Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use. Data in this form is suitable for extensive analytics and processing.
The choice of which data fields are to be pseudonymized is partly subjective, but should include all fields that are highly selective, NHS number (in the UK) for example. Less selective fields, such as Birth Date or Postal Code are often also included because they are usually available from other sources and therefore make a record easier to identify. Pseudonymizing these less identifying fields removes most of their analytic value and should therefore be accompanied by the introduction of new derived and less identifying forms, such as Year of Birth or a larger Postal Code region.
Data fields that are less identifying, such as Date of Attendance, are usually not pseudonymized. It is important to realize that this is because too much statistical utility is lost in doing so, not because the data cannot be identified. For example given prior knowledge of a few attendance dates it is easy to identify someone's data in a pseudonymized dataset by selecting only those people with that pattern of dates. This is an example of an Inference attack.
The weakness of pseudonymized data to Inference attacks is commonly overlooked. A famous example is the AOL search data scandal. This example illustrates that there is no way to universally protect pseudomymized data whilst allowing general analysis of it.
Protecting statistically useful pseudonymized data from re-identification requires:
- a sound Information security base
- controlling the risk that the analysts, researchers or other data workers cause a privacy breach
The pseudonym allows tracking back of data to its origins, which distinguishes pseudonymization from anonymization (comment: better distinction is given in ), where all person-related data that could allow backtracking has been purged. Pseudonymization is an issue in, for example, patient-related data that has to be passed on securely between clinical centers.
- http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.31.pdf Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology