As a business owner, you will have legal obligations to secure the data you hold. It is crucial that you meet these obligations so that your customers feel confident in providing you with their data. If you do not properly store data, you heighten the risk of your business facing a data breach and someone stealing sensitive information about your customers. This article explains what your legal obligations may be and how de-identification of data can assist you in meeting these obligations and mitigating risk to your business.

What Are My Legal Obligations on Securing Data?

Privacy Law Obligations

In Australia, there is a core federal privacy law which may apply to your business, called the Privacy Act. This law only applies in certain situations, including, notably, where a business has an annual turnover of over $3 million. 

If you run a small business, you may not need to comply with Australian privacy law. However, you need to make this assessment based on the specifics of your business.

If your business must comply with the Privacy Act, you will have:

  • an obligation for the security of the personal information you hold;
  • a limitation on how long you can store identifiable data for; and
  • notification obligations for some types of data breaches.

The obligation for the security of the personal information you hold requires that you take reasonable steps to protect the personal information from: 

  • misuse;
  • interference;
  • loss;
  • unauthorised access; or
  • modification.

The limitation on how long you store identifiable data for states that you should:

  • not hold personal information for any longer than the period that you need it;
  • only use it for permitted purposes; and
  • not disclose personal information to unauthorised parties.

Data breach obligations require that you notify both the regulator and the affected individual if the data breach would likely result in serious harm to them. When making this assessment, you should take into account the context of the breach, such as the:

  • number of people who accessed the breached data;
  • sensitivity of the data; and
  • quantity of data.

Contractual Obligations

You may also have contractual obligations to secure data. 

For example, in contracts with customers where you receive their data, you may have to:

  • limit staff access to a need-to-know basis;
  • use appropriate security measures to protect the data from unauthorised access; and
  • protect the data from data breaches.

Can De-Identification of Data Help?

De-identification of data can have a significant role in meeting the legal obligations described above. De-identifying data involves altering the data in a way which hides the identity of the person that the data relates to.

De-identification is beneficial as:

  • it can protect personal information and therefore can help you meet your security obligations;
  • you can use it instead of disposing of the data, as a means of making sure you do not hold data past its legal storage limit; and
  • it limits the likelihood that a data breach will cause serious harm to any of the individuals that the personal information relates to.

It is crucial to highlight that if you are de-identifying data instead of disposing of it, the risk of that information being re-identified should be very low.

What Are the De-Identification Options?

If you use de-identification as a means to assist in securing your data, you will need to consider whether your intention is to: 

  • anonymise the data; or
  • pseudonymise the data. 

Where you anonymise the data, you should reduce it to a state where it is very unlikely that someone will be able to re-identify it, even if the data is paired with another source of information.

Pseudonymisation, however, is a lesser form of de-identification. This is because pseudonymisation only requires that the data set is not identifiable by itself, but can be identified if paired with other data.

For the purposes of security, businesses often choose pseudonymisation over anonymisation because it means the data can still be identified, but it is better protected from unauthorised access.

Encryption is a common form of pseudonymisation. Encryption works by making text appear as code until a secret key is used to unlock the text. Another technique to pseudonymise data is to store the data sets in separate locations so that each data set may only be used to identify an individual if it is combined with a data set in another location.
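The separate-locations technique described above can be sketched as follows. This is an added example, not code from the article: the field names, the sample records and the choice of a random token to link the two data sets are all assumptions made for illustration.

```python
import secrets

# Constructed sample records (not real customer data).
CUSTOMERS = [
    {"name": "Alex Nguyen", "email": "alex@example.com", "postcode": "2000", "plan": "gold"},
    {"name": "Sam Patel", "email": "sam@example.com", "postcode": "3000", "plan": "basic"},
    {"name": "Alex Nguyen", "email": "alex@example.com", "postcode": "2000", "plan": "basic"},
]

DIRECT_IDENTIFIERS = ("name", "email")  # assumption: which fields identify a person


def pseudonymise(records, identifier_fields=DIRECT_IDENTIFIERS):
    """Split records into an identity store and a pseudonymised data store.

    The two stores share only a random token, so the data store cannot be
    linked to a person without access to the identity store.
    """
    identity_store = {}   # token -> identifying fields (keep in a separate location)
    data_store = []       # working data set with identifiers replaced by a token
    token_for = {}        # identifying values -> token, so repeat customers match
    for record in records:
        identity = tuple(record[f] for f in identifier_fields)
        token = token_for.get(identity)
        if token is None:
            token = secrets.token_hex(16)  # random, so it reveals nothing itself
            token_for[identity] = token
            identity_store[token] = dict(zip(identifier_fields, identity))
        row = {k: v for k, v in record.items() if k not in identifier_fields}
        row["token"] = token
        data_store.append(row)
    return identity_store, data_store


def reidentify(row, identity_store):
    """Recombine one pseudonymised row with its identity; needs both stores."""
    identity = identity_store.get(row["token"])
    if identity is None:
        return None  # identity store unavailable or entry deleted: row stays de-identified
    return {**identity, **{k: v for k, v in row.items() if k != "token"}}


if __name__ == "__main__":
    identities, data = pseudonymise(CUSTOMERS)
    print(data)
    print(reidentify(data[0], identities))
```

Fields left in the data store, such as the postcode here, can still narrow down who a row belongs to when paired with other information, which is why this counts as pseudonymisation rather than anonymisation.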

Key Takeaways

De-identifying data is a useful tool for securing your data. You may wish to secure data to satisfy your legal obligations under Australian privacy law and any contracts you have with customers. When you choose to de-identify data, you will need to consider whether to anonymise or pseudonymise it. This will depend on the purpose of de-identifying it and what you wish to use the data for. If you have any questions about de-identifying data, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.


Jacqueline Gibson