Anonymous, anonymised or de-identified data

Anonymous or anonymised data is information that in no way can identify individuals in a data material, neither directly through name, social security number or other personal characteristics, indirectly through background variables such as gender, age, place of residence, diagnosis and occupation or through name lists/scrambling key, encryption formula and code or IP address. 

Anonymous data 

On Data Protection Services (Sikt)`s website (sikt.no), you can read about how you can carry out projects without registering personal data.

If a project or processing is to be considered anonymous (the privacy regulations do not apply and you do not need permission from external or the research participant/the registered), the information must be anonymous throughout the processing process from collection to completed processing, both on paper and electronically.

• Checklist for anonymous processing 

• E-learning "Do you actually need personal data" (sikresiden.no)

• New criteria for anonymous health information (helsedirektoratet.no) (in Norwegian) 

Nettskjema (uio.no) can be used for anonymous surveys. Check this website for measures to ensure anonymity (uio.no) (in Norwegian) and this website about electronic tracks (uio.no) (in Norwegian). 

Anonymised data

You must be aware that: 

• The information itself may be sufficient to identify the individual participant. In that case, the personal data will not be considered sufficiently anonymised. You must make a concrete assessment in each individual case. A rule of thumb is that the information cannot be linked to a group of 5 people or fewer. 

• A compilation of different databases can de-anonymise personal data in such a way that research participants are identified. 

• You must consider that future technical developments may identify information that was previously considered anonymous; e.g., distortion of voice on audio recordings. 

If the data is completely anonymised, the privacy legislation does not apply, and you do not need to apply for permission from an external body or ask for new consent from the registered person.

See our checklist for anonymisation

De-identified data is personal data where the name, national ID number and other directly personal identifiers have been removed and replaced by a connection key/list of codes, so that the information cannot be immediately linked to a single person. However, the use of a connection key will make it possible to reveal the research participant's identity. It is therefore important that connection keys/lists of codes are stored separately from the personal data, locked down or secured in a proper manner. 

Note that the number of background variables (e.g., gender, age, place of residence, occupation, diagnosis, etc.) and type of background variables (e.g., rare diagnoses or a profession few people have within a geographically limited area) can mean that the information must be considered de-identified, even if any connection key is destroyed. 

As it is possible to reveal the participant's identity, the privacy legislation applies, and you must have the processing registered/assessed or approved by OsloMet/Data Protection Services for research (Sikt) and/or by an external body. 

There may be instances where it is uncertain whether research data is sufficiently anonymised, for example in small sample sizes; i.e. research on very rare diagnoses or a research project with few research subjects within a limited geographical area. When in doubt, you should check with the Data Protection Services (Sikt) or privacy contact FoU at your faculty or center. The Data Protection Services for research (Sikt) also has a test (meldeskjema.sikt.no) you can take.