c. Anonymisation and pseudonymisation

Any research data from identifiable natural persons should be anonymized or pseudonymised. Anonymisation means processing data with the aim of irreversibly preventing the identification of the person to whom it relates. Pseudonymisation means replacing any identifying characteristics of data with a pseudonym, i.e., a value which does not allow the person to be directly identified.

You need to de-identify study subjects by anonymising or pseudonymising the data. In addition, you may aggregate data to reduce the probability of identification. For example, you could replace birth date with age or age bin.

Pseudonymisation is preferred over anonymisation if you wish to:

  • retain the possibility to inform patients of incidental findings;
  • be able to collect extra data for the same patient;
  • be able to verify your research data with the source data.

Pseudonymisation only provides limited protection for the identity of data subjects as it still allows identification using indirect means. However, it does allow you to report accidental findings back to the patient. In general, you can protect the privacy of your study subjects by:

  • keeping identifiable data separated from unidentifiable research data;
  • using random unique research codes and separating the code list from the research data;
  • encrypting vital identifying information;
  • change encryption methods every few years;
  • independent key management.

Frequently Asked Questions

Use the Toolbox to find support on pseudonymisation and privacy at your UMC.

Researchers aiming to store personal data on human subjects may consider involving a trusted third party (TTP, for independent external key management) or a trusted second party (for independent internal key management) to encrypt and decrypt identifiers. This is not legally required, but it could enhance the trust of the general public that all feasible measures were taken to protect the privacy of the study subjects.

Strictly speaking, a mere encryption of the personal data is sufficient. When also allowing decryption of encrypted data, processes should be in place to limit such decryption rights to people for whom a legal ground exists to have access to such knowledge. Such processes can either be guaranteed by standard operation procedures and risk assessments within the organisation itself, or by involving a TTP.