What is the difference between anonymisation and pseudonymisation?
"...information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable." - Recital 26, GDPR
“…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” - Article 4, GDPR
It is vital to categorise your data accurately against the definitions above. The GDPR does not apply to anonymised data. However, pseudonymised data falls fully within the scope of the GDPR and must be treated with the same levels of consideration in terms of security and processing:
"Pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data. Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the GDPR."
Where clinical trial data has had all identifiers removed, it can only be considered anonymised data if it is impossible to re-identify the trial subjects, even when the data is cross-referenced against supporting documentation.
Another way of defining the difference between anonymised and pseudonymised data is as follows:
- Anonymised data: data is unrecognisable, even to the data owner. It cannot be re-identified by referring to the study ID or by processing it together with other information which is available or likely to be available.
- Pseudonymised data: identifiable data has been replaced with alternative identifiers that bear no overt relationship to the true values. Re-identification of data can only be achieved with knowledge of the de-identification key.
If you are uncertain whether your data should be considered anonymised or pseudonymised, it should be treated as identifiable data in accordance with the department's Anonymisation Policy.
If you have any questions or concerns about the category of your data, please contact the Information Governance Lead for assistance.
What is personal data? (ICO)
Personal data anonymisation and pseudonymisation under the GDPR (Slaughter and May)