This guidance outlines the key differences between anonymisation and pseudonymisation, how they apply to personal data processing, and how to implement them in line with the latest ICO recommendations.
Informed by ICO Guidance – May 2025
Introduction
Anonymisation and pseudonymisation are essential tools for managing personal data responsibly. The ICO’s updated guidance (May 2025) provides a detailed framework for applying these techniques in compliance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
Key Concepts
What is Anonymisation?
Anonymisation is the way in which you turn personal data into anonymous information, so that it then falls outside the scope of data protection law. You can consider data to be effectively anonymised if people are not (or are no longer) identifiable.
What is Pseudonymisation?
Pseudonymisation is a term defined in UK GDPR as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is subject to technical and organisational measures to keep it separate. This can involve replacing identifiable information with pseudonyms (e.g., codes or tokens). While this reduces the risk of identification, the data remains personal and subject to data protection obligations. De-identified data is considered equivalent to pseudonymised data under UK GDPR.
Pseudonymised data will still constitute personal data in the hands of the organisation that holds both the pseudonymised data and the separate key.
UCL's standard approach is that:
- pseudonymised data in the hands of an organisation that has access to the key – or any other means of identifying those individuals – is personal data; and
- pseudonymised data in the hands of an organisation that does not have access to the key – or any other means of identifying those individuals – is anonymous data and will not therefore be classed as personal data. Where pseudonymised data is shared with a third party, the key is not usually provided to the third party as part of the data sharing arrangement.
This means that where UCL shares data that, in the hands of UCL, is either: (i) truly anonymous data, or (ii) pseudonymised data for which UCL holds the key, that data is unlikely to constitute personal data in the hands of the third parties with which UCL has shared the data.
However, please note that where UCL shares pseudonymised data with a third party acting as a data processor for UCL (where it cannot process data for its own purposes) – that data should still be considered pseudonymised personal data within the scope of the UK GDPR. This is because a processor is considered an ‘extension’ of the controller as UCL will retain the ability to identify the individual from the pseudonym.
Legal Context
The guidance applies across three legal regimes:
- General processing (UK GDPR and Part 2 DPA 2018)
- Law enforcement processing (Part 3 DPA 2018)
- Intelligence services processing (Part 4 DPA 2018)
It also intersects with:
- Freedom of Information Act 2000 (FOIA)
- Environmental Information Regulations 2004 (EIR)
- Re-use of Public Sector Information Regulations 2015 (RPSI)
Techniques and Tools
Anonymisation Techniques
- Aggregation: Combining data to show trends without individual details.
- Data masking: Obscuring specific identifiers.
- Generalisation: Reducing precision (e.g., age ranges instead of exact age).
- Noise addition: Introducing random variation to obscure identity.
Pseudonymisation Techniques
- Tokenisation: Replacing identifiers with tokens.
- Hashing: Using cryptographic functions to obscure data.
- Encryption: Securing data with keys (must be stored separately).
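An added example (not UCL or ICO code) of hashing-based pseudonymisation using a keyed hash, HMAC-SHA-256, with the key held apart from the shared dataset. It shows that the key holder can re-link pseudonyms to identifiers while a party without the key cannot; the field names, identifiers and records are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def new_key() -> bytes:
    """Generate the secret key; store it separately from the dataset."""
    return secrets.token_bytes(32)

def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash (HMAC-SHA-256) of a normalised identifier."""
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()

def pseudonymise(key, records, id_field="student_id"):
    """Replace the direct identifier with a pseudonym; keep other fields."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field}
        row["pid"] = pseudonym(key, rec[id_field])
        out.append(row)
    return out

def relink(key, candidates, shared):
    """Map each pseudonym back to a known identifier, if the key matches."""
    lookup = {pseudonym(key, c): c for c in candidates}
    return {row["pid"]: lookup.get(row["pid"]) for row in shared}

# Constructed sample records (hypothetical field names, not real data).
RECORDS = [
    {"student_id": "S1001", "year": 2, "score": 61},
    {"student_id": "S1002", "year": 2, "score": 74},
    {"student_id": "S1001", "year": 3, "score": 68},
]

if __name__ == "__main__":
    key = new_key()
    shared = pseudonymise(key, RECORDS)
    # Same person gets the same pseudonym, so longitudinal analysis still works.
    print(shared)
    # With the key, pseudonyms resolve to identifiers (still personal data).
    print(relink(key, ["S1001", "S1002"], shared))
    # With a different key, nothing resolves.
    print(relink(new_key(), ["S1001", "S1002"], shared))
```
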
Risk Assessment
The “Motivated Intruder” Test
Evaluate whether a reasonably informed person could re-identify individuals using available resources. This test helps determine if data is truly anonymised. You will need to consider the nature of the data, such as the rarity of attributes recorded, the size of geographical areas in question and access to other data that could be linked.
Contextual Factors
- Availability of auxiliary data
- Nature of the dataset
- Likelihood and impact of re-identification
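An added example (not UCL or ICO code) of one quantitative input to this assessment: counting how many records share each combination of linkable attributes, before and after generalisation. This k-anonymity style count is an assumption chosen for illustration and is not the motivated intruder test itself; the field names, postcodes and rows are constructed.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("age", "postcode", "course")  # assumed linkable fields

def generalise(record):
    """Reduce precision: 10-year age band, postcode outward code only."""
    low = (record["age"] // 10) * 10
    return {
        **record,
        "age": f"{low}-{low + 9}",
        "postcode": record["postcode"].split()[0],
    }

def class_sizes(records, fields=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def smallest_class(records, fields=QUASI_IDENTIFIERS):
    """Size of the rarest combination (the k in k-anonymity)."""
    return min(class_sizes(records, fields).values())

def rare_rows(records, k, fields=QUASI_IDENTIFIERS):
    """Rows whose combination is shared by fewer than k records."""
    sizes = class_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] < k]

# Constructed sample dataset (made-up postcodes, not real data).
ROWS = [
    {"age": 21, "postcode": "ZZ1 1AA", "course": "Law"},
    {"age": 23, "postcode": "ZZ1 2BB", "course": "Law"},
    {"age": 27, "postcode": "ZZ1 3CC", "course": "Law"},
    {"age": 34, "postcode": "ZZ9 1AA", "course": "Physics"},
    {"age": 38, "postcode": "ZZ9 2BB", "course": "Physics"},
    {"age": 52, "postcode": "ZZ9 3CC", "course": "Physics"},
]

if __name__ == "__main__":
    print("raw k:", smallest_class(ROWS))
    generalised = [generalise(r) for r in ROWS]
    print("generalised classes:", dict(class_sizes(generalised)))
    # Rows still unique after generalisation need further treatment
    # (wider bands, suppression, or aggregation) before release.
    print("still rare at k=2:", rare_rows(generalised, 2))
```
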
Governance and Accountability
- Data Protection Impact Assessments (DPIAs): Required when anonymisation or pseudonymisation is part of high-risk processing.
- Documentation: Maintain records of techniques, decisions, and risk assessments.
- Training: Ensure staff understand the principles and limitations.
- Transparency: Inform individuals where appropriate, especially when pseudonymisation is used.
Re-identification and Reuse
- Re-identification risks must be continuously monitored.
- Re-use of anonymised data should be assessed for residual risks.
- Data sharing: Anonymisation can enable lawful sharing without consent, but only if re-identification is not reasonably likely.
Use in Research
Both techniques are valuable in research settings:
- Anonymisation enables broader data sharing and reuse without UK GDPR constraints.
- Pseudonymisation allows researchers to retain analytical value while protecting identities, especially in longitudinal studies.
Researchers must consider the purpose of processing, data sensitivity, and likelihood of re-identification when choosing between the two.
Next Steps for UCL Staff and Researchers
- Review your current data handling practices.
- Apply the motivated intruder test when assessing anonymisation.
- Ensure pseudonymisation keys are stored securely and separately.
- Document your decisions and safeguards clearly.
Good Practice Checklist
- Clearly define your anonymisation or pseudonymisation goals
- Choose appropriate techniques based on context and risk
- Apply the “motivated intruder” test
- Document your process and decisions
- Regularly review and update your approach
- Train staff and ensure organisational awareness
- Consider legal obligations beyond data protection (e.g., FOIA)
