Reading time: 5 minutes

If you run a business which collects data on your employees or clients, you need to ensure that you store that data correctly. Anonymisation is a method of removing information which could reveal the identities of people within a set of data. You may need to use anonymisation as part of your data security processes and compliance with Australian privacy laws. This article outlines what it means to properly anonymise data and provides a three-step guide on how to anonymise data.

What is Anonymisation?

Anonymisation means the removal of all data features which may allow someone to identify an individual from that data. When you anonymise data, you must also consider the risk that someone could pair the data could with other information to work out the identity of someone in the data set. This risk is most likely to arise if you disclose the data to a third party.

Under Australian privacy law, data is only truely anonymised if the risk of re-identification is very low. You can make this assessment of the risk by taking into account the: 

  • type of data; 
  • context within which someone will use the data; and 
  • circumstances where someone may disclose the data.

If you decide that anonymising data is the right choice for your business, there are three key practical steps you must take.

1. Locate All of the Identifiers

The first step in anonymising data is to review the applicable data sets you have and locate all of the information which someone could use to work out someone’s identity.

2. Choose an Anonymisation Technique

The next step is to choose an anonymisation technique. The best technique will depend on your reason for de-identifying the data and your IT capabilities. Three common techniques that you may use include: 

  1. suppression;
  2. generalisation; and
  3. aggregation.

It is easiest to demonstrate the effect of these methods by using an example. The table below represents the raw data before the anonymisation.

RAW DATA

Name Date of Birth Gender Musician?
Bob Gainer 23.04.1965 Male Yes
Sally Smith 12.11.1983 Female Yes
Trevor Dallas 30.08.1992 Male No
Tessa Mert 14.07.1978 Female Yes

Suppression  

Suppression requires that you delete the identifying fields of the data. 

For example, in the table below, the identifiable data has been deleted. Therefore, the data set has been suppressed.

SUPPRESSED DATA

Name Date of Birth Gender Musician?
XXXX 23.04.1965 Male Yes
XXXX 12.11.1983 Female Yes
XXXX 30.08.1992 Male No
XXXX 14.07.1978 Female Yes

It is important to note that, for suppressed data, there is a risk that someone who is acquainted with a person on the list may be able to identify them based on the combination of their: 

  • date of birth;
  • gender;
  • classification as a musician; and 
  • association with your business.

This poses a risk of re-identification. To reduce this risk, you may need to also suppress the dates of birth.

Generalisation

As an alternative to suppression, you can use generalisation. Generalisation requires that you alter the identifying fields. This can reduce the re-identification risks associated with suppression, but still produce useful data. 

For example, in the table below, the date of birth has been removed. However, you can still identify the age of the individual through the year of birth. As this information is more general, it is less likely to be able to be paired with other information to identify the person.

GENERALISED DATA

Name Yeah of birth Gender Musician?
XXXX 1965 Male Yes
XXXX 1983 Female Yes
XXXX 1992 Male No
XXXX 1978 Female Yes

Aggregation

Another option is to aggregate the data. Aggregation requires that you convert the data into a summary of statistics, as illustrated in the example table below.

AGGREGATED DATA

Female musicians 2
Male musicians 2

The aggregated data option poses the lowest risk of re-identification. However, you must also destroy the data set you used to create this aggregated data to keep the risk of re-identification low.

3. Implement Your Anonymisation Technique

Once you have isolated the identifiers and chosen your preferred anonymisation technique, the final step is to implement that technique. If you have an IT department, they may be equipped to carry this out. 

Alternatively, you may need to source external IT support to implement the anonymisation. Then, the privacy officer within your business should review the results to confirm that they have correctly executed the anonymisation.

Key Takeaways

Anonymising data can be a useful part of your business processes and assist you in meeting your privacy obligations. If you choose to anonymise data, you must: 

  • locate the identifiers in the data set;
  • choose a method of anonymisation; and
  • properly carry this process out. 

After you have completed data anonymisation, you should check the results to confirm that the risk of re-identification is very low. If you have any questions about how to anonymise your data, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

Webinars

Redundancies and Restructuring: Understanding Your Employer Obligations

Thursday 7 July | 11:00 - 11:45am

Online
If you plan on making a role redundant, it is crucial that you understand your employer obligations. Our free webinar will explain.
Register Now

How to Sponsor Foreign Workers For Your Tech Business

Wednesday 13 July | 11:00 - 11:45am

Online
Need web3 talent for your tech business? Consider sponsoring workers from overseas. Join our free webinar to learn more.
Register Now

Advertising 101: Social Media, Influencers and the Law

Thursday 21 July | 11:00 - 11:45am

Online
Learn how to promote your business on social media without breaking the law. Register for our free webinar today.
Register Now

Structuring for Certainty in Uncertain Times

Tuesday 26 July | 12:00 - 12:45pm

Online
Learn how to structure to weather storm and ensure you can take advantage of the “green shoots” opportunities arising on the other side of a recession.
Register Now

Playing for the Prize: How to Run Trade Promotions

Thursday 28 July | 11:00 - 11:45am

Online
Running a promotion with a prize? Your business has specific trade promotion obligations. Join our free webinar to learn more.
Register Now

Web3 Essentials: Understanding SAFT Agreements

Tuesday 2 August | 11:00 - 11:45am

Online
Learn how SAFT Agreements can help your Web3 business when raising capital. Register today for our free webinar.
Register Now

Understanding Your Annual Franchise Update Obligations

Wednesday 3 August | 11:00 - 11:45am

Online
Franchisors must meet annual reporting obligations each October. Understand your legal requirements by registering for our free webinar today.
Register Now

Legal Essentials for Product Manufacturers

Thursday 11 August | 11:00 - 11:45am

Online
As a product manufacturer, do you know your legal obligations if there is a product recall? Join our free webinar to learn more.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Jacqueline Gibson
Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards