Ways to anonymise or de-identify personal data
Personal data collected through research is classified as Confidential under NTU's Data Governance Policy. Such data must be properly secured and handled to prevent accidental leakages. [Refer to NTU's data handling guidelines here.]
To minimise such risks, personal data should be anonymised (or de-identified) whenever possible. Please refer to:
- PDPC's guide on basic anonymisation.
- NTU-Library's general guide on anonymisation.
- NTU-Library's guide for concealing identities within photos/ images/ video/ audio recordings.
Note: Datasets which has been anonymised are still considered personal data if a research team has access to the key/linkages to re-identify the data, unless it has been irreversibly-deidentified.
Effective Barriers and 'Keys' to re-identification
Applying de-identification techniques to personal data does not in itself mean that the data has been anonymised, especially if such data can be readily converted back to personal data. If an organisation has access to other information that can re-identify the individuals (e.g. the organisation holds the “key” to re-identification), the dataset will not be treated as anonymised and will continue to be considered personal data.
PDPC recognises that anonymisation can be relevant to the safe use of data where effective barriers are established to prevent re-identification from the data, including restricting access by a group (or groups) of users within the organisation to information held by the organisation that could re-identify an individual.
Such effective barriers could mean that the 'keys' to re-identification be kept within the School's or Institute's research office, and separate from the research team in such a way that the research team will not have access to the 'keys' to re-identify the data.