Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Accept all cookies Reject all non-essential cookies Find out more

Psuedonymisation/Anonymisation

What constitutes pseudonymous or anonymous data, and how you can modify data to achieve these states.

Introd​​uction

To ensure compliance with ethics requirements and data protection legislation, WIN requires that all human scan data be pseudonymised (see below), in which the association between a subject's personal details and their data remains possible by virtue of a separately stored association record. Where data must contain personal information (e.g. these mapping records or subject contact details) this data must be encrypted (a topic covered in the Data Encryption user guide). If your research does not require this association and it is technically possible to do so consider total anonymisation of your dataset as the regulations around storage and sharing of such data are much simpler.

Details on how individual files may be processed to achieve pseud|anonymisation please see our data redaction page.

Anonymisation​​​

​Anonymised data cannot be associated with a living individual by any means. This is typically possible for derived data, e.g. summary statistics or where the dataset contains many subjects and the association table between subject and data set is destroyed. Structural MRI scans are unlikely to be anonymisable without significant manipulation so at this time should always be treated as pseudonymised.

Pseudon​​​ymisation

​Pseudonymisation is the replacement/removal of personal data but assigning a subject specific identifier to the dataset. The data can be re-associated with a living individual either through the use of a 'look up' or mapping table or by combining information in the dataset, e.g. is a right-handed, male, twin born in 1968 living in Cowley who visited the Centre on the 1st of June 2020. In law, pseudonumised data is to be treated as though it is personal (or personal sensitive) data. If there is a legal separation between the controller (creator) of the data and the processor then it may be possible to attest that the data is anonymous when provided to the processor. For transfer between Oxford University departments this can never be the case.

In the case of brain volumes, consideration must be given to the presence of facial and aural features in any structural scans due to the possibility of re-identification of the subject by facial comparisons.

WIN Centre Raw MRI Data​​ 

Sie​​mens 3 & 7T (FMRIB & OHBA)

Data collected on the Siemens 3Ts and 7T housed at FMRIB and OHBA is automatically pseudonymised at source - scans are given names of the form F3T_PROJECTCODE_serialnumber or W3T_PROJECTCODE_serialnumber eg, F3T_2010_07_001. You can identify the person scanned under this session by visiting the Calpendo booking service​ web interface, visiting the 'Projects > My Scans' interface, locating the scan and hovering over the grey/green person icon (where you can request the data be copied to your folder in /vols/Data/MRdata).

DICOM data collected from the elsewhere (for example OCMR) may contain sensitive information (subject name, age etc), you should take steps to ensure that any such data you store is stripped of this information. If you use the FSL utility load_dicom then the resulting NIFTI file will be suitably sanitised - you MUST choose a unique non-obvious name/serial number for the resulting NIFTI file and record this, along with the subject identification in a secure location. This program takes steps to try to recognise people's names/initials in the output file name, attempting to prevent this, however it is far from fool proof, and indeed offers an option to disable this functionality if it is blocking a file name you consider appropriate. If you then record the subject name alongside the scan number then this must be treated as sensitive data and be securely stored.

Subject Initials

Even once the personal data has been removed from the image files, it is essential that the psuedonymisation is preserved by not placing image files in directories labelled with subjects names or even initials or other directly identifying data (e.g. NHS number). Any data where subjects are identified by their names or initials should be treated as 'personal data' and encrypted or otherwise securely stored. This also applies to the saving and presentation of results, for example in graphs or PowerPoint slides.

If you already have extensive collections of data sets/results containing subject names/initials then please contact us for advice on what steps would be appropriate.

WIN Centre MEG Data

​MEG data is inherently less identifiable than MRI structural data so providing it is kept separate from any lookup data and named in a randomised fashion it is less sensitive, although pseudonymisation regulations remain.

FMRIB Legacy Varia​​n 3T Data

Legacy data collected on the Varian 3T was automatically pseudonymised at source - scans being stored in folders named with a 6 digit code, followed by the date of the scan, e.g. 001234_2008_01_01. Records of the subject name alongside the scan number must be treated as personal data and be securely stored.

References:

DICOM Standard - Anonymisation​