Table of Contents
Your business will create and store various forms of data, including pseudonymised data. Some businesses confuse this with anonymised data, but the Information Commissioner’s Office (ICO) treats the two types of information differently. It is essential your business handles this information according to the General Data Protection Regulation (GDPR) guidelines. The ICO investigates alleged breaches and can fine non-compliant businesses. This article will explain pseudonymised information, how it differs from anonymised data and how your company must handle it under the GDPR.
What is Pseudonymisation?
This is information that has had all identifying information removed or replaced. This makes the remaining data clean as to the original person’s identity. For example, a straightforward method is to delete an individual’s address or email address and replace the data subject’s name with ‘Person 5’ or ‘#005’ (or similar).
Pseudonymised data is not truly anonymous. This is because your company will still possess the original data, so they can determine who ‘Person 5’ really is. Because of this, the GDPR defines pseudonymised information as personal data and places specific requirements on your company when processing it.
An Example
Suppose your company has decided to carry out an optional equality survey in the workplace. The purpose is to learn about the workforce’s diversity and set a marker to improve in the future. The questions within the survey include ones relating to each person’s age, ethnicity, religion and opinion on whether they feel your business encourages diversity and equality or not.
If you have a relatively small workforce, it may be possible to identify individuals from their age and the data given, even if the survey does not record names. However, this would constitute pseudonymised data because, if you were motivated to do so, you could reverse engineer the identity of the majority of staff.
For example, they could do so by:
- giving individuals randomly assigned identities (such as ‘Member 11’);
- presenting the feedback within one document highlighting comments without reference to age, ethnicity, etc.;
- grouping staff members into age categories (such as ‘21-30’, ‘31-40’) rather than attaching exact ages to comments; and
- carrying out a final check to ensure identity privacy.
Why is Pseudonymised Data Useful?
Pseudonymised data allows your company to obtain more answers from any survey or study, as you can study and identify trends. For example, common trends may be that staff of a particular age group are happier or newer employees are less happy. Whichever way, it gives your organisation the chance to figure out why and seek to incorporate any necessary changes. In comparison, truly anonymised data would simply show a percentage of satisfied versus unsatisfied employees without explaining why.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
Pseudonymised Information is ‘Personal Data’
The ICO monitors data protection issues and can launch investigations into the misuse of personal data. Since ICO fines can range up to £17.5m, you must correctly handle, store, and process personal data. In reality, pseudonymous data is usually relatively safe to handle if your business does not combine it with identifying information. So, for example, if someone were sent an email with a copy of the pseudonymous report and a spreadsheet listing each name against each identification number (e.g. Joe Bloggs = Employee 3), this would be a likely data breach.
Key Takeaways
Under the GDPR, your company should always take special care of any information that could potentially identify an individual. Pseudonymising data is a good way to collect and store information. In most situations, recording pseudonymised information is safe because the act of producing it removes personal information. Furthermore, it enables your business to collect more useful data to make strategic decisions. Generally, the less personal information a document contains, the lower the risk of a personal data breach.
If you need help with data protection requirements and the safe collection and handling of pseudonymised data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Your organisation cannot trace properly anonymised data back to the original person. The purpose of the GDPR is to protect an individual (known as a ‘specific data subject’) by preventing the distribution of personal information. So if it is impossible to know who they are, there is little risk of breaching their data protection rights.
No. Your company must tailor the process of removing identifying information on each occasion. The starting point is usually to replace each name with an identification number.
We appreciate your feedback – your submission has been successfully received.
