This is the seventh article in the series about finding protected attributes in data. We've covered the main four categories (Race, Sex/Gender, Disability, and Age), and then covered religion in detail.
National origin is where someone, or their family, comes from. It's protected in many jurisdictions.
National origin is rarely a field of its own. But the data that reveals it often is. Banks and some insurers record country of birth, passport details, tax residency and visa information for KYC, sanctions, and tax reasons. Expected, and often required.
The problem is leakage. National origin (or a proxy) can flow into systems that were never meant to use it: marketing models, risk scoring, fraud detection.
A lot of the proxies for national origin are the same ones we covered for religion: names that point to a country of origin, postcodes with high concentrations of a particular migrant community, and transaction patterns like remittances and foreign currency activity. We've also discussed postcodes on their own. The logic is the same here, so we won't repeat it.
Country of birth, passport details and residency information often reveal national origin directly. They're fairly reliable, which is why their use in unrelated models is a problem.
The steps are the same as the rest of the series, with one addition.
Run the same checks we'd run for religion: e.g. audit name fields, review remittance data in credit and fraud models.
The addition is the direct information (sometimes captured as documents). Country of birth, passport details, visa status, and tax residency are collected for good reasons. But we check whether they're flowing into models that weren't designed to use them, like pricing, marketing, or fraud scoring.
The goal is the same: confirm that national origin, and proxies for it, are not influencing decisions they shouldn't.
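One way to run the direct-field check over a model feature inventory, as an added example that is not from the original article. The inventory format, the column-name patterns and the list of allowed purposes are assumptions, and the sample inventory is constructed; adapt them to your own data dictionary.

```python
import re

# Assumed naming patterns for fields that reveal national origin directly.
DIRECT = re.compile(
    r"country_?of_?birth|birth_?country|passport|(?:^|_)visa(?:_|$)"
    r"|tax_?residen|nationality|citizenship"
)
# Assumed patterns for the proxies the series covers (names, postcodes, remittances).
PROXY = re.compile(r"remit|foreign_?(?:currency|fx)|surname|first_?name|postcode")
# Purposes the article names as legitimate reasons to hold the direct fields.
ALLOWED_PURPOSES = {"kyc", "sanctions", "tax"}

def normalise(col):
    """Turn 'CountryOfBirth' or 'Tax Residency' into snake_case for matching."""
    split = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", col)
    return re.sub(r"[^a-z0-9]+", "_", split.lower()).strip("_")

def audit(inventory):
    """Return (model, column, kind) for each flagged feature outside allowed purposes."""
    findings = []
    for model in inventory:
        if model["purpose"].lower() in ALLOWED_PURPOSES:
            continue  # collected for KYC, sanctions or tax: expected here
        for col in model["features"]:
            name = normalise(col)
            if DIRECT.search(name):
                findings.append((model["name"], col, "direct"))
            elif PROXY.search(name):
                findings.append((model["name"], col, "proxy"))
    return findings

# Constructed sample inventory (hypothetical models and columns).
SAMPLE_INVENTORY = [
    {"name": "kyc_onboarding", "purpose": "KYC",
     "features": ["countryOfBirth", "passport_number", "visa_status"]},
    {"name": "motor_pricing", "purpose": "pricing",
     "features": ["vehicle_age", "CountryOfBirth", "postcode"]},
    {"name": "card_fraud_score", "purpose": "fraud",
     "features": ["txn_amount", "remittance_count_90d", "Tax Residency"]},
    {"name": "email_campaign", "purpose": "marketing",
     "features": ["tenure_months", "product_count"]},
]

if __name__ == "__main__":
    for model, col, kind in audit(SAMPLE_INVENTORY):
        print(f"{model}: '{col}' flagged as {kind} national-origin signal")
```

Name matching only finds columns that are labelled honestly; derived or renamed features still need lineage review back to the source fields.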
Disclaimer: The info in this article is not legal advice. It may not be relevant to your circumstances. It was written for specific contexts within banks and insurers, may not apply to other contexts, and may not be relevant to other types of organisations.