Anonymization and Pseudonymization Policy

Anonymization and pseudonymization are two important ways of protecting personal information within your organization.

These concepts have been central to EU data protection law for many years. But with strict privacy laws emerging in the US and elsewhere, organizations all over the world should now be considering how best to integrate these practices into their operations.

In this article, we'll be explaining how an Anonymization and Pseudonymization Policy can help protect personal information within your organization and outlining the contents of this type of policy.


What are Anonymization and Pseudonymization?

Anonymization and pseudonymization are two ways of processing personal information.

Anonymization and pseudonymization are not the same, as explained by the Article 29 Working Party, a now-retired working group that provided guidance on EU data protection law (at page 3 of the linked PDF):

Article 29 Working Party Opinion on Anonymisation Techniques: Executive Summary - Pseudonymisation section

Under EU law, anonymized data is not personal information, but pseudonymized data remains personal information.

What is Anonymization?

Perhaps the best definition of "anonymization" comes from the EU General Data Protection Regulation (GDPR), which defines "anonymous information" at Recital 26:

EUR-Lex Europa: GDPR Recital 26 - Definition of anonymous information

Accordingly, anonymization means removing any references to an identifiable person from a data set, thus turning personal information into non-personal information.

Given the changing nature of technology, it is possible that some anonymized data sets might, one day, be subject to re-identification. However, this should not be reasonably possible in the current technological climate.

Anonymization is commonly used to depersonalize personal information before processing it for statistical purposes.

What Is Pseudonymization?

Pseudonymization is defined at Article 4 (5) of the GDPR:

EUR-Lex Europa: GDPR Article 4 section 5

A virtually identical definition appears at Section 1798.140 (r) of the California Consumer Privacy Act (CCPA):

California Legislative Information: CCPA - Definition of Pseudonymize

There are several conditions inherent to this definition:

  • After personal information has been pseudonymized, no individual can be identified from the personal information without reference to additional information
  • The additional information must be kept separately from the pseudonymized personal information
  • The additional information must be subject to technical and organizational safeguards (such as access controls) to keep it secure

If any one of these conditions is not present, then pseudonymization has not taken place.

Benefits of an Anonymization and Pseudonymization Policy

Having a robust set of policies in place ensures everyone in your organization is on the same page when it comes to privacy and data protection.

Maintaining an Anonymization and Pseudonymization Policy will also help ensure you can demonstrate your compliance with the relevant laws and regulations, and it could reduce your liability under such laws.

It Ensures Proper Anonymization

Your Anonymization and Pseudonymization Policy will ensure that your employees understand the high standards that apply when anonymizing personal information.

The concept of "anonymization" is often misunderstood and misapplied.

A relatively common misapplication of "anonymization" involves the use of individuals' initials in place of their full name. This method is unlikely to even meet the threshold for "pseudonymized" personal information, let alone "anonymized."

In the context of EU law, anonymization is an effectively irreversible process that prevents the identification of individuals (using current technology). This is a high threshold.

It Ensures Proper Pseudonymization

As with anonymization, the threshold for pseudonymization is also relatively high.

To return to the example above, the use of an individual's initials in place of their full name would probably not meet the threshold for pseudonymization.

Your Anonymization and Pseudonymization Policy will ensure that your employees understand that the re-identification of individuals from pseudonymized personal information must be very unlikely without reference to additional information.

The Policy will also make clear that any additional information used to re-identify individuals must be stored separately from the personal information, and appropriate security measures and access controls must be applied to it.

Your employees must also understand that pseudonymized data remains "personal information," and, therefore, it must be presented to individuals in an intelligible form if they request access to it.

Anonymization Reduces Your Compliance Burden

Another key benefit of creating an Anonymization and Pseudonymization Policy is that it will help ensure employees are anonymizing personal information wherever possible and appropriate.

The benefits of anonymization are clear. The GDPR states that data protection law does not apply to anonymous data at Recital 26:

EUR-Lex Europa: GDPR Recital 26 - Regulation does not apply to anonymous information

This is confirmed by the Article 29 Working Party (at page 5, here):

Article 29 Working Party Opinion on Anonymisation Techniques: Introduction - Anonymisation strategy section

The CCPA does not explicitly refer to anonymization, but given that the law uses a very similar definition of "personal information," it is reasonable to assume that anonymized data also falls outside of the scope of the CCPA.

Because privacy law no longer applies to anonymized data, this means:

  • There is no need to store it securely (unless it is sensitive or valuable for other reasons)
  • Individuals can no longer exercise their data rights over it (therefore you will not need to provide access to it, delete it, or rectify it on request)
  • If it is compromised in a data breach, you will not have to notify the authorities or the individuals affected

Note, however, that other laws and regulations may still apply to anonymized data.

Your Anonymization and Pseudonymization Policy will also ensure that your employees pseudonymize personal information whenever required.

The GDPR presents pseudonymization as a valid means of mitigating risks to privacy and fulfilling certain obligations to protect personal information. For example, at Recital 28:

EUR-Lex Europa: GDPR Recital 28 - Application of pseudonymisation to reduce data subject risk

At Article 25, pseudonymization is presented as a means by which to implement the principle of "data protection by design and by default":

EUR-Lex Europa: GDPR Article 25 - Data protection by design and by default

Encrypting personal information also allows your company to escape liability for data breaches under some privacy laws (encryption being, under certain conditions, a form of pseudonymization).

For example, the New York SHIELD Act applies to businesses holding the "private information" of New York residents. Private information is defined as certain types of personal information that have not been encrypted. Therefore, it is possible that encrypting personal information could allow a business to escape the jurisdiction of this law altogether.

In addition to mitigating the risks once personal information has been compromised, pseudonymization also reduces the likelihood of a cyberattack. Ultimately, pseudonymous data is worthless to an attacker who does not have access to the additional information required to identify individuals.

Outline of Your Anonymization and Pseudonymization Policy

Your reasons for using anonymization and pseudonymization will be specific to your organization. Therefore, every Anonymization and Pseudonymization Policy will be unique.

Below are some of the sections that are common to most Anonymization and Pseudonymization Policies, together with some examples from real organizations.

Scope

The "Scope" section of your Anonymization and Pseudonymization Policy explains whom the policy applies to and what activities it covers.

For example, your policy may apply to all members of staff and contractors, and it may apply to particular types of personal information or all personal information.

Here's an example from Dundalk Institute of Technology:

Dundalk Institute of Technology Anonymisation Pseudonymisation Policy: Scope clause

Note that the policy applies whenever employees and third parties engage in the anonymization of personal information. When doing so, these parties must abide by the process and principles set out in the policy.

Purpose

The "Purpose" section of your Anonymization and Pseudonymization Policy sets out the reasons for which the policy exists.

Broadly speaking, this is to protect personal information. But your policy may serve a more specific purpose within the context of your organization.

Here's an example from the Anonymization and Pseudonymization Policy of the NHS Business Services Authority (NHSBSA):

NHSBSA Pseudonymisation and Anonymisation of Data Policy: Purpose clause

In addition to setting out the purpose of your policy, you may also wish to describe the purposes of anonymization and pseudonymization.

Here's an example from the Anonymization and Pseudonymization Policy of Luton Council, which explains the benefits of anonymization.

Luton Council Pseudonymisation and Anonymisation Policy: Why Anonymise and Benefits of Anonymisation clause

Explaining the benefits of anonymization and pseudonymization will help ensure your employees adhere to your policy.

Definitions

Your Anonymization and Pseudonymization Policy should provide definitions of anonymization and pseudonymization that are valid under the laws relevant to your organization. It should also define other terms commonly used throughout the policy.

Here's an example from Leicester City Council:

Leicester City Council Policy and Guidance on Anonymising Personal Data Policy: Definitions Section - Anonymisation and Pseudonymisation

Roles and Responsibilities

Your Anonymization and Pseudonymization Policy should explain who within your organization has responsibility for enforcing the policy and who is responsible for carrying out the processes of anonymization and pseudonymization.

Here's an example from Essex Partnership University:

Essex Partnership University Pseudonymisation Policy: Roles and Responsibilities clause - Individuals section

Process

Your Anonymization and Pseudonymization Policy should set out a standardized process by which anonymization and pseudonymization must take place.

This is important to help ensure that your employees anonymize and pseudonymize personal information in a legally-compliant way.

The process will be largely specific to the context in which your organization operates, but there are certain standards that must nonetheless be met.

Process of Anonymization

An effective anonymization process will make the re-identification of an individual from the anonymized personal information very unlikely.

The Article 29 Working Party provides a three-part test for assessing the effectiveness of an anonymization method.

Once the anonymization process has been carried out, the following three conditions should apply:

  1. It is no longer possible to single out an individual
  2. It is no longer possible to link records relating to an individual
  3. No information can be inferred concerning an individual

Here's an example of how to carry out effective anonymization, from Northumberland County Council:

Northumberland County Council Anonymisation and Pseudonymisation Policy: De-identification techniques list

The policy provides several methods of anonymization (referred to as "de-identification"), including using date ranges instead of exact ages (e.g. 25-35 instead of 30).
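The generalization technique above, together with a check for the first condition of the Article 29 test (singling out), as an added example that is not from the article or from Northumberland County Council's policy. The field names, the 10-year age band and the sample records are assumptions constructed for the example.

```python
from collections import Counter

# Field names below are assumptions for this example, not from the article.
DIRECT_IDENTIFIERS = {"name", "email", "patient_id"}
QUASI_IDENTIFIERS = ("age_band", "area")

def age_band(age, width=10):
    """Replace an exact age with a range, e.g. 30 -> '30-39', mirroring the
    'ranges instead of exact ages' de-identification technique."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def anonymize(record):
    """Drop the direct identifiers and generalize the quasi-identifiers."""
    return {
        "age_band": age_band(record["age"]),
        "area": record["postcode"].split()[0],   # keep only the outward code
        "diagnosis": record["diagnosis"],
    }

def k_anonymity(anon_records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.
    A result of 1 means at least one record can still be singled out."""
    groups = Counter(tuple(r[q] for q in quasi) for r in anon_records)
    return min(groups.values())

def is_releasable(records, k=2):
    """Singling-out check: every record must share its quasi-identifier
    values with at least k-1 others once anonymized."""
    return k_anonymity([anonymize(r) for r in records]) >= k

def anonymize_dataset(records, k=2):
    """Anonymize the set, refusing to release it if it still fails the check."""
    if not is_releasable(records, k):
        raise ValueError("dataset does not meet k-anonymity; generalize further")
    anon = [anonymize(r) for r in records]
    if any(DIRECT_IDENTIFIERS & set(r) for r in anon):
        raise ValueError("a direct identifier survived anonymization")
    return anon

# Constructed sample records (not real people).
RAW = [
    {"name": "A", "email": "a@example.org", "patient_id": "P1",
     "age": 31, "postcode": "NE1 4ST", "diagnosis": "asthma"},
    {"name": "B", "email": "b@example.org", "patient_id": "P2",
     "age": 35, "postcode": "NE1 7RU", "diagnosis": "diabetes"},
    {"name": "C", "email": "c@example.org", "patient_id": "P3",
     "age": 42, "postcode": "NE1 2AB", "diagnosis": "asthma"},
    {"name": "D", "email": "d@example.org", "patient_id": "P4",
     "age": 47, "postcode": "NE1 8XY", "diagnosis": "migraine"},
    {"name": "E", "email": "e@example.org", "patient_id": "P5",
     "age": 58, "postcode": "NE1 1ZZ", "diagnosis": "asthma"},
]
```

The fifth record is the only one in its age band, so the full set fails the check even though every name and e-mail has been removed; the first four records pass with k = 2.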

Process of Pseudonymization

The process of pseudonymization must ensure that individuals can be re-identified, but only where necessary.

Some methods of pseudonymization include encryption, hashing, and tokenization. However, these measures must meet the conditions set out above before they can be considered pseudonymization methods.

For example, encrypted data is only pseudonymized if the encryption key is kept separately, securely, and with limitations on access.

Here's how Northumberland County Council describes some of the standards that must be met when pseudonymizing personal information:

Northumberland County Council Anonymisation and Pseudonymisation Policy: Actions required to effectively pseudonymise information
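The conditions above (a keyed method, with the key and the re-identification table held separately and behind access controls), as an added example that is not from the article or from Northumberland County Council's policy. The record fields, the role names and the in-memory "store" are assumptions constructed for the example; a real deployment would keep the key in a separate, hardened system.

```python
import hashlib
import hmac
import secrets

# Field names are assumptions for this example, not from the article.
DIRECT_IDENTIFIERS = ("name", "patient_id")

class SeparateKeyStore:
    """Holds the pseudonymization key and the token -> identifier table apart
    from the pseudonymized data, with a role check on re-identification.
    Stand-in for a separate system (HSM, locked-down database); the roles
    are placeholders."""

    def __init__(self, roles_allowed_to_reidentify):
        self._key = secrets.token_bytes(32)       # never leaves this store
        self._table = {}
        self._allowed = set(roles_allowed_to_reidentify)

    def token_for(self, identifier):
        """Keyed hash (HMAC-SHA256): the same identifier always yields the same
        token, so records stay linkable, but nobody without the key can
        recompute the token from the identifier."""
        tok = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()
        self._table[tok] = identifier
        return tok

    def reidentify(self, token, role):
        """Re-identification only where necessary and only for permitted roles."""
        if role not in self._allowed:
            raise PermissionError(f"role {role!r} may not re-identify")
        return self._table[token]

def pseudonymize(record, store):
    """Strip the direct identifiers and replace them with a single token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = store.token_for(record["patient_id"])
    return out

def can_reidentify(store, token, role):
    """True if `role` is able to map the token back to an identifier."""
    try:
        store.reidentify(token, role)
        return True
    except PermissionError:
        return False

# Constructed sample record (not a real person).
RECORD = {"name": "A. Person", "patient_id": "P-0001",
          "visit_date": "2023-04-12", "diagnosis": "asthma"}
```

Two stores with different keys produce different tokens for the same identifier, which is what makes the pseudonymized data useless on its own and ties re-identification to the separately held key.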

Applicable Laws and Regulations

Your Anonymization and Pseudonymization Policy should list the laws and regulations that apply when anonymizing and pseudonymizing personal information.

Depending on where your customers are based, such laws may include:

Here's an example from Cambridgeshire County Council:

Cambridgeshire County Council: Pseudonymisation and Anonymisation Data Policy: Legal and Professional Obligations

Summary

An Anonymization and Pseudonymization Policy can help ensure your employees are properly applying these important information security techniques to protect personal information within your organization.

Some key parts of your policy should include:

  • Scope: Describes which people and activities are covered by the policy
  • Purpose: Describes the reasons for implementing the policy
  • Definitions: Defines key terms used throughout the policy
  • Roles and Responsibilities: Explains who is responsible for overseeing and carrying out the policy
  • Process: Provides a legally compliant process for anonymizing and pseudonymizing personal information
  • Applicable laws and regulations: Sets out the legal context in which your organization operates
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.