Anonymisation Plan Template

When you are planning to anonymise your research project it is a good practice that you document both the process and the techniques that you use for the anonymisation, along with a justification why these techniques are both necessary and suitable. This allows you to make a sensible trade-off between the information value of your research data and the privacy risks of your participants. Furthermore, good documentation increases the integrity of the research data, as this shows other researchers how the data has been modified to make it anonymous, and how these alterations might affect their re-use of the data. Lastly, good planning reduces the time and effort required for an effective anonymisation of the research data. 

One tool that can make the planning of your anonymisation strategy easier is an anonymisation plan. This plan allows you to describe all the privacy risks associated with your research project and the measures or techniques you will use to address them. The anonymisation plan not only makes it easier to prepare for the task of anonymising your dataset but can also serve as the basis on which you can document your dataset when you archive or publish the research data in a repository. Lastly, the anonymisation plan can also help you when you are meeting with university support staff, e.g. data stewards or privacy officers, to discuss the privacy risks and the steps you want to take to mitigate these. 

The anonymisation plan in this template covers a range of information about your research project:

• General information: here you can provide relevant information about the research project, including who is responsible for the anonymisation process, a short project summary and any external sources that might be linked to your dataset.
• Population and sampling: the extent to which a dataset is anonymous depends on the overall research population and the sample of the participants that is included in the dataset. Smaller populations, samples containing significant parts of the total population or populations that share a rare phenomenon are often more likely to be identifiable.
• Dataset age: older data tends to be more difficult to identify, especially when data has changed over time.
• Information value: anonymisation always affects the information value of a dataset and with that the usability for other researchers and the accuracy of the results. Anonymisation therefore requires a careful balancing act between the data you anonymise to protect the participants and the data that you preserve to answer your research questions.
• Identifiers in the dataset: here you can identify all direct, indirect and sensitive identifiers in the dataset, along with the decision whether to anonymise them, the technique necessary to do this, and the rationale why it is necessary and suitable to use this technique.
• Other identifiable information: even after all identifiers are anonymised there can still be remaining identifiable characteristics in the dataset, such as open-ended responses, combinations of information, information on third persons or risks that might only become apparent at a future date. These too must be addressed to ensure the anonymity of the dataset.

Besides a blank template with form fields and an editable template without form fields this publication also contains two examples of a completed anonymisation plan. One example is related to qualitative research, whereas the other is based on a quantitative study. While the template with form fields is locked in order to prevent editing by default, this lock can be removed without the need for any password. Both the template and the examples are created by the Radboud University Digital Competence Centre and based on examples that have been provided by the Finnish Social Science Data Archive under a CC-BY licence.