grant_id & PII

Issue #383 resolved
Brian Campbell created an issue

The wording “grant_id MUST NOT be derived from PII that can make possible to identify the user” is awkward. And maybe ambiguous as a result. Is this meant to say something more like “it must not be possible to derive any personally identifiable information from the grant_id value alone”?