Information Services Division


How to manage pseudonymised data on ISD services

Pseudonymisation is a way of mitigating the risk of accidentally disclosing confidential information. However, pseudonymisation is only useful where the identifying key is kept apart from the data.

Handling pseudonymised data requires that the user maintains some form of privileged access to the identifying key. If a single login or physical key can provide access to both the 'pseudonymised' data and the identifying key then the data cannot be adequately pseudonymised. Nor should it be possible to identify someone from a pseudonymised data set without access to that key. See guidance on adequate anonymisation.

When undertaking research with confidential information there are risks in working with standard ISD infrastructure because a single user login can be used for a number of services. If your login was exposed, for example, then an intruder would be able to tie many data sources together, including your research data. It is required that if you handle confidential information on UCL standard network storage and devices, there should be an account of the risk arising from it which is something that the information governance advisory service can help you do. Pseudonymised data are personal data under data protection legislation and therefore confidential. Researchers should not assume that working with personal data in this way is unavoidable. The UCL Data Safe Haven is designed to mitigate the risk of storing identifiers and highly confidential information on standard ISD infrastructure and it requires two factor authentication to log in.

For example, use of the ISD network storage for pseudonymous participant information could expose data to malware in the event of a UCL staff member unwittingly clicking on a link in a phishing email.

Accessing this kind of data using a regular Desktop @ UCL computer gives you continual anti-malware and a supported operating system but anyone with access to the same network storage as you who brings their own device onto the UCL network can expose your files to malware such as ransomware.

Access to ISD network storage is controlled using folder-level permissions but when people come and go, their access to files is not as tightly controlled as on the UCL Data Safe Haven.

ISD services are not, as a whole, designed with highly confidential information in mind. Consequently, there are a multitude of risks to working with participant information on ISD services.

These risks should be accounted for in a formal information risk assessment. Information asset owners are accountable for carrying out these risk assessments and for ensuring that any intolerable risks are escalated to Information Governance services. If information asset owners choose not to do this, they are accountable for any breach that occurs due to the choice of infrastructure.

It is recommended that studies using highly confidential information make use of the UCL Data Safe Haven where possible to store both the identities of research participants and any linked data. ISD services can be used to manage linked data but users must be aware and must account for the risks.