Words matter: Using the Framework Method to analyse the definitions of ‘anonymise’, ‘pseudonymise’, ‘de-identify’, and ‘not de-identified’
Article Sidebar
Main Article Content
Abstract
A significant number of students handle personal information (PI) during work-integrated learning and supervised research, requiring compliance with both South African (SA) law and internationally derived research ethics instruments. Where these instruments use different terminology, students face barriers to understanding, reflecting not only linguistic differences but materially distinct legal standards and regulatory consequences.
Using the Framework Method across seven analytical dimensions, this study examined the conceptual equivalence of key PI protection terms across four sources: the Oxford English Dictionary, the European Union General Data Protection Regulation (GDPR), the Council for the International Organizations of Medical Sciences (CIOMS) ethical guidelines for human research, and SA’s Protection of Personal Information Act 4 of 2013 (POPIA).
Three findings emerged. First, GDPR’s ‘anonymisation’ and POPIA’s ‘de-identification’, although similar in stated purpose, apply different threshold tests: GDPR uses a probability test (whether re-identification is reasonably likely), while POPIA applies a capacity test (whether re-identification is possible by any reasonably foreseeable method). A data set compliant under GDPR may therefore not satisfy POPIA. Second, the instruments diverge on regulatory scope: GDPR treats anonymisation as an exit from regulation, whereas POPIA imposes ongoing obligations on de-identified data, including an explicit re-identification prohibition absent from GDPR. Third, CIOMS and POPIA are more conceptually compatible with each other than either is with GDPR, yet CIOMS employs GDPR-tradition terminology, creating misleading signals of equivalence for SA students.
These divergences reflect fundamentally different conceptions of PI and the rationale for its protection. Students, educators and institutional governance structures must address these distinctions explicitly, rather than assuming terminological equivalence across instruments.
Article Details
Issue
Section
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
The SAJBL is published under an Attribution-Non Commercial International Creative Commons Attribution (CC-BY-NC 4.0) License. Under this license, authors agree to make articles available to users, without permission or fees, for any lawful, non-commercial purpose. Users may read, copy, or re-use published content as long as the author and original place of publication are properly cited.
Exceptions to this license model is allowed for UKRI and research funded by organisations requiring that research be published open-access without embargo, under a CC-BY licence. As per the journals archiving policy, authors are permitted to self-archive the author-accepted manuscript (AAM) in a repository.
How to Cite
References
1. Marine Board of Investigation. CG115 interview Deep Sea Explorer redacted. Washington, DC, September 2025. https://media.defense.gov/2025/ Sep/17/2003800984/-1/-1/0/CG-115_INTERVIEW-DEEP-SEA-EXPLORER_ REDACTED.PDF (accessed 20 October 2025).
2. European Parliament, European Council. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1. 2016. https://gdpr-info.eu/ (accessed 16 September 2025).
3. South Africa. Protection of Personal Information Act 4 of 2013. https://www.gov.za/ documents/protection-personal-information-act (accessed 16 September 2025). 4. South African Law Reform Commission. Project 124 – privacy and data protection
report. 2009. https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20
and%20data%20protection2009.pdf (accessed 16 September 2025).
5. Council for the International Organizations of Medical Sciences (CIOMS). International ethical guidelines for health-related research involving humans. Geneva: CIOMS, 2016. https://cioms.ch/wp-content/uploads/2017/01/WEB-
CIOMS-EthicalGuidelines.pdf (accessed 5 August 2025).
6. World Medical Association. WMA Declaration of Helsinki – Ethical Principles for
Medical Research Involving Human Participants. 19 October 2024. https://www.
wma.net/policies-post/wma-declaration-of-helsinki/ (accessed 27 February 2026). 7. Edgcumbe A, Botes M, Donnelly DL, Townsend B, Shachar C, Thaldar D. ‘Potato potahto’? Disentangling de-identification, anonymisation, and pseudonymisation for health research in Africa. J Law Biosci 2025;12(1):lsae029. https://doi.
org/10.1093/jlb/lsae029
8. Kushida CA, Nichols DA, Jadrnicek R, Miller R, Walsh JK, Griffin K. Strategies for de-identification and anonymization of electronic health record data for use in multicenter research studies. Med Care 2012;50(Suppl 1):S82-S101. https://doi. org/10.1097/MLR.0B013E3182585355
9. Chevrier R, Foufi V, Gaudet-Blavignac C, Robert A, Lovis C. Use and understanding of anonymization and de-identification in the biomedical literature: Scoping review. J Med Internet Res 2019;21(5):e13484. https://doi.org/10.2196/13484
10. Swales L. The Protection of Personal Information Act and data de-identification. S Afr J Sci 2021;117(7/8). https://doi.org/10.17159/SAJS.2021/10808
11. Wallace SE. What does anonymization mean? DataSHIELD and the need for consensus on anonymization terminology. Biopreserv Biobank 2016;14(3):224-230. https://doi.org/10.1089/bio.2015.0119
12. Ritchie J, Spencer L. Qualitative data analysis for applied policy research. In: Bryman A, Burgess RG, eds. Analyzing Qualitative Data. New York: Routledge, 2002:173-194.
13. Gale N, Heath G, Cameron E, Rashid S, Redwood S. Using the Framework Method for the analysis of qualitative data in multi-disciplinary health research. BMC Med Res Methodol 2013;13:117. https://doi.org/10.1186/1471-2288-13-117
14. Oxford English Dictionary [Internet]. 2024. https://www.oed.com/?tl=true (accessed 26 September 2025).
15. De Stadler E, Luttig Hattingh I, Esselaar P, Boast J. Over-thinking the Protection of Personal Information Act: The Last POPIA Book You Will Ever Need. Cape Town: Juta, 2021.
16. Adams R, Adeleke F, Anderson D, et al. POPIA Code of Conduct for Research. S Afr J Sci 2021;117(5-6). https://doi.org/10.17159/SAJS.2021/10933
17. Roos A. Data protection principles under the GDPR and the POPI Act: A comparison. THRHR 2023;86(1):1-26.
18. Syed H, Genç Y. General data protection regulation: A transformative law. Balkan J Soc Sci 2020;9(17):209-216. https://dergipark.org.tr/en/download/article- file/1140029 (accessed 27 March 2026).
19. Legodi LF, Mukonza RM. The promise and peril of access to information as a human right: A critical analysis of South Africa’s experience. J Public Adm 2024;59(4):708-726. https://doi.org/10.53973/jopa.2024.59.4.a4
20. Mahomed S. The evolution of privacy governance in healthcare in post-apartheid South Africa. In: Dove ES, ed. Confidentiality, Privacy, and Data Protection in Biomedicine: International Concepts and Issues. London: Routledge, 2024:150-170.
21. International Network of Civil Liberties Organizations. Surveillance and democracy: Chilling tales from around the world. 11 October 2016. https://inclo. net/publications/surveillance-and-democracy-chilling-tales-from-around-the- world/ (accessed 28 March 2026).
22. Metz T. Ubuntu as a moral theory and human rights in South Africa. Afr Hum Rights Law J 2011;11(2):532-559. https://hdl.handle.net/10520/EJC51951 (accessed 27 March 2026).
23. Radebe SB, Phooko MR. Ubuntu and the law in South Africa: Exploring and understanding the substantive content of ubuntu. S Afr J Philos 2017;36(3):239- 251. https://doi.org/10.1080/02580136.2016.1222807
24. Mokgoro Y. Ubuntu and the law in South Africa. Potchefstroom Electron Law J 1998;1(1):17-27. https://perjournal.co.za/article/view/2897/2848 (accessed 28 March 2026).
25. Roos A. The European Union’s General Data Protection Regulation (GDPR) and its implications for South African data privacy law: An evaluation of selected ‘content principles’. Comp Int Law J South Afr 2020;53(3):7985. https://doi. org/10.25159/2522-3062/7985