Reading time: 5 minutes

In the digital age, businesses are collecting more data about individuals than ever before. If you collect personal information from your customers, you may have privacy obligations concerning how that data is collected and handled. Data de-identification can assist in minimising your privacy obligations. However, you should avoid relying on this process to protect your business from violating its privacy responsibilities, as this can come with certain risks. This article will explain what data de-identification is and how it can minimise your privacy obligations.

What Is Data De-Identification?

Data de-identification involves the removal of identifiable information from a dataset. This means anyone who accesses your data will not be able to identify any specific individual from the personal information you have collected. Methods of de-identification and the reason for doing so can vary.

There are two core concepts which are important to understand when thinking about de-identifying your data. These are pseudonymisation and anonymisation.

Pseudonymisation applies where you cannot identify an individual from the data, but the use of additional information could lead to their identification. This additional information must be kept separate from the first set of data. 

Anonymisation applies where it is not possible to identify an individual and any risk of re-identification of that information is very low. 

You should assess the risk of re-identification on a case-by-case basis by considering all of the circumstances, including: 

  • who has access to the data; 
  • what you will use the data for; and
  • other information that might be available and lead to identification.

Anonymisation differs from pseudonymisation because there is no reasonable likelihood of re-identification, even when using other datasets.

Does Data De-Identification Minimise Your Privacy Obligations?

If your data is de-identified to the standard of anonymisation, your business will have fewer privacy obligations.

What Are the Privacy Obligations?

The Australian Privacy Principles (APPs) set out your privacy obligations within Australia. These principles outline some basic requirements for the collection, disclosure and security private data. The rules must only be followed by:

  • entities with an annual turnover of more than $3 million;
  • healthcare service providers; and
  • businesses that sell or purchase personal information.

As a result, many small businesses are exempt from the requirement to comply with Australian privacy laws. However, even if you are not legally required to comply with these obligations, it is generally best practice to do so. This can help build trust with customers and avoid damage to your reputation. 

How Does Data De-Identification Interact With These Obligations?

You will be able to avoid the application of many of these privacy principles if you anonymise the data that you collect. This will reduce the: 

  • technical and operational burden on your business; and 
  • risk of complaints or disciplinary action, such as fines. 

Alternatively, you can collect identifiable information and later anonymise that data, to reduce the ongoing burden and risk to your business.

For example, after you have finished using the identifiable data collected from a customer through your online business, you could anonymise the data and keep it for future analytics.

In each instance, data anonymisation will reduce the number of privacy principles that apply to your business. However, you will still need to consider some of the core principles, including how you:

  • use and disclose personal information;
  • disclose personal information overseas; and 
  • ensure the security of personal information.

These principles still apply because re-identification could occur if someone takes the data from its anonymised form into another context.

If you disclose de-identified data to a third party, that third party may have other information which may make it identifiable. This includes situations where you disclose the data outside Australia. 

For example, your business might collect anonymised data about the health and wellbeing of your employees. A third-party could potentially re-identify this information with a separate list of your employees by matching their age and gender.

Additionally, if a data breach occurs, that data may also be at risk of re-identification if a third party views that information and links it with another data set. 

How Does the Risk of Re-Identification Affect My Privacy Obligations?

You must consider the possibility of re-identification when assessing the risk of failing to meet your privacy obligations. Indeed, you can only consider the data anonymised where there is a very low risk of re-identification.

Even where the risk is very low, you must continue to keep the APPs in mind. This is because unexpected obligations may arise due to circumstances outside your control. 

For example, a data breach may: 

  • affect your data; and 
  • trigger your obligation to notify the regulator and individuals of the data breach, despite the data being de-identified. 

Privacy Impact Assessment

If you intend to rely on the anonymisation of data as a means to reduce your privacy compliance requirements, you should undertake a privacy impact assessment to comprehensively assess the risk of re-identification. You can use a privacy impact assessment to: 

  • identify how you intend to use personal information for a particular purpose; and 
  • identify and mitigate the associated privacy risks.

Key Takeaways

You can reduce your business’ privacy obligations by de-identifying data through anonymisation techniques. However, anonymisation requires a careful assessment of the risk that the data could be re-identified. When considering your privacy obligations, you should be aware of your responsibilities when disclosing personal information, including overseas. You should also note that your security obligations may continue to apply, such as notifying government regulators and the affected individuals of a data breach. If you would like legal advice concerning your privacy obligations, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

Webinars

Construction Contract Essentials

Thursday 12 August | 11:00 - 11:45am

Online
Understand how construction contracts are drafted and how to protect your construction business.
Register Now

Startup 101: Understanding Cap Tables and ESOPs

Thursday 19 August | 11:00 - 11:45am

Online
Cap tables and employee share option plans are essential for fast-growing startups. Learn more with this free webinar.
Register Now

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • 2020 Excellence in Technology & Innovation – Finalist – Australasian Law Awards 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice – Winner – Australasian Lawyer 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year - Australasian Law Awards 2021 Law Firm of the Year - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer