If nothing else, GDPR is helping to broaden my vocabulary – and now that I’ve learnt what ‘pseudonymisation’ is, I wish I’d included it in our staff training!
Backtracking a little, our previous post was about staff training. We completed this at the start of term and have, of course, kept a register to make sure we have covered all staff. I’m pleased to say it was all quite straightforward and nothing came up that caused any surprises, although there was some interesting discussion about what constitutes a data breach.
Going through the presentation made me realise how many parallels there are with how we treat staff training for safeguarding, which always concludes here at Chase Bridge with ‘if in doubt record it and report it’. The same can be said in some respects of reporting any data breaches: ‘if in doubt, report it’. The other parallel is with the role of the DPO and Designated Safeguarding Officer – it’s important that everyone in the organisation knows who this is and what they do.
One aspect we missed out of the training was ‘pseudonymisation’. There are some technical definitions of this, but put simply it is where partial information is shared about individuals or groups. Schools and education services are used to doing this already, sometimes just giving a child’s initials in an email or leaving out other personal identifiers such as date of birth. ‘Anonymisation’ would mean that the recipient cannot find out who the message is referring to, whereas ‘pseudonymisation’ means that the receiver can identify the person in question. This is something I will be encouraging all staff to do in future (although most understand this already) – in most communications it is not necessary to give all identifying information, and doing so could increase the risk.
A. King