11/13/2025

11:10:13 PM

Back to the news

Anonymization and Pseudonymization of Medical Documentation

This article explains the differences between anonymization and pseudonymization of medical documentation in Poland and discusses the position of the President of the Polish Data Protection Authority (UODO), who highlights the need to amend national legislation to enable the safe use of health data in scientific research. It also presents how Mycroft Sweeper and dedicated Mycroft Solutions technologies support institutions in protecting medical data.

Why anonymizing medical data is so important

Medical documentation is an extremely valuable source of knowledge — it contains information about the course of treatment, test results, diagnoses and patients’ responses to therapies. These data are essential for the development of medicine, scientific research and improving treatment methods.

At the same time, medical documentation includes personal data, such as name, surname, PESEL number (Polish national ID number), address or other identifiers. The presence of these identifiers makes it impossible to share such documentation for research purposes in its original form.

Anonymization solves this problem because it involves the irreversible removal or permanent transformation of elements that enable identification of a patient, while preserving the medical content of the document. The data can still be analyzed, but they can no longer be linked to a specific individual.

This makes anonymization a method that allows safe and lawful use of medical documentation in scientific research, with full respect for patient privacy. At the same time, although anonymization serves a key protective function, it is not always optimal when it comes to conducting advanced medical research. This is precisely why the President of the Polish Data Protection Authority (UODO) addressed the need for legal changes and emphasized the role of pseudonymization.

The Position of the President of UODO – the need to amend Polish legislation

In a letter dated 1 September 2025, the President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, addressed the Minister of Health and the Minister of Science and Higher Education regarding the rules for sharing medical documentation for scientific purposes in Poland.

The President of UODO highlights several key issues:

1. Under current Polish law, medical documentation may only be shared after anonymization

Article 26 of the Polish Act on Patient Rights and the Patient Ombudsman states that medical documentation may be shared with a university or research entity only if it does not allow identifying the patient.

In practice, this means that institutions may currently receive only anonymized data.

Sharing pseudonymized data — which are still personal data under GDPR — is not permitted.

2. EU law allows pseudonymization in justified cases

The President of UODO refers to several EU regulations, including:

  • GDPR (especially Art. 9(2)(j) and Art. 89),
  • EHDS (European Health Data Space) Regulation,
  • Data Governance Act,
  • AI Act.

Under EU law, in exceptional and clearly justified situations, it is possible to share pseudonymized health data, where anonymization would prevent achieving the research objective.

3. Pseudonymization is a security measure — not a “lighter” form of anonymization

The President of UODO emphasizes:

  • pseudonymized data remain personal data,
  • pseudonymization does not meet the requirements of anonymization,
  • it is a method of protecting rights and freedoms,
  • its use must be based on clear and precise legal grounds.

4. Polish regulations are insufficient and require amendments

According to the President of UODO:

  • Polish law does not allow sharing pseudonymized medical data,
  • reforms are needed to make pseudonymization possible when required by the research purpose,
  • legal provisions must be aligned with EU standards and the requirements of EHDS.

Anonymization vs. Pseudonymization

Anonymization

  • irreversible,
  • permanently removes or distorts identifying information,
  • makes it impossible to determine the identity of the patient,
  • results in data that are no longer personal data.

Pseudonymization

  • replaces identifying information with an identifier or encrypted value,
  • prevents identification by the data recipient,
  • allows the data holder (e.g., medical provider) to re-identify the patient using a key,
  • remains a form of processing personal data,
  • is a security measure, not anonymization.

Why pseudonymization matters in scientific research

The President of UODO points out that medical and scientific communities — as well as the Polish Medical Research Agency — report the need to use medical data in pseudonymized form, not only anonymized form.

Pseudonymization is important because it:

  • allows combining data from multiple sources (hospitals, laboratories, disease registries),
  • enables long-term analysis of treatment outcomes in the same patient,
  • allows — in justified cases — linking research results back to the patient by an authorized entity (e.g., a physician),
  • increases the quality and usefulness of data because they can be updated and verified.

Today, Polish law does not enable this, and the President of UODO clearly indicates that this must change.

Mycroft Sweeper – technology ready for both anonymization and pseudonymization

Mycroft Sweeper is a desktop application designed for anonymizing personal data in documents, including medical records. Its key features include:

  • completely local processing (offline, no cloud use),
  • automatic detection of personal data, including in scanned documents (OCR),
  • irreversible anonymization of sensitive data,
  • readiness to support pseudonymization, once Polish law allows it,
  • high processing performance (approx. 1 page in 2 seconds),
  • intuitive interface.

More than just an application — dedicated data protection solutions

Mycroft Solutions also provides dedicated data protection solutions for institutions that require integration of anonymization or future pseudonymization processes into their existing IT infrastructure.

Support includes:

  • integration with DMS, HIS, LIMS systems,
  • customizing data-detection algorithms for specific use cases,
  • building secure API modules,
  • workflow automation and compliance support.

All solutions follow key principles: local data processing, transparency and full control for the institution.

Summary

Anonymization and pseudonymization are two complementary approaches to protecting medical data. Currently, Polish law permits only anonymization when sharing medical documentation for scientific purposes. However, as the President of UODO points out, this is insufficient for modern, data-driven medical research.

Aligning Polish legislation with EU standards would allow the controlled, secure and scientifically valuable use of pseudonymized medical data.

Mycroft Sweeper and the dedicated solutions provided by Mycroft Solutions are already technically prepared to support healthcare and research institutions in both anonymization and pseudonymization — once the law enables it.

👉 Learn more: https://mycroftsolutions.ai/en/products/sweeper

PrivacyTerms of Service
© Mycroft Solutions Sp. z o.o.