Anonymisation checklist

Before anonymising, you need to make sure that you are permitted to retain the data in anonymised form. If you have promised data subjects that you will delete the data or if the owner of the data, e.g. Statistics Norway, requires the deletion of data upon project completion/completion of processing, you will not be able to anonymise the data. Such data needs to be deleted.

In case of anonymisation, you need to consider which data you need to delete or reword in order to ensure that it is not possible to link the data to an individual, now or in the future (this includes considering technological developments in the event that processing is performed electronically).

General rule: It should not be possible to link data to a group of five or fewer people in a selection/unit. A concrete assessment should also be conducted in each case.

See web page on anonymised data versus de-identified data.

1. What is the purpose of the anonymisation? The purpose could relate to publication, research or teaching. This will have an impact on the risk of re-identification. The risk of re-identification is greater in connection with online publishing than in the event of limited use (research and teaching). When publishing online, a risk assessment (sikresiden.no) should be carried out both before and after publication.
2. What types of personal data will be anonymised? The re-identification of an individual for which special categories (sensitive personal data) and/or other confidential information have been anonymised could have major negative consequences for the individual in question.
3. Who and how many people will require access to the anonymised data? Should there be any access restrictions in place?
4. How large is the anonymised dataset? It can be more difficult to anonymise smaller datasets (few data subjects).
5. Does the dataset contain information that external commercial parties or foreign powers would be particularly interested in and should it therefore be subject to additional safeguards for protection? In this case, the data should not be stored and analysed just anywhere.
6. Have you deleted all directly identifiable personal data, such as names, personal identification numbers and photographs?
7. Have you deleted other identifiable personal data, such as telephone numbers, email addresses, IP addresses, code keys or reference numbers? Keep in mind that such data, combined with other data, datasets or registers, can be used to identify individuals.
8. Have you deleted or reworked any indirectly identifiable data (e.g. through rough categorisation of variables such as age, place of residence, institution, school, etc.)? Keep in mind that individuals with rare diagnoses that only a few people in the country have or someone with a professional title of, for example, priest in a small municipality with only a single priest may be identifiable.
9. Have you made sure that the data is sufficiently imprecise that it can no longer be traced back to an individual (randomisation)? This means that the data is rendered inaccurate, but the overall distribution is retained. This approach is recommended in cases in which special categories (sensitive personal data) are processed and the potential for harm to the sample is great.
10. Have you deleted (or edited/redacted) audio recordings, photographs and video recordings? Remember that future technological developments may be used to re-identify past voice distortion. If only one body part is visible in a video recording, the recording will generally be considered to be anonymous. Exceptions are cases in which the body part has a tattoo or other distinctive characteristic.

• Registry data (Microdata)
• Checklist for anonymous processing