Effective barriers and 'keys' to re-identification
Applying de-identification techniques to personal data does not in itself mean that the data has been anonymised, especially if such data can be readily converted back to personal data. If an organisation has access to other information that can re-identify the individuals (e.g. the organisation holds the “key” to re-identification), the dataset will not be treated as anonymised and will continue to be considered personal data.
PDPC recognises that anonymisation can be relevant to the safe use of data where effective barriers are established to prevent re-identification from the data, including restricting access by a group (or groups) of users within the organisation to information held by the organisation that could re-identify an individual.
Such effective barriers could mean that the 'keys' to re-identification be kept within the School's or Institute's research office, and separate from the research team in such a way that the research team will not have access to the 'keys' to re-identify the data.
Note: Datasets which has been anonymised are still considered personal data if a research team has access to the key/linkages to re-identify the data, unless it has been irreversibly-deidentified.