Anonymisation and Pseudonymisation: Are They The Same?

When organisations in New Zealand talk about personal information, two words often surface: anonymisation and pseudonymisation. They are often used interchangeably but the difference between them is more than semantics. It defines whether the Privacy Act 2020 applies and how much risk individuals are exposed to.

The Irish Data Protection Commission’s 2022 guidance on anonymisation and pseudonymisation is one of the clearest global explanations of these terms. Even though it is rooted in the GDPR context, the concepts translate directly for New Zealand.

So what’s the difference? Pseudonymisation is a technique that masks identifiers, such as names, IDs, addresses, by replacing them with codes or tokens. It makes it harder to immediately connect data to a person, but not impossible. The link still exists somewhere, often in the form of a key. That means pseudonymised data is still personal information, and the Privacy Act continues to apply. It’s useful when you need to track individuals over time, for example in research or audits, but it comes with obligations associated with being personal information.

Anonymisation, on the other hand, aims to remove those links entirely. Properly anonymised data is no longer considered “personal information” because it is not reasonably possible to re-identify the individuals it relates to. It falls outside the scope of the Privacy Act. Anonymisation is only as strong as your confidence that nobody can stitch the puzzle back together. As the Privacy Commissioner has warned, agencies must take great care before claiming data is truly anonymised.

This is where the New Zealand Government Chief Digital Officer’s (GCDO) guidance on making personal information safe for reuse becomes particularly relevant. GCDO sets out practical advice on how to de-identify and aggregate data. The emphasis is on recognising that these techniques exist along a continuum of risk rather than as binary states. The more useful the data, the higher the re-identification risk; the safer the data, the less detailed it often becomes.

And then there’s the vendor angle. It’s increasingly common to see contracts that include a clause allowing providers to use your organisation’s data once it has been “anonymised.” But how confident are you that it is truly anonymous and not just pseudonymous? If the link back to individuals still exists, even in another system, then your data remains personal information, and the obligations remain yours.

At its heart, this is less about technical definitions and more about trust, accountability, and maturity.