What is Pseudonymisation?
Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual, it is defined in GDPR as
“…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
Pseudonymization is a recognized and increasingly important method for privacy protection of personal information where some individualized intervention is required. It is commonly used in basic research e.g., clinical trials, public health monitoring and assessments of individuals.
In practice, it may involve replacing names and/or other identifiers which are easily attributed to individuals with, for example, a reference number. Technical and organisational measures are then put in place to ensure that the additional information that would be necessary to link the reference back to an individual, are held sedately and securely.
Whilst pseudonymising personal data can reduce the risks to the data subjects and help the data processor meet its data protection obligations, it is however, only a security measure and does not change the status of the data as personal data. GDPR Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the UK GDPR:
“…Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…”
More guidance on Pseudonymisation:
Health informatics — Pseudonymization (ISO 25237:2017) – Available from ISO
Using Pseudonymisation in SAVVI
During the phase of a SAVVI, the will investigate potential sources of data that may be used as s. Two potential examples where pseudonymization may be applied are: A may support the proposed use of the data but have concerns about its relevance to the stratification process. It may agree to release a limited sample pseudonymised set to the for test and evaluation purposes, prior to committing to enter into a formal data sharing agreement with data that is not pseudonymized. A may be concerned about the bulk use of its data for profiling of people. Depending on the algorithms used for the , and taking into account potential risk of re-identification of pseudonymised records, the may be prepared to approve release of pseudonymized data. In this scenario, the would process the pseudonymized data and, request the identification data for those records of interest.
@Risk Stratification Policy
In the above examples the is using pseudonymization as a risk management tool by limiting access to the person identification data. Its use will still require appropriate security measures to be adopted as it remains personal data.
The pseudonymisation process requires a separate instance of the , in which the have provided data where are identified only by a common generated identifier. The identifier cannot be unencrypted to discover the actual address, but can be matched to the same identifier from other . In this way, each household can be assessed against the .
@Risk Stratification Policy
If there is a need to subsequently link the pseudonymised data back to individuals, the pseudonymisation should be carried out by a specialist data processing service, using specialist software solutions, acting as a ‘Trusted Third Party’ so that are assured that their data is being accessed appropriately.