Multicentre sharing de-identification is the removal of patient identifiers under UK GDPR Art. 9 & DPA 2018 before centres pool their files. anonym.plus does this on your own device, so each contribution arrives without a named patient.
When this applies
Several teams combine files for a joint analysis. Each contribution still holds patient names, dates, and a local record number.
How anonym.plus handles it
- Open one team’s file (CSV, XLSX, or PDF) in anonym.plus.
- The tool scans for names, dates, and local record numbers.
- Local OCR reads any scanned source page you add.
- Confirm the flags and align the codes across centres.
- Swap each identifier for a shared, steady token.
- Save each cleaned file locally before you pool them.
What you need to provide
- Each centre file (CSV, XLSX, PDF, or scan).
- An operator: Replace, with a shared token scheme.
- Optional: a cross-centre token map held by the lead only.
Patient data entity types detected
| Category | anonym.plus entity type | Example |
|---|---|---|
| Names | PERSON | Mei Chen → [SUBJECT_C12] |
| Dates | DATE_TIME | visit 28/04/2026 → [DATE] |
| NHS number | MEDICAL_RECORD_NUMBER | NHS 512 345 6789 → [NHS_NO] |
| Centre | LOCATION | Centre B, Manchester → [CENTRE_B] |
| Investigator | PERSON | Dr. Hussain → [INVESTIGATOR] |
| Contact | PHONE_NUMBER | +44 161 496 0162 → [PHONE] |
Compliance achieved
- Meets de-identification duties under UK GDPR Art. 9 & DPA 2018.
- Runs offline, so no cloud data-processor contract is triggered between centres.
- On-device AES-256-GCM guards each working file.
- Anonymisation assessed per ICO motivated-intruder test.
Limitations & cautions
Pooling raises the re-identification risk, because one centre’s rare value can become unique in the combined set. The tool strips direct identifiers per file. The lead must still check the pooled result for rare combinations before any wider release.
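One way the lead could run that rare-combination check on the pooled file, as an added example that is not anonym.plus code or output. The column names, sample rows, and the threshold k=3 are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of an already de-identified, pooled file.
# Column names, tokens and values are assumptions for illustration.
COLUMNS = ("token", "centre", "age_band", "sex", "diagnosis")
POOLED = [dict(zip(COLUMNS, r)) for r in [
    ("SUBJECT_A01", "CENTRE_A", "40-49", "F", "T2 diabetes"),
    ("SUBJECT_A02", "CENTRE_A", "40-49", "F", "T2 diabetes"),
    ("SUBJECT_A03", "CENTRE_A", "60-69", "M", "COPD"),
    ("SUBJECT_B01", "CENTRE_B", "40-49", "F", "T2 diabetes"),
    ("SUBJECT_B02", "CENTRE_B", "60-69", "M", "COPD"),
    ("SUBJECT_B03", "CENTRE_B", "60-69", "M", "COPD"),
    ("SUBJECT_B04", "CENTRE_B", "20-29", "M", "Fabry disease"),
    ("SUBJECT_C01", "CENTRE_C", "60-69", "F", "COPD"),
]]
# Indirect identifiers that survive token replacement (assumed set).
QUASI_IDENTIFIERS = ("age_band", "sex", "diagnosis")


def small_cells(rows, quasi_identifiers, k):
    """Map each quasi-identifier combination held by fewer than k rows to its tokens."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[q] for q in quasi_identifiers)].append(row["token"])
    return {combo: tokens for combo, tokens in groups.items() if len(tokens) < k}


def rows_still_flagged_without(rows, quasi_identifiers, k):
    """For each column, count rows left in a small cell if that column is dropped.

    A low count points at the column whose suppression or coarsening helps most.
    """
    result = {}
    for dropped in quasi_identifiers:
        kept = tuple(q for q in quasi_identifiers if q != dropped)
        cells = small_cells(rows, kept, k)
        result[dropped] = sum(len(tokens) for tokens in cells.values())
    return result


if __name__ == "__main__":
    for combo, tokens in small_cells(POOLED, QUASI_IDENTIFIERS, k=3).items():
        print("rare combination", combo, "->", tokens)
    print(rows_still_flagged_without(POOLED, QUASI_IDENTIFIERS, k=3))
```

Rows returned by `small_cells` are the ones to generalise or suppress before wider release; the second function shows which column contributes most to their rarity.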
Frequently asked questions
Why is multicentre sharing higher risk?
When centres pool files, a value that is common at one place can be unique across the whole set. So a record safe alone can become identifying once combined. The lead checks the merged data, not just each file.
How do tokens stay consistent across centres?
Each centre applies the same token scheme to the same person. A cross-centre map, held only by the lead, lets the records align without exposing names.
Does this need a data-processor contract between centres?
No. Each centre cleans its own file on its own device before sharing. No named data moves, so no processor agreement is triggered.