Improving participant anonymisation
In research settings, knowing a participant's name adds little to the data while reducing their anonymity significantly. Good study design treats participant identity as something to protect by design, not as an afterthought. That means assigning identifiers that carry no personal information and are resistant to guessing or inference.
The stakes here are higher than they might first appear. Research into synthetic data generation for biomedical analysis makes the point plainly:
While nearly all computational methods operate on pseudonymized personal data, re-identification remains a risk. With personal health data, this re-identification risk may be considered a double-crossing of patients' trust. Guillaudeux et al., patient-centric synthetic data research
Pseudonymisation, replacing a name with an identifier, is not the same thing as true anonymisation, and it's worth being honest with yourself about which one your study is actually achieving. If the identifier can be linked back to a real person through a separate key, a leaked dataset, or a small enough participant pool, the protection is procedural rather than absolute.
This matters more as datasets get richer. A participant identified only by a code can still become re-identifiable if enough other variables (age, postcode, a rare diagnosis, a specific combination of dates) are attached to that code and the dataset is ever combined with another source. Rare disease studies and small geographic cohorts are particularly exposed to this, since a handful of demographic details can narrow "anonymous participant" down to one plausible real person surprisingly quickly. Anonymisation strategy, in other words, isn't just about the identifier scheme. It's about everything sitting alongside that identifier too. With that caveat in mind, there are three main identifier approaches in common use, each with its own trade-offs.
Sequential numbering
The simplest method: participants are numbered in order of enrolment. Prefixes or suffixes can add structure, for example P-001-M, P-002-F.
Advantages:
- Easy to implement without specialised tooling
- Works with standard statistical software
- Immediately intuitive for staff
Disadvantages:
- Sequential IDs are easy to guess
- Mistakes are more likely when IDs look similar to each other
- Without password-protected access controls, sequences can be predicted
Random word chaining
Identifiers are generated by combining words from predefined libraries, producing codes like singing-green-monkey or dancing-blue-giraffe.
Advantages:
- Highly memorable for staff who need to recall IDs
- Difficult to guess
- Large combination space with sufficient word lists
Disadvantages:
- Language-specific, which creates difficulties in multilingual studies
- Potential difficulties for participants with literacy challenges or dyslexia
- Rare but possible combinations may be unintentionally offensive
- Word association can occasionally create patterns that reduce unpredictability
Random letter-number hybridisation
Identifiers are generated by combining random letters and numbers, such as 8xpea or wu3cc.
Advantages:
- Very low risk of pattern or association bias
- Highly unique across large participant pools
- Easy to expand by increasing the character length
Disadvantages:
- Visual similarity between certain characters (O and 0, I and 1) can cause confusion
- Capitalisation needs to be handled consistently
- Literacy considerations apply as with word chaining
Comparing the three at a glance
| Method | Best for | Main weakness |
|---|---|---|
| Sequential numbering | Small studies with strong access controls | Predictable without those controls |
| Random word chaining | Studies where staff need to recall IDs easily | Language and literacy dependent |
| Random letter-number hybrids | Large or complex participant pools | Character confusion (O/0, I/1) |
Choosing the right approach
The best choice depends on the study design, the participant population, and any guidance from the ethics review panel. Sequential numbering works well for small studies with robust access controls. Random approaches offer better security for larger or more complex studies.
Whichever method you choose, pair it with appropriate access restrictions so that even a known identifier cannot be connected to a real person without authorisation, and revisit whether pseudonymisation is genuinely enough for your study's risk profile. As the synthetic data research above underlines, the honest answer for sensitive health data is often that a further layer, such as strict key separation, minimal linkage, or synthetic data techniques for anything shared more broadly, is worth the extra design effort. An identifier scheme is only as strong as the weakest link connecting it back to a real person, and that link is usually a process or access control decision, not the identifier format itself.
None of this needs to be solved perfectly on day one. It needs to be treated as a live risk that gets revisited as the dataset grows, rather than a checkbox ticked once during protocol design and never looked at again.