The ICO has recently published some draft guidance titled ‘Introduction to anonymisation’. Whilst the guidance is currently only a draft and is likely to be subject to some refinement, it still offers a helpful insight into both anonymisation and pseudonymisation in the context of data protection.
What is anonymisation?
When looking at what is meant by anonymisation, it is first helpful to look at the definition of anonymous information.
Recital 26 of the UK GDPR offers some guidance on the term ‘anonymous information’, stating that it is:
“…information which does not relate to an identified or identifiable natural person or to personal data rendered in such a manner that the data subject is not or no longer identifiable.”
Once the information has been anonymised correctly, it is no longer personal data, meaning the principles of data protection do not apply and do not need to be followed when the data is processed.
So what is anonymisation? Anonymisation is the way in which personal data is turned into anonymous information so that it falls outside of the scope of data protection legislation.
Data is sufficiently anonymised when it no longer relates to an identified or identifiable individual, or is rendered anonymous so that the individuals are not, or are no longer, identifiable.
What is pseudonymisation?
The guidance makes it clear that pseudonymisation is a technique that replaces or removes information that identifies an individual, such as replacing a name or other identifier with a reference number.
Article 4(5) of the UK GDPR confirms that pseudonymisation is:
“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information…”
The additional information referred to within Article 4(5) must of course be kept separately with the relevant controls in place to ensure that it is not possible to re-identify the individual.
Whilst anonymisation and pseudonymisation do have some similarities, in very simple terms:
- Anonymisation means that individuals are not identifiable and cannot be re-identified by any means; and
- Pseudonymisation means that individuals are not identifiable from the data itself but can be identified by referring to other information held separately.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.