Methods for quantitative data

When pseudonymizing research data, it is important to document what you are doing – for your own reference and for potential secondary users. Use a statistical tool that allows you to document your transformations using a script. 

You will likely have to experiment and refine your methods to find a solution that fits your needs. Therefore, you should always work on a copy of your data instead of on the original data to avoid any irreversible loss of important information. 

Always begin by identifying and addressing direct (e.g., names) and indirect identifiers (e.g., age, location) first. Prioritize the variables that most reduce the risk of re-identification.

By tabulating and visualizing combinations of variables, you gain an overview of the distribution of your observations. Identify outliers or unique observations that may increase the risk of re-identification. Assess whether these observations can be recoded (e.g., grouped into broader categories), or should be removed entirely. 

If your research data include free-text or other open-ended responses or comments, review them carefully. Free-text responses may contain directly or indirectly identifying information about the respondent or third parties. A good starting point is to mark potentially identifying information in [square brackets] to flag it for masking, recoding, or removal.

Apply the same pseudonymization strategy consistently across all datasets. Avoid making separate solutions for parts of the material, or for individual datasets in a series. Using different approaches within the same project may not only be confusing but could increase the risk of re-identification.

Review any documentation or other background material associated with your research data – such as sampling details, contact lists, or method descriptions – for identifying information. Ensure that the material does not contain any accessible code keys and that method descriptions and metadata do not contain details that could directly or indirectly identify a participant.

Verify that your protective measures effectively protect the participants’ identities. Test whether individuals can still be identified using reasonable effort and check whether there are any external data sources that could be used for re-identification.

Document how you have recoded or altered variables and information in the dataset. If you are using scripting software (see 1 above), the script itself can often serve as a codebook.

If you plan to make your data publicly available, carefully consider which personal data you need to collect. In most cases, personal data, even if indirectly identifying, cannot be shared openly, and research data – including personal data – may not be deleted unless a formal disposal decision has been made and the retention period has expired. (For more information, see the section on legal aspects.)

Sometimes it may be necessary for the research question to collect personal data; in other cases, it is not necessary. Remember that personal data include both directly identifying information and any information that can indirectly and together with additional data identify an individual. For example, if you do not plan to collect direct identifiers like names or personal ID number but want to collect age and income data, consider using ranges instead of exact values (e.g., age 18–29 or 30–39; income <£2,000, £2,001–3,000) to reduce the risk of re-identification.

You should always remove direct identifiers (such as names, personal ID numbers, and e-mail addresses) from datasets intended to be shared outside your organization. However, keep in mind that research data are considered official documents (allmän handling) and may not be deleted without a formal disposal decision and after a mandatory retention period (see the section on legal aspects). 

It is also crucial to review any free-text responses before sharing data, as these may contain direct identifiers. This type of information is sometimes supplemented in an appendix to the main data files, which can result in overlooking it. For example, participants may include their names, e-mail addresses, or phone numbers when they provide feedback on a survey or leave their contact information for further questions.

Another risk is forgetting to remove direct identifiers from documentation such as sampling procedures, survey drop-out analysis, or methodological descriptions.

One of the most common anonymization techniques is to recode variable values into broader categories or brackets. Through generalization and aggregation of specific variable values, you can significantly reduce the risk of re-identification. Typically, you begin with indirect identifiers such as age, income, occupation, or geographic variables such as town or municipality.

It may be difficult to aggregate extreme values or outliers (low or high) into the same categories as the rest of the data. In such cases, consider top- or bottom-coding – replacing extremes with threshold values (e.g., “65 and over” or “18 and under”).

How you recode background variables and indirect identifiers will depend on how the data will be used, what analyses you want to be able to make, and how openly you intend to share the data. It is helpful to follow established classifications and standards, such as those published by Statistics Sweden (SCB), to guide your recoding.

The standard technique for pseudonymizing free-text responses is to recode, remove, or replace identifiable information with pseudonyms or aliases. The same principles apply as with pseudonymizing qualitative data. This could involve names, phone numbers, addresses, places of residence, next of kin, or information about third parties that could, in combination with other data, be used to identify an individual person. Another option is to recode free-text responses into categories for frequency rates or statistical analysis.

Create a consistent coding scheme in advance before starting the data collection, especially if you will work with large datasets or projects with several researchers. If you recode free-text responses, make code instructions with clearly described categories and criteria.

If you replace information with pseudonyms or aliases, you can use [square brackets] to mark information that has been changed. Document all changes in a code book, so that you can more easily understand the pseudonymized material and remove all information that is not relevant to your research question.

K-anonymity is a statistical concept and technique used to assess how well you have pseudonymized tabular data in quantitative datasets. It measures how many individuals in the data who share the same combination of attributes, which is an indication of the risk that an individual can be re-identified in a dataset.

When you recode background variables by grouping individuals with similar background variables in the data into broader categories, you create “data twins” with the same attributes who become almost impossible to distinguish from the population. k-anonymity provides a measure of how many individuals in a group share the same attributes, or how many data twins there are in a dataset. For example, k=10 means that there are at least ten individuals with each combination of variables. A higher k value means that each set of attributes is shared by more persons, reducing the risk of distinguishing a single individual from the population.

How high the k value needs to be depends on what the dataset contains, how easy it can be linked to additional data sources, and how sensitive the information is. A higher k value signifies better protection, but it generally also means greater information loss. Remember that k-anonymity is only one of several methods for pseudonymizing data.

There are several digital tools for calculating k-anonymity; we have collected some of them under Tools. You can also calculate k-anonymity in a statistics program, for example R or Stata, as shown in the video below.

Noise addition involves introducing random variation into the dataset to make it more difficult to identify individuals. This can be done in several ways – for example, by randomly altering values for certain attributes or by swapping individuals within the dataset. The purpose is to obscure links between data points and specific individuals, thereby reducing the risk of re-identification.

Permutation is a type of noise addition where existing values in one variable are shuffled within the same dataset, rather than replaced with new random values. In a quantitative, tabular dataset, this means that values are shuffled and reassigned within a column. For this reason, permutation is often used when it is desirable to preserve the original distribution in a dataset. By swapping values within a variable (or column), the variable’s variation or distribution is preserved, but the correlation between variable and individual is broken. 

Permutation is best suited for variables that are not strongly correlated with others, to avoid excessive information loss. For example, if two attributes like income and occupation are strongly correlated and one of them needs to be pseudonymized, it may be better to choose another method instead.

Differential privacy is another noise addition method and is used to analyze the trade-off between privacy and information loss. The basic principle is the same: random variation is introduced into the dataset to prevent specific responses from being linked to individuals. The key difference lies in scale and application.  

A simplified analogy is flipping a coin. In a research context, differential privacy might mean that participants’ answers are randomly altered according to a known probability distribution (see the figure below). While this may seem counterintuitive, if the dataset is large enough, the added randomness evens out potential asymmetries in the distribution, and the data can still be used for analysis and realistic predictions even though the responses are randomly distributed.

Differential privacy is generally applied only to exceptionally large datasets (“big data”), where random noise has limited impact on results due to the high number of observations. The advantage with differential privacy is that, if the dataset is large enough, researchers can still perform meaningful analyses while maintaining a high level of privacy protection. However, this method is unsuitable for small datasets, where random changes can significantly distort the results.

You can learn more about how to apply differential privacy in practice with Python coding in the guide A differential privacy example for beginners: