How identifiable is your data?
Anonymisation, pseudonymisation and de-identification
This brief guide provides examples of the main differences between identifiable, de-identified, pseudonymised and anonymised data, and what that means for working with data about people according to the UK GDPR.
Data protection law applies to any information about an identified or identifiable living person.
An individual may be directly identified from their name, address, telephone number, image, or some other unique personal characteristic. They may be indirectly identifiable when certain information is linked together with other sources of information, such as their job title, place of work, or a health condition.
Personal data which has been pseudonymised or de-identified and which could be attributed to a person is considered by the UK GDPR as information on an identifiable person, so data protection laws will apply.
To understand whether the de-identified or pseudonymised data you are working with is regarded as information on an identifiable person, you should conduct a motivated intruder test by considering ‘all means reasonably likely to be used’ to identify the individual directly or indirectly. This means taking account of the cost and amount of time required for identification, and considering available technology and technological developments that could be used to identify individuals. For example, if you have pseudonymised personal data, but you also hold the mechanism to re-identify the individuals, the data will be subject to data protection laws.
If the risk of identification cannot be completely resolved, consider if it is possible to mitigate its impact by using techniques such as rounding up numbers of individuals within a specific category, or redefining categories e.g., re-grouping age ranges. If this is not possible, or individuals remain identifiable, revisit your data protection impact assessment and reassess if it is safe and appropriate to continue.
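An added example (not part of the original guide) of the mitigation described above: it regroups exact ages into bands, flags any combination of gender, role and age band shared by fewer than k people, and rounds released counts up. The sample records, the threshold k = 3 and the rounding base of 5 are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real data): (gender, role, exact age)
STAFF = [
    ("M", "Guard", 34), ("F", "Guard", 36), ("F", "Guard", 31),
    ("F", "Guard", 38), ("M", "Guard", 39), ("F", "Trainer", 52),
    ("F", "Trainer", 58), ("F", "Trainer", 55),
]

def age_band(age, width):
    """Regroup an exact age into a band `width` years wide, e.g. 34 -> '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def group_sizes(records, width, drop_gender=False):
    """Count how many people share each (gender, role, age band) combination."""
    return Counter(
        ("*" if drop_gender else gender, role, age_band(age, width))
        for gender, role, age in records
    )

def risky_groups(records, width, k, drop_gender=False):
    """Combinations shared by fewer than k people; k is an assumed threshold."""
    sizes = group_sizes(records, width, drop_gender)
    return sorted(group for group, n in sizes.items() if n < k)

def round_up(count, base):
    """Round a count up to the next multiple of `base` (assumed base)."""
    return -(-count // base) * base

def published_counts(records, width, base, drop_gender=False):
    """Counts per group as they would be released, each rounded up."""
    sizes = group_sizes(records, width, drop_gender)
    return {group: round_up(n, base) for group, n in sizes.items()}

if __name__ == "__main__":
    # Exact ages: every record is unique, so all 8 groups are flagged.
    print(len(risky_groups(STAFF, width=1, k=3)))
    # Ten-year bands: only the two male guards remain a small group.
    print(risky_groups(STAFF, width=10, k=3))
    # Ten-year bands with gender removed: no group is smaller than k.
    print(risky_groups(STAFF, width=10, k=3, drop_gender=True))
    # Released counts rounded up to a multiple of 5.
    print(published_counts(STAFF, width=10, base=5, drop_gender=True))
```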
Data protection laws do not apply to anonymous information, information which doesn’t relate to an identified or identifiable person, or to personal data rendered anonymous in such a manner that the person is not or no longer identifiable.
Examples of how personal data can be more or less identifiable.
Identifiable data
This is Spot’s ID badge. It includes the following personal information:
- Gender
- Name
- Image
- He is a member of staff at The Doghouse
- Company ID number
- Role
- Spot often loses his ID badge
De-identified data - example 1
A lot of personal information has been removed from Spot’s ID badge. He is still identifiable by combining the following information:
- Gender
- He is a member of staff at The Doghouse
- Role
De-identified data - example 2
In this example, Spot has been de-identified by redacting his image and changing his name, ID number, role, and company name.
Changing, rather than removing personal data may help make the content more meaningful.
Anonymised data
More personal information has been removed. His data has been de-identified or made anonymous. However, he may still be identifiable if he is one of only a small number of males in the company, or his de-identified ID badge is attached to other contextual information, such as an accident report.
Pseudonymised data
Most personal information is pseudonymised, making re-identification impossible without access to the system in which his personal information is stored. His ID number can be used as a pseudonymisation key, making it possible to re-identify him.
Please Note: The UK GDPR applies only to ‘identified or identifiable natural persons (people)’. It does not apply to dogs.