In March 2025, the UK’s Information Commissioner’s Office (ICO) released new comprehensive guidance on anonymisation and pseudonymisation. Building on earlier consultations, this guidance complements the ICO’s data sharing code of practice by providing practical advice on how to use anonymisation and pseudonymisation techniques effectively.
The ICO highlights that while sharing personal data can bring major benefits to organisations, it also carries significant risks.
Anonymisation provides a privacy-friendly solution by allowing organisations to share and use data without identifying individuals.
On the other hand, we have pseudonymisation, that is also an important technique that reduces risks by separating identifiable information from other data.
In this blog, we will explore the ICO’s guidance and how it can help organisations anonymise and/or pseudonymise personal data for various purposes.
Anonymisation
What is anonymisation?
Anonymisation is the process of turning personal data into information that no longer identifies individuals.
Under the UK GDPR, personal data means any information that could directly or indirectly identify a person – things like a name, ID number, location or an online identifier.
In its Recital 26, UK GDPR states that anonymous information is anything that cannot be linked back to the person, either directly or indirectly.
Is anonymised data personal data?
Once personal data is anonymised properly, the information falls outside the scope of the UK data protection laws.
However, it is really important to understand that while fully anonymised data is no longer personal data, the process of anonymising it is still considered processing of personal data. That means organisations must follow data protection rules while they are carrying out anonymisation – like having a lawful basis to process such data, clearly explaining why it is being processed and informing relevant data subjects about it.
There is a risk that an organisation mistakenly believes it has successfully anonymised personal data, when in reality, someone could still piece together who the information is about. In general terms, the legal test is: if you or someone else could reasonably re-identify a person using additional information that you hold, then the data is not anonymised. In that case, it is still personal data and falls under the UK GDPR.
When should organisations consider anonymisation?
Organisations should consider anonymisation when personal data is not necessary to achieve their objectives as it reduces legal risks and makes data safer to share – whether with organisation or even the public – and allows for greater flexibility in how the information can be used and distributed.
Effective anonymisation process
The purpose of anonymising personal data is to reduce the chances that a person will be identified based on the information.
The ICO sets a high standard: anonymisation must reduce identification risk to a sufficiently remote level. What is considered sufficiently remote will depend on individual circumstances. The ICO suggests taking into account the concept of identifiability (discussed below) when assessing whether someone could be identified from the information.
As a result of an effective anonymisation process, the organisation should be able to demonstrate that disclosing or sharing anonymous information will not lead to an inappropriate disclosure of personal data.
The concept of identifiability
The concept of identifiability is broad and it is important to remember that a person can be identified by more than just their name. Factors such as an ID number, location data or even an online username can all be sufficient to identify someone, either on their own or when combined with other information.
To help organisations check if their anonymised data is truly anonymised, the ICO suggests using the ‘motivated intruder’ test.
A motivated intruder is ‘someone who wishes to identify a person from the anonymous information that is derived from their personal information’. This test shows that if the motivated intruder could succeed in identifying the individual, then the data is not properly anonymised.
The ICO also highlights two important indicators to look out for in order to determine whether information is or is not personal data: singling out and linkability.
What is singling out?
Singling out happens when it is possible to pick out a person from a dataset, even without using their name. For example, if a company shares a report showing how much each team earned and one team only has one member, it would be obvious who that person is. Even without using their name, they could still be identified, meaning the data would has not been truly properly anonymised.
What is linkability?
Linkability is a little trickier. It is when someone cannot identify a person from just one set of information, but by linking it with other data (another database or even public records) they can figure out who that person is.
For instance, imagine your organisation holds some anonymous survey results. On their own, they do not reveal identities. However, if you combine them with other details, such as social media profiles or public registers, it might be possible to piece together who answered what. In that case, the data is not truly anonymised – it is still personal data.
Anonymisation techniques
When organisations want to anonymise personal data, there are two main anonymisation techniques that are often used – generalisation and randomisation. They both protect individuals’ identities but work slightly different ways. Choosing the right technique depends on the type of data, how it will be used and what level of protection is needed.
Generalisation reduces the level of detail in the data, making it less precise. Instead of showing specific information that could identify a person, the data is grouped into broader categories. This makes it harder to single someone out because the information now relates to a group of people. For example, instead of showing someone’s exact age, the data might show an age rage, e.g. 20-30 years old.
Randomisation on the other hand involves altering the data so that it cannot be easily linked to an individual. This is done by adding random noise or modifying the values. However, randomisation aims to maintain overall patterns and statistical usefulness of the data. For instance, when publishing survey results, researchers might adjust participants’ ages or incomes to ensure no single respondent can be identified but research still remain valid.
Pseudonymisation
The ICO dedicates a substantial section to pseudonymisation. It is important not to confuse anonymisation with pseudonymisation. They are not the same. Put simply, pseudonymisation hides a person’s identity by replacing their details with something else (like a code) but the link to their identity still exists within the organisation and can be restored. Therefore, both sets of data are personal data as the organisation has the means to re-identify the pseudonymised data set. Anonymisation, on the other hand, “prevents there being a link between the information and the person concerned”.
According to Article 4(5) of the UK GDPR, the pseudonymisation is: “…processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
This means that by pseudonymising personal data, we are separating information that identify a person and storing it separately, basically turning one input (personal data) into two outputs (pseudonymised data and the additional information). These two outputs are stored separately as together they form the original personal data.
As opposed to anonymised data, pseudonymised data is still considered personal data if someone holds both pseudonymised data and additional information. Recital 26 of the UK GDRP states that ‘personal data which has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person’.
If pseudonymised data is shared with another organisation without additional information, it could be anonymous information. This is because the third-party organisation would not have the means to re-identify it. However, the third party would still have to consider the above points on anonymisation.
So why do organisations use pseudonymisation? It is because pseudonymisation can reduce the risk of harm to people that may arise from personal data breach.
Pseudonymisation techniques
There are three common ways to pseudonymise personal data:
Hashing is a way to protect personal data by turning it into a code (called a hash), making it difficult to trace the data back to an individual. It is one-way process, which means it cannot easily be turned back into the original information. To make it even more secure, random data (called a salt or pepper) could be added before hashing.
Encryption is a way of ‘locking’ personal data so it can only be unlocked with a special key. There are two types: symmetric encryption, where a single key is used to encrypt and decrypt the data or asymmetric encryption where different keys (public key and private key) are used. The public key can be shared widely but only the private key kept in secret can decrypt the data. This means that anyone holding the public key can encrypt the data but only the holder of the private key can decrypt it.
Tokenisation is a way of protecting personal data by replacing original information (like a name) with a randomly generated code called a token. The link between the token and the original information is kept separately and securely, so even if someone sees the token, they cannot figure out who it belongs to.
Governance and accountability in anonymisation process
When anonymising personal data, the UK GDPR’s accountability principle requires organisations to plan and manage how anonymised information is created and shared. An organisation’s governance approach should cover areas such as planning for anonymisation, who is responsible for the anonymisation process, identifying and managing risks, completing a data protection impact assessment and setting out reasons for anonymisation. All major decisions and rationale behind anonymisation methods must be documented as part of accountability obligations.
The ICO is less likely to carry out an enforcement action (including monetary penalties) if the organisation can demonstrate that it made serious effort to comply with data protection law and had a genuine reason to believe that the information was not personal data by showing that identifiability risk was sufficiently remote.
Conclusion
The ICO’s Guidance emphasises the importance of using anonymisation and pseudonymisation techniques effectively. By following the Guidance, organisations can reduce privacy risks while still getting benefits of using valuable information.
If your organisation handles personal data and you are (or thinking about) anonymisation or pseudonymisation but want to do thing right, please get in touch with our data protection team here who would be happy to assist.
