2. Background and Related Work
Automatic detection of personal data in texts is an increasingly important task as the volume of digital communication grows and data protection requirements become more stringent. Various methods can be applied to this task, including regular expressions, dictionary-based methods, transformer-based models, and context-aware models. However, the effectiveness of these methods depends strongly on the language in which the texts are written and may decrease when they are applied to low-resource languages. This section reviews relevant regulatory frameworks, methodological approaches, and existing tools and platforms for the automatic detection and classification of personal data.
2.1. International Standards and Frameworks
International standards and regulatory frameworks establish a methodological basis for the classification, processing, and protection of personal data. They define fundamental principles for information management, security, and privacy protection.
The most important regulatory document for the protection of personal data in the European Union is the General Data Protection Regulation (GDPR), which applies across the EU Member States [
1]. It defines personal data broadly and distinguishes special categories of personal data that require enhanced protection. The GDPR also requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of natural persons [
2]. However, the GDPR does not provide a formal scale for determining the sensitivity level of personal data. Instead, it establishes principles according to which organizations must assess risks and implement appropriate data protection measures. Similar regulations also exist in other jurisdictions, such as the California Consumer Privacy Act (CCPA) in California, USA [
3], and the Lei Geral de Proteção de Dados (LGPD) in Brazil [
4].
The ISO/IEC 27000 series of standards provides a framework for information security management. These standards do not define specific categories of personal data. Rather, they establish a methodological basis on which organizations can develop their own information classification schemes and protection processes. Three standards within this family are particularly relevant to the processing and protection of personal data:
ISO/IEC 27001 specifies requirements for the establishment, implementation, maintenance, and continual improvement of an information security management system (ISMS) [
5].
ISO/IEC 27002 provides guidance on information security controls, including the classification of information (public, internal, confidential, restricted) according to its sensitivity and importance to the organization [
6].
ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a privacy information management system (PIMS). It addresses the processing of personally identifiable information (PII), including the roles of PII controllers and PII processors, and can be aligned with an existing ISO/IEC 27001-based ISMS [
7].
In this paper, the term personal data is used in accordance with the GDPR. The term personally identifiable information (PII) is retained where it is used in the terminology of ISO/IEC standards or the documentation of specific technological tools.
2.2. Approaches and Methods for Personal-Data Classification and Detection
Under the GDPR, personal data are any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, by reference to information such as a name, an identification number, location data, or another identifying characteristic [
1].
Effective classification of personal data is based on a combination of legal principles, contextual analysis, and technical methods. Personal data classification commonly considers the following dimensions:
Distinguishing among general personal data, special categories of personal data, such as health or biometric data, and other potentially high-risk identifiers, such as personal identification numbers or financial identifiers;
Assessing the risks of disclosure and the possibility of identifying or re-identifying individuals;
Determining requirements for the storage and processing of personal data.
2.2.1. Classification of Personal Data
The classification of personal data is based on criteria that are largely determined by legal and regulatory frameworks, particularly the GDPR. This regulation establishes the principles of lawfulness, data minimization, and purpose limitation, requiring that personal data be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. These principles provide a basis for distinguishing data categories, determining their sensitivity, and assessing the risks of re-identification.
Research indicates that data classification in different jurisdictions is based on distinctions between general personal data, special categories of personal data, and other data types requiring enhanced protection. For example, Supriyadia et al. (2023) indicate that, in Indonesia, personal data include names, addresses, identification numbers, financial information, and medical information, which require differentiated approaches to their processing [
8]. Similarly, an analysis of legislation in the United Arab Emirates shows that the protection of electronic personal data is supported through storage requirements, access control mechanisms, and civil liability provisions [
9].
In the context of e-commerce, data classification is considered an essential prerequisite for ensuring user trust. This is especially important because online platforms process large volumes of data, including transactional, behavioral, and identification data, which require classification according to their sensitivity levels [
10].
Thus, regulatory documents provide the basis for classification schemes by determining which data require protection and which criteria should be considered in their processing. In general, personal data may be differentiated into general personal data, special categories of personal data, and other data types that may create elevated risks in a particular processing context. Depending on the application scenario, classification schemes may additionally distinguish categories such as identification, financial, medical, transactional, behavioral, and biometric data.
2.2.2. Risk-Based Assessment Methods
Risk-based approaches enable the assessment of the likelihood of unauthorized disclosure of personal data and its possible consequences. Several studies emphasize that personal-data classification should consider not only the type of data involved, but also the potential risks in the event of a data breach. For example, Utami et al. (2025) analyzed actual data breach cases in Indonesia and indicated that medical, financial, and biometric data require particularly strict protection because of their potential for misuse [
11]. The study identified medical, financial, biometric, and identity-card data as high-risk data categories. Potential consequences include fraud, identity theft, discrimination, and financial loss.
In international practice, risk-based approaches are also reflected in information security standards. Previous research has examined how the information security controls defined in ISO/IEC 27002 can be extended or adapted to support GDPR compliance, including the assessment of re-identification risks and the implementation of additional protection measures [
12]. In such an approach, data can be classified according to risk level, for example, as low, medium, or high risk, enabling potential threats to be associated with appropriate protection measures. Attention should be paid to the risk of re-identification, especially where special categories of personal data or other high-risk identifiers are processed. In such cases, risk assessment may indicate the need for additional technical and organizational measures, supporting a differentiated approach to the protection of different categories of information.
2.2.3. Named Entity Recognition (NER) for Personal-Data Detection
NER models are widely used automated methods for detecting entities that may represent personal data in texts. Multilingual transformer models, such as XLM-R, can identify entities including personal names, addresses, organization names, and geographic locations. Some of these entity categories, particularly personal names and addresses, may directly correspond to personal data, while others may contribute to the identification of an individual depending on the context. This makes NER a useful component of personal-data detection and anonymization systems [
13].
In some studies, NER models have also been applied to the detection of sensitive information in social media texts. For example, Erol et al. (2022) investigated the detection of disclosed personal health information in Turkish social media data and reported strong classification performance [
14]. In clinical contexts, hybrid NER approaches have also been used to extract clinical parameters from free-text medical records [
15].
2.2.4. Rule-Based and Regular-Expression Methods
Since some types of personal data have structured formats, such as telephone numbers, email addresses, Latvian personal identification numbers, IBANs, and payment card numbers, regular expressions are a useful method for their detection. By combining regular expressions with specialized dictionaries, structured patterns relevant to personal-data detection can be efficiently identified in large volumes of text [
16]. Krishnaram (2025) emphasizes the usefulness of regular expressions for data validation and information extraction, demonstrating their applicability to various structured data types [
17].
2.2.5. Context-Aware Approaches
In personal-data detection and classification, context is essential because the sensitivity and significance of a data element may depend on the semantic context in which it occurs. This is particularly important when classifying ambiguous data elements. Tahir et al. (2025) propose a context-aware model for recognizing personal data based on the analysis of situational factors and context graphs [
18]. This approach makes it possible to assess the risk associated with personal data according to their use: for example, a patient’s name linked to medical information may present a higher risk than an author’s name appearing in a published article. Context-aware approaches provide greater flexibility in classification and enable methods to be adapted to specific scenarios.
2.2.6. Summary
The reviewed approaches indicate that the classification and detection of personal data constitute a multidimensional process based on legal and regulatory frameworks, risk analysis, and technical methods. Regulatory frameworks, especially the GDPR, establish fundamental criteria for the processing and protection of personal data. Risk-based methods enable the assessment of potential consequences and the adjustment of protection measures according to the sensitivity and context of the data. Technical approaches, ranging from NER models to regular expressions and context-aware analysis, provide practical methods for automatic personal-data detection in various scenarios. Taken together, these findings support the use of a hybrid approach that combines NER-based detection, rule-based identification of structured identifiers, and context-sensitive assessment of detected personal data.
2.3. Overview of Existing Tools
A range of tools is available for the detection and classification of personal data, from enterprise cloud platforms to specialized open-source libraries.
2.3.1. Microsoft Purview
Microsoft Purview is an enterprise platform that supports data classification, information protection, and compliance management [
19]. It includes Sensitive Information Types (SITs), which are classifiers used to detect predefined categories of sensitive information, such as financial identifiers, government-issued identifiers, and personal identifiers. SITs may rely on pattern matching, supporting evidence, confidence levels, named-entity detection, or Exact Data Match (EDM), depending on the type of classifier used. Match confidence levels, such as low, medium, and high, make it possible to configure the reliability threshold required for a detected match. Microsoft Purview also supports trainable classifiers for identifying particular categories of content, as well as EDM-based SITs for detecting predefined exact values. The platform integrates with Data Loss Prevention (DLP) policies, automatic labeling mechanisms, and Microsoft 365 services, making it suitable for enterprise information-protection workflows.
2.3.2. Microsoft Presidio
Microsoft Presidio is an open-source framework for detecting and anonymizing personally identifiable information (PII) [
20]. It uses a hybrid approach in which recognizers can apply regular expressions, context rules, rule-based logic, and NER models to detect PII entities in unstructured text. Presidio includes an Analyzer component for detecting PII entities and an Anonymizer component for applying de-identification operations to detected entities. As an open-source and extensible framework, Presidio can be supplemented with custom recognizers and adapted to additional entity types or languages, including low-resource languages.
2.3.3. Google Cloud Sensitive Data Protection
Google Cloud Sensitive Data Protection uses information types, or infoTypes, to define the categories of sensitive information to be detected, such as names, email addresses, telephone numbers, identification numbers, and payment card numbers [
21]. Each infoType is associated with an infoType detector, which determines how instances of that information type are identified. The platform supports built-in and custom detectors, including regular-expression detectors, dictionary-based detectors, and context-based inspection rules. It can inspect large volumes of data and integrates with other Google Cloud services, making it suitable for organizations that process data within cloud-based infrastructures.
2.3.4. Amazon Macie
Amazon Macie is a data security service that automatically discovers sensitive data in objects stored in Amazon S3 [
22]. It uses machine learning and pattern matching to detect categories of sensitive data, including credentials, financial information, personal health information, and personally identifiable information. Macie provides managed data identifiers and supports custom data identifiers for detecting organization-specific patterns. Its automated sensitive-data discovery functionality continually evaluates S3 bucket inventories and analyses selected objects to identify sensitive data and generate corresponding findings. In addition, Macie provides information that can assist organizations in assessing security and privacy risks associated with their S3 data.
2.3.5. IBM Guardium
IBM Guardium Data Protection is a data protection platform focused on discovering and classifying sensitive data, monitoring data access, and supporting compliance activities across heterogeneous data environments [
23]. It provides capabilities for monitoring sensitive-data activity, enforcing access policies, and protecting data through mechanisms such as dynamic masking and redaction. IBM Guardium also supports audit workflows and compliance reporting, making it suitable for organizations that process sensitive data across databases, data warehouses, cloud environments, and other data stores.
2.3.6. Collibra Data Intelligence Platform
The Collibra Data Intelligence Platform is a data and AI governance platform that includes capabilities for data privacy management [
24]. Its privacy-related functionality supports the discovery of sensitive data, the centralization of privacy controls, risk assessment, and compliance reporting across organizational data environments. Collibra can help organizations understand how sensitive data move across teams, systems, and third parties through data lineage and data-flow visualization capabilities. The platform also supports the automation of privacy and risk-management workflows, helping organizations manage regulatory requirements and apply data-protection policies consistently.
2.3.7. Summary of Existing Tools
The reviewed tools for personal-data detection and classification differ in their scalability, integration capabilities, and adaptability to specific organizational and sectoral requirements. Enterprise platforms, such as Microsoft Purview, Google Cloud Sensitive Data Protection, Amazon Macie, IBM Guardium, and the Collibra Data Intelligence Platform, provide broader functionality for data governance, protection, risk management, policy enforcement, and integration with cloud or enterprise data environments. By contrast, open-source frameworks, such as Microsoft Presidio, provide extensible components for the detection and anonymization of personal data in text.
Although their specific capabilities differ, the reviewed tools demonstrate that personal-data detection and classification are commonly supported through combinations of rule-based methods, predefined detectors, machine learning techniques, contextual information, and organizational protection workflows. This diversity enables organizations to select or adapt solutions according to their infrastructure, regulatory requirements, and data-processing contexts.
2.4. NLP Challenges for Low-Resource Languages
One of the main challenges in the automatic detection and classification of personal data is the processing of low-resource languages. Many modern methods, including NER models, machine learning algorithms, and context-aware models, are developed and evaluated primarily for English or other well-resourced languages. Consequently, their performance may decrease when they are applied to languages for which fewer annotated datasets and specialized linguistic resources are available.
Studies indicate that multilingual transformer models may also exhibit reduced performance when applied to low-resource languages [
13]. Errors may occur particularly in the detection of proper nouns, morphologically complex word forms, and infrequent vocabulary. A related problem is described by Erol et al. (2022), who investigated the detection of personal health information in Turkish social media data and noted the challenges associated with identifying such information in informal texts [
14].
An additional challenge arises from contextual variation and semantic ambiguity. Context-aware models require not only linguistic information, but also information about the situation in which a data element occurs [
18]. Consequently, models may fail to distinguish, for example, a person’s name from an organization name or to interpret medically relevant information correctly in a particular context. Such errors can reduce the accuracy of personal-data detection and limit the practical applicability of context-aware methods.
In some jurisdictions, the development of digital data-processing practices and personal-data protection requirements may progress faster than the development of language-specific automation tools. Studies concerning personal-data protection in Tanzania and Indonesia emphasize the importance of effective data-protection mechanisms in digitally developing environments [
25,
26,
27]. However, the extent to which these challenges can be addressed through automated language-processing tools depends on the availability of suitable linguistic resources, annotated datasets, and locally adapted detection methods. Similar conclusions are also drawn by Arifin et al. (2025) and Sulthanah et al. (2025), indicating that the lack of language resources hinders the implementation of effective data protection mechanisms and limits the practical use of automation tools [
26,
27].
Regarding hybrid approaches that combine regular expressions and NLP methods for low-resource languages, studies indicate that such approaches perform relatively well in detecting structured data but are less effective when processing free text [
28]. Further challenges arise from the limited availability of training data for low-resource languages, which may cause large language models to reproduce or reinforce inaccurate language patterns [
29]. Such errors may increase confidentiality risks, as incorrect classification or failure to detect sensitive data can increase the likelihood of unauthorized disclosure.
In summary, improving the detection and classification of personal data in low-resource languages requires methods that are adapted to the linguistic characteristics of the target language and to relevant national identifier formats. A hybrid approach combining deterministic detectors with machine learning methods provides a suitable basis for addressing these requirements in Latvian-language texts.
4. Implementation of the Hybrid Personal-Data Detection Approach
The developed hybrid approach was implemented in Python 3.12.10 as a modular system that combines a transformer-based NER model, regular expressions, and context filters. This architecture is intended to provide flexibility and support accurate processing of Latvian-language texts from various sources, including Microsoft Teams messages, emails, and documents. This section describes the practical implementation, code structure, and technical components of the developed system.
The NER component is based on the multilingual transformer model Davlan/xlm-roberta-base-ner-hrl, loaded using the Hugging Face Transformers library. The model was used without additional fine-tuning, as no sufficiently large manually annotated Latvian-language NER corpus was available for this study. Instead, the model output was supplemented with language-specific post-processing rules, including token merging, morphological filtering, and validation against the official PMLP list of Latvian personal names.
Prior to inference, all texts were normalized: non-breaking whitespace characters were replaced, redundant whitespace was removed, and Latvian diacritics were preserved. As shown in
Figure 1, the model was executed using the token-classification pipeline with the parameter aggregation_strategy = “simple”, which aggregates subword token predictions into complete entity spans. Inference was performed on a CPU-based system equipped with an Intel i7 processor and 32 GB of RAM. Processing time ranged from approximately 20 to 40 ms per text fragment, depending on text length.
4.1. Architecture of the Hybrid Personal-Data Detection Approach
The implemented architecture is built around the LatvianPIIDetector class, which provides a consistent text-processing flow and integrates the main detection components into a single structure (
Figure 2).
4.2. Implementation of Personal-Data Detectors in Python
The practical implementation of the hybrid approach is based on a clearly defined set of detectors, with each personal-data type detected using a specific mechanism implemented in Python: a NER model, regular expressions, or context filters. This structured approach provides a transparent and repeatable detection process and facilitates the extension of the system by adding new data types.
To ensure consistent detector management and processing flow, all detection mechanisms are integrated into the LatvianPIIDetector class, where each data type is associated with a corresponding detection mechanism.
Each detector is implemented either as a separate element in the regular-expression dictionary or as a function responsible for detecting a specific entity type. This approach provides precise control over how each personal-data type is detected and helps reduce false positives through the use of additional context filters. In addition, this structure supports system modularity, since each detector can be updated or improved independently of the other components.
The detection of given names and surnames was performed by the NER component, supplemented with several additional constraints. To reduce false-positive personal-name detections, the system automatically loads the official list of Latvian personal names maintained by the Citizenship and Migration Affairs Office (PMLP) (
Figure 3). This enables the system to verify whether a given name detected by the NER model occurs in the official Latvian personal-name list, thereby helping to reduce false positives.
To reduce false-positive cases in which the NER model incorrectly classifies common nouns as given names, a morphological filtering mechanism was developed based on an analysis of Latvian suffix patterns. Several Latvian suffixes, such as
-ums,
-ība,
-ācija, and
-isms, are characteristic of abstract nouns and rarely occur in given names (
Figure 4). Consequently, words ending in these suffixes are excluded from the set of potential given names, thereby helping to reduce false-positive detections.
Additional validation is performed by checking whether each potential given name satisfies several orthographic and formal criteria. At this stage, the system checks whether the word begins with an uppercase letter, contains no digits or non-alphabetic characters, and falls within the length range defined for Latvian given-name candidates (
Figure 5). These criteria help exclude cases in which the NER model would otherwise incorrectly classify common nouns as given names.
The structure of Latvian addresses is complex and differs from address formats for which many general-purpose detection tools are designed. A Latvian address may contain several components, including a street name, street type, building number, apartment number, city or municipality, and postal code. Street types may occur in forms such as iela, gatve, bulvāris, and prospekts. In addition, street names may contain Latvian diacritical marks, compound forms, and inflectional endings, all of which complicate automatic processing and limit the applicability of rules not specifically adapted to Latvian address formats.
To support accurate address detection, a language-specific regular expression was developed to capture common Latvian address patterns and orthographic characteristics (
Figure 6). This expression accounts for common street-type forms, building and apartment number formats, and the structure of Latvian postal codes. It therefore provides a Latvian-specific mechanism for detecting complete address expressions rather than relying on general language-agnostic patterns.
5. Evaluation and Results of the Hybrid Personal-Data Detection Approach
To evaluate the effectiveness of the hybrid approach, an experimental evaluation was conducted using a dataset created within the project and based on authentic organizational data from Microsoft Teams messages, emails, and documents. Since the initial dataset contained a limited number of personal-data instances, it was supplemented with synthetic texts containing various categories of Latvian personal data. The dataset included texts containing given names and surnames, personal identification numbers, telephone numbers, email addresses, addresses, International Bank Account Numbers (IBANs), payment card numbers and card verification values (CVVs), IP addresses, identity-card numbers, passport numbers, and driver’s license numbers. Particular attention was paid to detectors whose matching patterns may overlap, for example, when distinguishing between passport numbers and identity-card numbers. In such cases, additional validation and contextual analysis were applied to improve classification accuracy and reduce false positives.
The dataset contains a total of 13,525 records, of which 12,325 were derived from authentic organizational data and 1200 were synthetically generated. All text samples were stored in an Excel file and manually annotated by identifying personal-data instances and assigning them to the corresponding categories. The annotation was performed by two researchers with expertise in information security and Latvian-language processing to support the consistency and reliability of the labeling process.
The aim of the experiment was to assess the detection performance of the hybrid approach in unstructured texts and to evaluate the robustness of the detectors under format variation, orthographic variation, and differences in context.
After execution of the implemented system, an Excel-formatted output file was generated, indicating which types of personal data were detected in each record and how many instances of each type were identified. This output file was then compared with the manually annotated reference dataset to evaluate the performance of the detectors. The annotators manually reviewed the automatically generated results against the reference annotations and, on the basis of this comparison, compiled the detailed results. This manual validation provides a basis for the subsequent analysis of the performance of the hybrid approach.
Table 2 illustrates how the hybrid approach assesses the sensitivity of different texts on the basis of the number and diversity of personal-data instances detected in them. It includes examples from the larger dataset on which the developed approach was evaluated and indicates the risk score, entropy, and operational sensitivity level calculated for each text. The examples illustrate the relationship between the weighted quantity and diversity of detected personal data and the assigned risk level. Texts containing only a small number of detected personal-data instances, such as a personal name, an email address, or a single structured identifier, may be assigned a low operational sensitivity level. In such cases, the risk score is low, and the detected data types are relatively homogeneous, which is reflected in a low entropy value. Texts containing multiple higher-risk identifiers, such as a personal identification number, passport number or identity-card number, address, and contact information, may achieve a higher risk score and higher entropy. Such combinations may be classified as medium- or high-sensitivity texts.
In the specific example in the first record, the calculated risk score is 2, despite the presence of an identity-card number in the text. This outcome occurs because the hybrid approach did not recognize the ID-card number in this instance and therefore did not include it in the weighted risk calculation. As a result, the system detected only two low-risk identifiers: a personal name and an email address, which led to a low overall risk score and a correspondingly low operational sensitivity level.
Table 2 illustrates how the hybrid approach can be used not only to detect personal data, but also to quantitatively assess the operational sensitivity level of textual content by considering both the number of detected instances and the combination of detected personal-data types. This enables the automatic distinction between texts assigned a low operational sensitivity level and those that may require additional data-protection measures.
The detector-level evaluation results are summarized in
Table 3, which reports the number of true positives (TPs), false positives (FPs), and false negatives (FNs) for each personal-data type. To provide a more interpretable assessment of detector performance, precision, recall, and F1-score were calculated for each category. Precision indicates the proportion of detected instances that were classified correctly, recall indicates the proportion of reference instances that were successfully detected, and F1-score provides a combined measure of precision and recall. These indicators enable a comparative analysis of detector performance and provide an empirical basis for assessing the strengths and weaknesses of the developed approach, as well as for identifying areas for future improvement.
Table 3 also provides insight into the error structure of the developed approach. High numbers of false positives or false negatives for particular personal-data types may indicate overlap between identifier formats, insufficient contextual rules, or variations in the representation of those data types. These results therefore help identify the detectors that require further refinement.
The results summarized in
Table 3 indicate that the hybrid approach performs strongly for several personal-data types with well-defined structured formats. Personal identification numbers achieved an F1-score of 99.83%, email addresses 99.44%, telephone numbers 99.70%, addresses 99.50%, and IBANs 99.95%. These results indicate that regular-expression-based detection is highly effective for categories characterized by clearly defined formats and limited structural variation.
The detection of given names and surnames also produced comparatively strong results, with a precision of 79.70%, a recall of 90.32%, and an F1-score of 84.68%. The lower precision indicates that, although most reference instances were detected, a substantial number of other text elements were incorrectly classified as personal names. This finding supports the need for further refinement of contextual filters and language-specific validation mechanisms.
Substantially weaker performance was observed for document identifiers with overlapping formats. The driver’s license number detector achieved a recall of 100.00%, but its precision was only 0.16%, resulting in an F1-score of 0.31%. This indicates that, although all driver’s license numbers present in the reference dataset were detected, the detector incorrectly classified a very large number of other identifiers as driver’s license numbers. The passport number detector achieved a precision of 100.00% but a recall of only 61.59%, while the identity-card number detector achieved a precision of 100.00% but a recall of only 6.79%. These results indicate that the current rules for distinguishing among document identifiers require substantial improvement, particularly through refined conflict-resolution logic and contextual validation.
The results for payment card numbers, card verification values, and IP addresses should be interpreted cautiously because these categories are represented by relatively small numbers of reference instances. Although their calculated metrics provide an initial indication of detector behavior, additional evaluation data would be required to draw reliable conclusions about their general performance.
During system development, it was anticipated that identity-card numbers and passport numbers might have overlapping formats, creating a risk that the same identifier would be classified under both categories. To address this issue, the implementation was supplemented with an additional verification mechanism intended to prevent the same document number from being recorded simultaneously in both categories (
Figure 7).
The high number of false positives for driver’s license numbers can be explained by insufficient differentiation between document-identifier formats in the implemented detection rules. In particular, the evaluation results suggest that a substantial number of passport numbers were incorrectly classified as driver’s license numbers. Although passport numbers and driver’s license numbers are intended to follow distinct structural patterns, their similar alphanumeric structure and identical overall character length can create ambiguity when broad regular-expression rules are applied without sufficient contextual validation.
Although the system includes an overlap-filtering mechanism for the passport number (“Pases Nr.” in Latvian) and driver’s license number (“Vadītāja apliecības Nr.” in Latvian) categories, this mechanism functions only when both detectors return the same identifier in an identical textual representation (
Figure 8). In practice, differences in formatting, spacing, or pattern matching may prevent the filter from identifying equivalent values. Consequently, a value corresponding to a passport number may remain classified as a driver’s license number, contributing to the high number of false positives observed for the latter category and the high number of false negatives observed for passport numbers.
These results indicate that regular-expression-based detection alone is insufficient for reliably distinguishing between document identifiers with similar formats. Further improvement requires normalization of detected values before overlap checking, refinement of conflict-resolution rules, and the use of additional contextual indicators to distinguish between passport numbers and driver’s license numbers.
It is also important to note that a text does not always contain a keyword that enables the system to determine unambiguously the personal-data category to which a detected string belongs. As a result, a regular-expression detector may successfully extract a data sequence but may not classify it correctly in the absence of additional semantic cues. This limitation highlights the need for contextual information to support reliable differentiation between personal-data types with similar formats.
Comparative Analysis of the Proposed Hybrid Approach and Microsoft Presidio
To compare the developed hybrid approach with Microsoft Presidio, two representative Latvian text examples were selected from the constructed dataset (
Figure 9). These examples illustrate the behavior of the systems on texts containing different combinations of personal-data types and provide an illustrative comparison of the strengths and limitations of the developed approach.
Both examples were processed using Microsoft Presidio and the developed personal-data detection system adapted specifically to Latvian-language texts. This comparison illustrates how the two systems detect personal data in selected communication scenarios and highlights limitations that may arise when a general-purpose tool is applied without Latvia-specific recognizers and contextual rules.
Microsoft Presidio provides functionality for detecting and anonymizing personally identifiable information and can be extended with additional recognizers and language-specific components. However, its default configuration contains recognizers and models for English, while support for additional languages requires adaptation of the NLP engine and the relevant recognizers. In the evaluated configuration, Presidio did not include rules specifically designed for Latvian morphology, Latvian address forms, or Latvia-specific document identifiers. Latvian personal names may contain diacritical marks and inflected forms, street names and street-type terms are language-specific, and document numbers follow national formats. These characteristics may reduce detection performance when Latvian-specific recognizers and context rules are not configured.
To ensure comparability, the two systems were compared under the same circumstances—the same input data, the same annotation procedures, and the same evaluation criteria. In this way, any differences in performance will result from differences in the underlying systems, not the evaluation framework.
Furthermore, Latvian is a low-resource language for which the availability of large, high-quality annotated datasets for training or adapting NER models is limited. This creates additional challenges for detecting personal data in Latvian-language texts. In the present comparison, the observed results should therefore be interpreted as a comparison between the developed Latvian-specific approach and the evaluated Presidio configuration, rather than as a general assessment of the capabilities of Microsoft Presidio.
As illustrated in
Figure 10 and
Figure 11, the evaluated Presidio configuration correctly detected the given names, surnames, and email addresses present in the two text examples. It also detected the telephone numbers in these examples, although it additionally classified some unrelated digit sequences as telephone numbers. However, the Latvian personal identification number was incorrectly classified as a telephone number. This constitutes a significant classification error and indicates that the evaluated configuration did not include appropriate support for this Latvia-specific identifier. This form of classification error would be highly relevant in a GDPR-compliant scenario where personal ID card numbers are considered sensitive identifiers. The incorrect risk assessment may occur in this scenario, leading to either a wrong risk score or under-anonymized data. In the case of addresses, Presidio detected individual components separately but did not combine them into a complete address expression and did not detect the building and apartment numbers. In addition, the evaluated configuration did not recognize Latvian street-type terms, such as
iela,
bulvāris,
prospekts, and
gatve, whose forms and inflections differ from those used in English-language address patterns.
These results indicate that the evaluated Presidio configuration was not specifically adapted to Latvian address structures or Latvia-specific identifier formats. The outputs shown in the figures indicate that Presidio correctly detected several common types of personal data in the selected examples, including given names and surnames, email addresses, and telephone numbers. However, the Latvian personal identification number was not classified correctly, and in some cases the tool classified domain names as URLs or organization names while assigning low confidence scores to some structured identifiers. These observations highlight a limitation of the evaluated configuration: without Latvian-specific recognizers and contextual rules, the system did not reliably distinguish several local identifiers and address components in the selected examples. This mismatch between the configured recognizers and the linguistic and structural characteristics of Latvian data resulted in classification errors and reduced detection performance in the evaluated cases.
In the same examples, the developed approach correctly detected the personal-data types included in the comparison (
Figure 12). In particular, the system detected complete address expressions rather than isolated address components, and it correctly classified the Latvian personal identification numbers present in the examples. These results illustrate the benefit of applying Latvian-specific regular-expression rules, morphological filters, and post-processing mechanisms when detecting personal data in Latvian-language texts. In the selected examples, the developed approach detected Latvian address expressions and Latvia-specific identifiers more effectively than the evaluated Microsoft Presidio configuration.
The performance of both detection methods is summarized in
Table 4, which provides a structured, side-by-side comparison across the main personal-data categories present in the two representative examples. In addition to correctly detected entities, the table also documents systematic errors observed in the Microsoft Presidio configuration, including the misclassification of Latvia-specific identifiers and fragmented address detection. By contrast, the developed hybrid approach successfully identified complete address expressions and correctly classified national identifiers.
6. Conclusions
In this work, a hybrid approach for the automatic detection of personal data in Latvian-language texts was developed and experimentally evaluated. The approach combines a transformer-based NER model with regular expressions, specialized dictionaries, and context filters. The results indicate that this combination is suitable for detecting different categories of personal data in Latvian-language texts, particularly in a context where language-specific resources and detectors for Latvia-specific identifiers are limited.
The evaluation results demonstrate strong performance for several structured-identifier types. The developed approach achieved F1-scores of 99.83% for personal identification numbers, 99.44% for email addresses, 99.70% for telephone numbers, 99.50% for addresses, and 99.95% for IBANs. These findings indicate that deterministic detection methods are effective for personal-data categories with clearly defined structural formats. The detection of given names and surnames achieved an F1-score of 84.68%, indicating good overall performance but also revealing the continued presence of false-positive detections.
The risk-score and entropy-based assessment method introduced in this study adds an additional dimension to personal-data analysis. It enables texts to be assigned operational sensitivity levels based on both the weighted number of detected personal-data instances and the diversity of the detected data types. This method provides a structured basis for comparing textual content according to its potential data-protection risk and may support risk-assessment and security-policy workflows.
The contribution of this work lies in the development of a practical personal-data detection approach for Latvian-language texts and in demonstrating how NER-based processing can be combined with rule-based detectors for Latvia-specific structured identifiers. The experimental results suggest that this combination is useful for addressing detection tasks that cannot be handled uniformly by either contextual entity detection or structured-pattern matching alone. This is particularly relevant for low-resource languages, which are characterized by limited annotated data and a lack of specialized NLP tools.
At the same time, the evaluation identified substantial limitations in the detection of document identifiers with overlapping formats. The driver’s license number detector achieved an F1-score of only 0.31% because of an extremely high number of false positives, while identity card numbers achieved an F1-score of 12.72% because most reference instances were not detected. Passport numbers achieved an F1-score of 76.23%, with reduced recall indicating that a considerable number of instances were missed. These findings show that additional contextual validation and conflict-resolution mechanisms are required to distinguish reliably among similar document-identifier formats.
Overall, the results indicate that a locally adapted hybrid approach can support the detection of personal data in Latvian-language digital content, particularly for structured identifiers and Latvian-specific address patterns. The study also demonstrates that effective personal-data detection in a low-resource language requires category-specific evaluation, since strong aggregate results may coexist with substantial weaknesses in individual detectors. The developed approach therefore provides a basis for further refinement of language-specific personal-data detection technologies and their application in organizational data-protection workflows.