Deidentification
Definition
The process of removing or obscuring identifying information from data so that individuals cannot be readily identified. Deidentification techniques include removing direct identifiers (names, addresses, ID numbers), generalizing or suppressing indirect identifiers (making birthdates less specific, grouping zip codes), and applying statistical techniques to mask patterns. Unlike anonymization (which is irreversible), deidentification may be reversible under certain circumstances or with additional information. Privacy laws treat deidentified data differently than fully anonymized data—CCPA excludes deidentified information from coverage if organizations meet specific requirements, while GDPR's anonymized data falls outside the regulation entirely. For deidentified data, organizations should implement technical safeguards preventing re-identification, maintain organizational controls limiting access, contractually prohibit re-identification attempts, regularly assess re-identification risks, and document deidentification methods and safeguards. Proper deidentification enables valuable data use while protecting privacy.
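The removal, generalization and re-identification risk assessment steps described above, as an added example that is not part of the original page. It uses k-anonymity (the size of the smallest group of records sharing the same indirect identifiers) as one assumed risk measure; the field names, sample records and the threshold of 2 are constructed for illustration.

```python
from collections import Counter

# Constructed sample records; every value is fictional.
RECORDS = [
    {"name": "Ana Ruiz", "ssn": "000-00-0001", "birthdate": "1984-03-12", "zip": "94110", "diagnosis": "asthma"},
    {"name": "Ben Cho", "ssn": "000-00-0002", "birthdate": "1984-07-30", "zip": "94112", "diagnosis": "diabetes"},
    {"name": "Cy Watts", "ssn": "000-00-0003", "birthdate": "1984-11-02", "zip": "94117", "diagnosis": "asthma"},
    {"name": "Di Okoye", "ssn": "000-00-0004", "birthdate": "1990-01-19", "zip": "10001", "diagnosis": "migraine"},
    {"name": "Ed Novak", "ssn": "000-00-0005", "birthdate": "1990-09-05", "zip": "10003", "diagnosis": "asthma"},
    {"name": "Flo Berg", "ssn": "000-00-0006", "birthdate": "1957-06-21", "zip": "60614", "diagnosis": "gout"},
]

DIRECT_IDENTIFIERS = {"name", "ssn"}         # removed outright
QUASI_IDENTIFIERS = ("birth_year", "zip3")   # indirect identifiers after generalization


def deidentify(record):
    """Drop direct identifiers and generalize birthdate and ZIP code."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("birthdate")[:4]   # full date -> year only
    out["zip3"] = out.pop("zip")[:3]               # 5-digit ZIP -> 3-digit group
    return out


def quasi_key(row):
    """Combination of indirect identifiers that could single a person out."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def k_anonymity(rows):
    """Size of the smallest group sharing one quasi-identifier combination."""
    groups = Counter(quasi_key(r) for r in rows)
    return min(groups.values()) if groups else 0


def suppress_small_groups(rows, k):
    """Withhold rows whose quasi-identifier group has fewer than k members."""
    groups = Counter(quasi_key(r) for r in rows)
    return [r for r in rows if groups[quasi_key(r)] >= k]


if __name__ == "__main__":
    rows = [deidentify(r) for r in RECORDS]
    print("k before suppression:", k_anonymity(rows))
    released = suppress_small_groups(rows, k=2)
    print("k after suppression:", k_anonymity(released), "rows released:", len(released))
```

A group of size 1 means that record is still unique on birth year and ZIP prefix even with the name and ID number removed, so the risk check has to run on the generalized output rather than on the list of fields that were dropped.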
Applicable Laws & Regulations
- CCPA Section 1798.145(a)(5) - Deidentified information exclusion
- HIPAA Privacy Rule 45 CFR §164.514(b) - De-identification standard
- GDPR Recital 26 - Data not allowing identification