A hospital analytics team must share a large set of patient treatment records with an external university researcher. Under GDPR Recital 26, the data will fall outside the scope of data-protection law only when the data subjects are not identifiable by any means that are reasonably likely to be used. Which data-preparation strategy BEST achieves true anonymization before release?
Remove names and mask the last four digits of each Social Security number, but keep full postcode and exact date of birth for analysis.
Generalize quasi-identifiers (for example, turn exact birth dates into five-year age bands) and publish only aggregated records in which each row represents at least 50 patients, with no key linking back to individuals.
Replace every patient identifier with a random string and store the mapping table on a secure internal server.
Encrypt the entire data set with AES-256 and give the researcher only the ciphertext while the hospital retains the decryption key.
GDPR regards data as anonymous only when neither the controller nor any other party can single out, link to or infer the identity of an individual using means reasonably likely to be employed. The strategy that first generalizes indirect identifiers (such as converting exact dates of birth into five-year age bands) and then aggregates the records so that every published row summarises at least 50 patients, with no retained mapping key, removes both direct and indirect identifiers and eliminates the possibility of re-identification, satisfying the anonymization test in Recital 26. Replacing patient IDs with random tokens still allows re-identification through the lookup table, so it is merely pseudonymization. Encrypting the file is a security measure; because the controller holds the decryption key, the underlying personal data remain accessible and therefore subject to GDPR. Simply masking names and a portion of Social Security numbers leaves quasi-identifiers (full postcode plus exact date of birth) that can single out individuals, so the data are not anonymous.
CompTIA Data+ DA0-002 (V2)
Data Governance