Thanks again for these suggestions. I've been going through this, but it looks like the only way I could do it would be by following Jsneed's suggestion to put the combination logic in separate rules.
For example, inside the policy I would need a separate rule for each combination of data I want to match (one rule to match passport number and driver's licence in one email, another rule to match passport number and SS number, and so on). This seems quite arduous considering the number of combinations you would need to detect significant PII leakage.
I looked into creating a special data identifier, but I couldn't see where I could put the logic in for either/or matches.
Stephane - Sorry, I got a bit lost when looking into your suggestion. I wonder if you could elaborate?
The main problem I have is that the individual rules are triggering hundreds of real matches (i.e. people sending passport numbers to travel brokers), and I have no remit to tell them not to. Therefore, I'm mainly interested in detecting major leakage such as combinations of PII to start with.