De-identification
De-identification is the process of removing or masking direct identifiers so data no longer directly names a person, while accepting that re-identification may still be possible.
De-identification strips or masks the fields that obviously point to someone — name, SIN, email — often replacing them with pseudonyms or tokens. It reduces risk but does not make data fully anonymous: with enough auxiliary information, de-identified records can sometimes be re-linked to individuals.
Quebec’s Law 25 defines de-identified information as data that *no longer allows a person to be directly identified*, and it remains personal information subject to the law. You must apply reasonable measures to guard against re-identification and may only use it for the purposes the law permits.
Use de-identification when you still need record-level detail (analytics, testing, research) but want to limit exposure. When you need data that falls *outside* privacy law entirely, you need true anonymization instead.