Contents

Summary

Data anonymisation, pseudonymisation, and obfuscation are all techniques used to protect sensitive data, also known as data masking.

Categories

The categories applicable to this standard are:

Information and Data Management
  • Data Protection
  • Data Lifecycle
  • Data Governance

Purpose

Data anonymisation, pseudonymisation and obfuscation are techniques used to protect personal and sensitive information by erasing or encrypting identifiers that connect data to an individual.

Data anonymisation removes identifiable information entirely, making it impossible to derive insights about the individuals to whom the data belongs. 

Pseudonymisation replaces private identifiers of data with artificial identifiers or pseudonyms. While it can provide a degree of anonymity, it’s reversible if the original data is obtained.

Data obfuscation replaces sensitive data with fictional yet realistic data, rendering the data useless to malicious actors while still useful for testing or development.

How to meet this standard

What you need to ensure to be compliant

  1. You have applied relevant masking to all your data.
  2. You have reviewed previously applied techniques to validate they are still appropriate.
  3. Compliance target: Annual review of data masking completed.

What all DfE staff, including consultants, contractors and third-party suppliers must do

  1. Ensure personal data has an appropriate masking technique applied.
  2. Ensure the quality of data is evaluated and understand, post application of any technique.
  3. Evaluate and understand the likelihood of re-identification post application of any technique.
  4. Carry out a motivated intruder test on all data being shared or leaving the department.
  5. Review existing techniques at least annually to see if they are still robust and relevant or when:
    1. The dataset specification is changed.
    2. The dataset is merged or refreshed.
    3. There is a change in the use of the data set.
    4. There is a change in regulation specific to the dataset.

The accountability to ensure a dataset remains anonymised, pseudonymised or obfuscated effectively sits with the Information Asset and / or Data Owner.

Declaring conformance with this standard

Conformance with the standard must be recorded every 12 months.

Owner and contacts

Standard owner
Saheel Sankriwala
Chief Technology and Data Officer
Other point of contact
DDT Standards
Team