Privacy is extremely important in healthcare systems. Unfortunately, most of the solutions already deployed are developed empirically. After discussing some of such existing solutions, this paper describes an analytic and generic approach to protect personal data by anonymization. This approach is then applied to some representative scenarios. The architecture and its implementation with a Javacard are finally presented. Our analysis, solution and implementation are generic enough to be adapted to various collaborative systems that process sensitive data such as e-commerce, e-government, social applications, etc.