Anonymisation, deidentification and protection of privacy
For those data considered personal and/or sensitive, questions such as those in Activity 5 would need to be asked and, to meet legal obligations, privacy notice information provided to participants. However, to show respect, ethically, all forms of data should have the same data protection considerations, and information should be provided to the participants about how the data will be handled and stored.
You will see from the suggested data sources that anonymisation is referred to in several cases, and that these can then be considered protected from being considered personal or sensitive data. Anonymisation and deidentification are key techniques for a researcher to help protect an individual’s rights to privacy (as summarised in Box 3.1).
Box 3.1 Anonymising and deidentifying
Anonymous data is data in which the identities of those providing it are not known to the researcher – and hence to an eventual reader of the research. GDPR (and other equivalent regulations) does not apply to such data. (See Recital 26 [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)] of GDPR – open link in a new tab/window so you can easily return to this page.)
Data can be anonymised by removing personal identifiers so that the individual providing the data cannot be recognised. This might involve removing names, addresses, postcodes and contact numbers and amending photographs, other images or audio data. It might also involve offering to replace names with pseudonyms (false names).
Deidentification might also be needed to protect the identities of individuals by removing indirectly identifiable information that a reader could use by combining sources of information to identify the context (and hence individuals). This might involve removing reference to particular features of the setting or specific names of roles of those in the setting.
The ICO’s Code of Conduct on Anonymisation (2012) provides further guidance on anonymisation techniques.