From Wikipedia, the free encyclopedia

Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use. Data in this form is suitable for extensive analytics and processing.

The choice of which data fields are to be pseudonymized is partly subjective, but should include all fields that are highly selective, for example the NHS number (in the UK). Less selective fields, such as Birth Date or Postal Code, are often also included because they are usually available from other sources and therefore make a record easier to identify. Pseudonymizing these less identifying fields removes most of their analytic value and should therefore be accompanied by the introduction of new derived and less identifying forms, such as Year of Birth or a larger Postal Code region.

Data fields that are less identifying, such as Date of Attendance, are usually not pseudonymized. It is important to realize that this is because too much statistical utility is lost in doing so, not because the data cannot be identified. For example, given prior knowledge of a few attendance dates it is easy to identify someone's data in a pseudonymized dataset by selecting only those people with that pattern of dates. This is an example of an Inference attack.
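As an added illustration (not part of the original article), the following Python example pseudonymizes constructed records in the way described above, then measures how many pseudonyms are singled out by two known attendance dates. The HMAC-based pseudonym, the key, the use of the first half of the postal code as the "larger region", and all function names and records are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from itertools import combinations

KEY = b"constructed-demo-key"  # assumption: secret kept apart from the analysts

# Constructed records: (NHS number, Birth Date, Postal Code, Date of Attendance)
RECORDS = [
    ("9000000001", "1980-03-14", "AB1 2CD", "2015-01-05"),
    ("9000000001", "1980-03-14", "AB1 2CD", "2015-02-10"),
    ("9000000001", "1980-03-14", "AB1 2CD", "2015-03-20"),
    ("9000000002", "1975-11-02", "AB1 3EF", "2015-01-05"),
    ("9000000002", "1975-11-02", "AB1 3EF", "2015-02-10"),
    ("9000000003", "1980-07-30", "AB2 4GH", "2015-01-05"),
    ("9000000003", "1980-07-30", "AB2 4GH", "2015-04-01"),
    ("9000000004", "1962-01-19", "AB2 5JK", "2015-01-05"),
]

def pseudonym(nhs_number):
    """Keyed pseudonym: the same person always maps to the same value."""
    return hmac.new(KEY, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(record):
    """Replace the selective field, derive coarser forms, keep the attendance date."""
    nhs, birth_date, postal_code, attended = record
    return {"pid": pseudonym(nhs), "birth_year": birth_date[:4],
            "postal_region": postal_code.split()[0], "attended": attended}

def patterns(rows):
    """Attendance dates grouped by pseudonym."""
    by_pid = defaultdict(set)
    for row in rows:
        by_pid[row["pid"]].add(row["attended"])
    return by_pid

def candidates(rows, known_dates):
    """Pseudonyms whose attendance dates include every date in known_dates."""
    return sorted(p for p, d in patterns(rows).items() if set(known_dates) <= d)

def singled_out(rows, n_known=2):
    """Pseudonyms for which some n_known of their own dates match no other pseudonym."""
    by_pid = patterns(rows)
    return {pid for pid, dates in by_pid.items()
            if any(sum(set(c) <= d for d in by_pid.values()) == 1
                   for c in combinations(sorted(dates), n_known))}

ROWS = [pseudonymize(r) for r in RECORDS]
print(f"{len(singled_out(ROWS))} of {len(patterns(ROWS))} pseudonyms singled out by two dates")
```

Running such a check before release shows how much re-identification risk remains in the untouched attendance dates, even though every directly identifying field has been replaced or generalized.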

The weakness of pseudonymized data to Inference attacks is commonly overlooked. A famous example is the AOL search data scandal. This example illustrates that there is no way to universally protect pseudonymized data whilst allowing general analysis of it.

Protecting statistically useful pseudonymized data from re-identification requires:

  1. a sound Information security base
  2. controlling the risk that the analysts, researchers or other data workers cause a privacy breach

The pseudonym allows tracking back of data to its origins, which distinguishes pseudonymization from anonymization (a better distinction is given in [1]), where all person-related data that could allow backtracking has been purged. Pseudonymization is an issue in, for example, patient-related data that has to be passed on securely between clinical centers.

The application of pseudonymization to e-health intends to preserve the patient's privacy and data confidentiality. It allows primary use of medical records by authorized health care providers and privacy preserving secondary use by researchers.[2] However, plain pseudonymization for privacy preservation often reaches its limits when genetic data are involved. Due to the identifying nature of genetic data, depersonalization is often not sufficient to hide the corresponding person. Potential solutions are the combination of pseudonymization with fragmentation and encryption.[3]

One application of the pseudonymization procedure is the creation of datasets for de-identification research by replacing identifying words with words from the same category (e.g. replacing a name with a random name from the names dictionary).[4][5][6] In this case, however, it is in general not possible to track data back to its origins.

  1. Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology
  2. Neubauer T, Heurix J. A methodology for the pseudonymization of medical data. Int J Med Inform. 2011 Mar;80(3):190-204. doi:10.1016/j.ijmedinf.2010.10.016. PMID 21075676.
  3. Privacy-Preserving Storage and Access of Medical Data through Pseudonymization and Encryption
  4. Neamatullah, Ishna; Douglass, Margaret M; Li-wei; Lehman, H; Reisner, Andrew; Villarroe, Mauricio; Long, William J; Szolovits, Peter; Moody, George B; Mark, Roger G; Clifford, Gari D (2008). "Automated de-identification of free-text medical records". BMC Medical Informatics and Decision Making. 8: 32. doi:10.1186/1472-6947-8-32.
  5. org/physiotools/deid/doc/ishna-meng-thesis.pdf
  6. Deleger, L; et al. (2014). "Preparing an annotated gold standard corpus to share with extramural investigators for de-identification research". J Biomed Inform. 50: 173–183. doi:10.1016/j.jbi.2014.01.014.
