89' (telecoms), followed by the country code (CC), issuer identifier (II/MNC), the unique SIM number (Account ID), and ending with a Luhn algorithm-calculated check digit for error detection, identifying the card and carrier.
• • ICCID Format Breakdown:
  • • 89 (MII - Major Industry Identifier): 
      The first 2 digits always signify it's a telecommunications card (like a SIM).
    • CC (Country Code): 
      Next 2 or 3 digits identify the country where the SIM was issued (for example, 310 for the USA).
    • II (Issuer Identifier/MNC): 
      1 to 4 digits identifying the specific mobile network operator (for example, AT&T, Verizon).
    • IAIN (Individual Account Identification Number): 
      A unique sequence of digits identifying the specific SIM card account.
    • C (Check Digit): 
      The final digit, calculated using the Luhn algorithm, validates the number for accuracy. 
  • Example: 8931021000000381209
  • • 89: Telecoms, 310: USA, 210: Telnyx (Issuer), 00000038120: Unique SIM Identifier, and 9: Check Digit.

What it's used for:

• Identification & Authentication: Mobile networks use it to recognize and verify your SIM card.
• SIM Management: Operators use it to track, provision, and troubleshoot SIMs, especially for IoT devices.
• Service Activation: Helps activate services and link them to the correct chip.

IMEI

International Mobile Equipment Identity (IMEI) is a unique 15-digit number identifying GSM, WCDMA, and iDEN mobile phones, acting as a device "fingerprint" to track stolen or unauthorized devices. It differs from a serial number, allowing carriers to block devices, and is found by dialing *#06#, in settings, or on the SIM tray/battery compartment. 

• Function: Enables tracking and blocking of lost or stolen devices, and verifies device authenticity/compatibility, particularly for used phones.
• Format: The IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 decimal digits: 14 digits plus 2 software version digits) includes information on the origin, model, and serial number of the device.
• • As of 2004, the format of the IMEI is AA-BBBBBB-CCCCCC-D, although it may not always be displayed this way.
  • The IMEISV does not have the Luhn check digit but instead has 2 digits for the Software Version Number (SVN), making the format AA-BBBBBB-CCCCCC-EE
  • The structure of the IMEI/SV is specified in 3GPP TS 23.003.
  • The model and origin comprise the initial 8-digit portion of the IMEI/SV, known as the Type Allocation Code (TAC).
  • The remainder of the IMEI is manufacturer-defined, with a Luhn check digit at the end.
  • For the IMEI format prior to 2003, the GSMA guideline was to have this Check Digit always transmitted to the network as zero.
  • This guideline seems to have disappeared for the format valid from 2003 onwards.

Commonly Associated Information

• Dual SIM: Devices with multiple SIM cards may have multiple IMEI numbers.
• Distinction: It is distinct from the manufacturer's serial number.
• Industry Standard: It is utilized by carriers worldwide to identify devices on cellular networks. 

Personal Addresses

Spirion data type (AnyFind). This data type is provided by default.

• A personal address (often called a residential or home address) is the specific geographic location where an individual or family lives.
• A personal address is not necessarily the same as a mailing address, business address, or legal address. It serves as a primary point of contact for personal correspondence, legal identification, and accessing essential services. 
• Standard Format: In the U.S., it typically includes the recipient’s name, house/apartment number, street name, city, state, and ZIP code.
• Legal Identity: It is the official "home of record" used on government documents like driver's licenses, passports, and voter registrations.
• A permanent personal address is considered a long-term residence, distinguishing it from temporary or vacation addresses. 

Common Uses

• Official Documentation: Required for tax records, vehicle registration, and background checks.
• Utility Services: Used to activate electricity, water, and internet services.
• Financial: Can be used to open credit card accounts and bank accounts on your behalf.

Passport Numbers

Spirion data type (AnyFind). This data type is provided by default.

• A passport number is a unique alphanumeric code identifying your specific travel document, found on the photo page (usually top right) and often the back cover, used for travel, visas, and identity verification; it changes with each new passport issued, unlike a national ID. 
• Structure: U.S. passports now use a letter followed by 8 numbers, while formats vary by country. 
• • A passport is a travel document that certifies the identity and nationality of its holder.
  • Most passports contain information such as name, place and date of birth, photograph, signature, and other relevant identifying information.

PII

Custom data type. This data type must be created by you, the user.

Personally Identifiable Information. See PII

Social Security Numbers

Spirion data type (AnyFind). This data type is provided by default.

• A US Social Security Number (SSN) is a unique, 9-digit number issued by the Social Security Administration (SSA) to citizens, permanent residents, and eligible temporary workers for tracking earnings, benefits, and taxes, effectively acting as a primary national ID for work, finance, and government services, applied for using Form SS-5.
• A security and privacy risk because Social Security numbers can be used to open credit card accounts and bank accounts on someone's behalf.
• Format: A Social Security Number (SSN) is a unique 9-digit number formatted as AAA-GG-SSSS, where AAA is the Area Number (first 3 digits), GG is the Group Number (middle 2 digits), and SSSS is the Serial Number (last 4 digits). 
• • While the format is fixed, the actual digits were historically assigned geographically, but since 2011, the Social Security Administration (SSA) assigns them randomly, so the old structure (area, group, serial) no longer holds meaning for newer numbers.
• SSN Format Breakdown
• • Area Number (AAA): The first 3 digits, generally reflecting the state where the card was issued (historically from northeast to west), but now centrally assigned by the SSA.
  • Group Number (GG): The middle 2 digits, used to manage the issuance sequence within an area.
  • Serial Number (SSSS): The final 4 digits, assigned sequentially within each group.

Telephone Numbers

Spirion data type (AnyFind). This data type is provided by default.

• A telephone number is a sequence of digits used as an address for a telecommunication endpoint, such as a phone.
• Often used to confirm identity, such as sending an SMS message to the phone number on file.

United Kingdom National Insurance Numbers (NINO)

Spirion data type (AnyFind). This data type is provided by default.

• A National Insurance number is a unique identifier used in the United Kingdom to record your taxes and National Insurance contributions. It ensures these payments are credited to your personal record, which determines your eligibility for the State Pension and other benefits.
• National Insurance Numbers can be used to open credit cards and bank accounts on your behalf, so searching for this Data Type is of critical importance to prevent identity theft.
• Format: National Insurance numbers consist of 2 letters, 6 numbers, and a final letter (example: QQ 12 34 56 A).
• Duration: The number stays the same for your entire life, even if you move abroad and return.
• Not ID: While unique, National Insurance numbers are not a form of legal identification and does not prove your right to work in the UK. 
• Employment: Employers require a National Insurance number to process payroll and deduct taxes correctly.
• Government Benefits: Necessary to claim Universal Credit, Jobseeker’s Allowance, or maternity allowance.
• Financial Services: A National Insurance number is required for opening an Individual Savings Account (ISA) or applying for a student loan.
• Voting: Used to verify your identity when registering to vote. 
• Automatic Issuance: UK residents are usually issued their National Insurance number automatically 3 months before their 16th birthday if their parents claimed Child Benefit for them.

United Kingdom National Health Service Numbers (NHS)

Spirion data type (AnyFind). This data type is provided by default.

• The National Health Service (NHS) Number is a unique 10-digit identifier for individuals in England, Wales, and the Isle of Man, used to access healthcare;
• Found on official letters, prescriptions, test results, or by contacting your GP or using the online service,
• National Health Service Numbers are used in the United Kingdom and can be used to open credit cards and bank accounts on your behalf, so searching for this Data Type is of critical importance to prevent identity theft.

Australia Tax File Numbers (TFN)

Spirion data type (AnyFind). This data type is provided by default.

• An Australian Tax File Number (TFN) is a unique, personal reference number in the Australian tax and superannuation systems
• An Australian Tax File Number (TFN) is a unique, 9-digit number
• The number is issued by the Australian Taxation Office (ATO).
• Recipients keep their Tax File Number for life, even if they change jobs, name, or move overseas.
• Tax File Numbers can be used to open credit cards and bank accounts on someone's behalf, so searching for this Data Type is of critical importance to prevent identity theft.