Checklist for anonymous processing
Requirements for processing to be considered anonymous
In order for a project or processing to be considered anonymous (the data protection regulations do not apply and you do not need consent from external parties or research subjects/data subjects), the data must remain anonymous throughout the entire processing, from collection to completion of processing both on paper and electronically.
General rule: It must not be possible to link the data to a group of five or fewer people in a selection/unit. A concrete assessment must also be conducted in each case.
Questions you should ask yourself when considering whether data is sufficiently anonymous
- What will the anonymous data be used for? Perhaps you will use the data in publishing, teaching or research? This will have an impact on the risk of re-identification. The risk of re-identification is greater in connection with online publishing than in the event of limited use (research and teaching). When publishing online, a risk assessment (sikresiden.no) should be carried out both before and after publication.
- What types of personal data should be anonymous? In the event of re-identification of an individual you believed to be anonymous, and the data is considered to be in a special category (sensitive personal data) and/or other confidential information, this could have major negative consequences for the individual in question.
- Who and how many people will have access to anonymous data? Should there be any access restrictions in place?
- How large is the anonymous dataset or selection/unit? It can be more challenging to make a smaller dataset, data from small units/selections (few people) sufficiently anonymous.
- Does the dataset contain information that external commercial parties or foreign powers would be particularly interested in and should it therefore be subject to additional safeguards for protection? In this case, the data should not be stored and analysed just anywhere.
- Have you refrained from asking for and recording directly identifiable personal data such as names, national identification numbers and photographs?
- Have you refrained from asking for and/or note down other identifiable personal data such as telephone numbers, postal addresses and email addresses? Keep in mind that such data, combined with other data, datasets or registers, can be used to identify an individual.
- Have you refrained from asking for and note down indirectly identifiable data (such as age, place of residence, institution, school, rare diagnosis, etc.)? Keep in mind that individuals with rare diagnoses that only a few people in the country have or someone with a professional title of, for example, priest in a small municipality with only a single priest may be identifiable. Roughly categorise and use the smallest amount of background data possible.
- Have you made sure that the data is sufficiently imprecise at time of collection that the data cannot be traced back to an individual (randomisation)? This means that the data is rendered inaccurate, but the overall distribution is retained. This approach is recommended in cases in which special categories (sensitive personal data) are processed and the potential for harm to the sample is great.
- What is shown in the video recording? If the video recording shows only a body part, such as a knee or an arm, then it will normally be considered anonymous. Exceptions are cases in which the body part has a tattoo or other distinctive characteristic.
- What does the photograph show? Is the picture of the individual so small and/or unclear that it is impossible to identify the individual?
Example: Extract from patient records.
Remember that extract of data from patient records that contain identifiable personal data, may constitute the processing of personal data. The data protection regulations apply in the event that the data extracted can be traced back to an individual in any way. The size of the selection and any additional information available will have an impact on the assessment.