Appropriate safeguards can protect the rights and freedoms of the individuals whose personal or special category data you are processing.
What is considered an appropriate safeguard?
This depends on the personal or special category data you are processing and what you have agreed with the participants you collected the data from. Appropriate safeguards could be:
1. Data minimisation
Only collect the personal or special category data that is necessary for the research.
2. Anonymisation
- Anonymisation involves removing personal identifying information to the extent that a motivated third party could not re-identify the individual either directly or indirectly.
- Anonymisation allows data to be shared whilst protecting the privacy of individuals.
- UK GDPR does not apply to personal data that has been anonymised.
- Be careful where datasets contain special category data or if datasets are large and have a wide range of personal data.
- Following anonymisation, if there remains a risk that participants could be re-identified, the data is still categorized as personal data under UK GDPR. In this case, data may be considered pseudonymised or partially deidentified.
- For qualitative data, it may be better to control access rather than over-anonymise.
- The UKDS have some helpful guides for anonymising qualitative and quantitative data.
- When using comments from social media platforms, you may need to anonymise data to minimise the risk of reverse-searching to identify the speaker.
3. Pseudonymisation
- Pseudonymisation is where you remove the identifying characteristics of an individual and replace them with something less identifiable (such as a reference number).
- Store the translation key in a separate, secure location in line with the risk level of the original data.
- Pseudonymisation reduces data protection risk, but it does not eliminate it.
- Pseudonymised data remains within the scope of UK GDPR.
- If your institution holds the key to re-identify individuals, then the data is classed as pseudonymised data.
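
The pseudonymisation steps above, sketched in Python as an added example (not part of the original guidance): identifiers are replaced with random reference numbers and the translation key is returned as a separate object so it can be stored apart from the research data. The field names, the `P-` reference format and the sample records are assumptions constructed for illustration.

```python
import secrets

# Constructed sample records (not real participants).
RECORDS = [
    {"name": "Alex Example", "email": "alex@example.org", "age": 34, "response": "Agree"},
    {"name": "Sam Sample", "email": "sam@example.org", "age": 51, "response": "Disagree"},
    {"name": "Alex Example", "email": "alex@example.org", "age": 34, "response": "Neutral"},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumption: fields that identify a person
RESEARCH_FIELDS = ("age", "response")   # assumption: the only fields the study needs


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS, keep=RESEARCH_FIELDS):
    """Return (research_rows, translation_key).

    research_rows carry a reference number in place of the identifiers and
    only the fields listed in `keep` (data minimisation).
    translation_key maps reference -> identifiers; store it separately.
    """
    ref_by_person = {}
    translation_key = {}
    research_rows = []
    for rec in records:
        person = tuple(rec[f] for f in identifiers)
        ref = ref_by_person.get(person)
        if ref is None:
            # Random reference rather than a hash of the identifiers:
            # a hash of a name or email can be recomputed from a guess.
            ref = "P-" + secrets.token_hex(8)
            while ref in translation_key:  # regenerate on the rare collision
                ref = "P-" + secrets.token_hex(8)
            ref_by_person[person] = ref
            translation_key[ref] = dict(zip(identifiers, person))
        research_rows.append({"ref": ref, **{f: rec[f] for f in keep}})
    return research_rows, translation_key


def reidentify(row, translation_key):
    """Look up the person behind a row; only possible with the key."""
    return translation_key[row["ref"]]


if __name__ == "__main__":
    rows, key = pseudonymise(RECORDS)
    for row in rows:
        print(row)  # shareable within the project; still personal data
    print(len(key), "entries in the translation key (store separately)")
```

Because `reidentify` works for anyone holding the key, the output rows are pseudonymised, not anonymised, and retained fields such as age can still contribute to indirect identification.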