
De-Identified but Not Gone: Reversible Encryption for...

You can't contact Patient_001 for a follow-up visit. IRBs now require documented re-identification protocols...

April 19, 2026 · 8 min read
research re-identification protocol, longitudinal study follow-up, IRB pseudonymization requirement, controlled re-identification, deterministic encryption

The IRB Re-Identification Protocol Requirement

IRBs now commonly require researchers to document their re-identification protocol — not just their de-identification method. The documentation must prove two things simultaneously: that the de-identified dataset cannot be re-identified by unauthorized parties, and that authorized re-identification is possible under defined conditions.

This dual requirement reflects the lessons of longitudinal research where clinically actionable findings emerged mid-study but permanent anonymization prevented acting on them. GDPR enforcement actions increased 56% in 2024 (DLA Piper Annual Report 2025), and the EU research exemption under Article 89 specifically requires pseudonymization rather than permanent anonymization for research data — recognizing that research requires reversibility under controlled conditions.

A 2024 NEJM AI paper on LLM-based de-identification explicitly flags this challenge: "de-identified clinical notes remain statistically tethered to identity through the very correlations that confirm their clinical utility." The paper's recommendation: pseudonymization with documented key custody rather than permanent anonymization, specifically to preserve the re-contact capability that longitudinal research requires.

The Controlled Re-Identification Architecture

Deterministic AES-256-GCM encryption generates consistent tokens: the same patient identifier always encrypts to the same token using the same key. "Patient_001" in the baseline assessment encrypts to "[ENC:f8a2c...]" — the same token appears in the 3-month follow-up, the 12-month follow-up, and the final analysis. The research team can track the patient's longitudinal data using the encrypted token as a stable identifier, without ever accessing the real identity.

The key custody arrangement satisfies the EDPB's key separation requirement: the research team holds the encrypted dataset. The designated data custodian holds the decryption key in a separate key management system. Neither party can re-identify participants without the other — the research team cannot decrypt without the key, and the key custodian cannot identify which records belong to which participants without the data.

When re-identification is authorized (ethics committee approval, duty-to-warn finding, regulatory requirement), the key custodian applies the key to the specific identified records. Each decryption event is logged: which records, when, by whom, under what authorization. The audit log demonstrates compliance with GDPR Article 89 requirements for documented safeguards.
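The page does not say how AES-256-GCM, which normally takes a fresh nonce per message, is made deterministic. The Go example below is an added illustration, not the page's or any vendor's code: it assumes the nonce is derived from the identifier with HMAC-SHA256 under a second key, and `Custodian`, `NewCustodian`, `Tokenize` and `Reidentify` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Custodian is a hypothetical stand-in for the key holder; researchers only see tokens.
type Custodian struct {
	gcm      cipher.AEAD
	nonceKey []byte
	Audit    []string // one entry per decryption event
}

func NewCustodian(encKey, nonceKey []byte) (*Custodian, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte encKey selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Custodian{gcm: gcm, nonceKey: nonceKey}, err
}

// Tokenize derives the nonce as HMAC-SHA256(nonceKey, id)[:12] (an assumption, see lead-in),
// so a nonce repeats only when the identifier repeats and the token is stable across visits.
func (c *Custodian) Tokenize(id string) string {
	m := hmac.New(sha256.New, c.nonceKey)
	m.Write([]byte(id))
	nonce := m.Sum(nil)[:12:12]
	return "[ENC:" + hex.EncodeToString(c.gcm.Seal(nonce, nonce, []byte(id), nil)) + "]"
}

// Reidentify decrypts one token and logs which record, when, by whom, under what approval.
func (c *Custodian) Reidentify(token, actor, approval string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimSuffix(strings.TrimPrefix(token, "[ENC:"), "]"))
	if err != nil || len(raw) < 12 || approval == "" {
		return "", fmt.Errorf("malformed token or missing approval")
	}
	id, err := c.gcm.Open(nil, raw[:12], raw[12:], nil) // fails if the token was altered
	if err == nil {
		c.Audit = append(c.Audit, fmt.Sprintf("%s record=%s actor=%s approval=%s", time.Now().UTC().Format(time.RFC3339), token, actor, approval))
	}
	return string(id), err
}
```

Equal identifiers yield equal tokens by design, so a token is linkable across every dataset produced with the same keys.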

Practical Implementation

For a European oncology research center with a 5,000-patient cohort: the research dataset is anonymized using reversible encryption before distribution to collaborating institutions in three countries. Each institution's research team can analyze longitudinal data using encrypted patient tokens. The key is held by the coordinating institution's data protection officer.

When a mid-study biomarker analysis identifies 47 participants with elevated risk markers, the ethics committee's approval triggers a formal re-identification request. The data protection officer decrypts the 47 specific records. The coordinating institution's clinical team contacts the 47 real patients. The 4,953 other participants' identities remain protected across all three collaborating institutions.
