In the digital age, businesses are collecting more data about individuals than ever before. If you collect personal information from your customers, you may have privacy obligations concerning how that data is collected and handled. Data de-identification can assist in minimising your privacy obligations. However, you should avoid relying on this process to protect your business from violating its privacy responsibilities, as this can come with certain risks. This article will explain what data de-identification is and how it can minimise your privacy obligations.

What Is Data De-Identification?

Data de-identification involves the removal of identifiable information from a dataset. This means anyone who accesses your data will not be able to identify any specific individual from the personal information you have collected. Methods of de-identification and the reason for doing so can vary.

There are two core concepts which are important to understand when thinking about de-identifying your data. These are pseudonymisation and anonymisation.

Pseudonymisation applies where you cannot identify an individual from the data, but the use of additional information could lead to their identification. This additional information must be kept separate from the first set of data. 

Anonymisation applies where it is not possible to identify an individual and any risk of re-identification of that information is very low. 

You should assess the risk of re-identification on a case-by-case basis by considering all of the circumstances, including: 

  • who has access to the data; 
  • what you will use the data for; and
  • other information that might be available and lead to identification.

Anonymisation differs from pseudonymisation because there is no reasonable likelihood of re-identification, even when using other datasets.

Does Data De-Identification Minimise Your Privacy Obligations?

If your data is de-identified to the standard of anonymisation, your business will have fewer privacy obligations.

What Are the Privacy Obligations?

The Australian Privacy Principles (APPs) set out your privacy obligations within Australia. These principles outline some basic requirements for the collection, disclosure and security private data. The rules must only be followed by:

  • entities with an annual turnover of more than $3 million;
  • healthcare service providers; and
  • businesses that sell or purchase personal information.

As a result, many small businesses are exempt from the requirement to comply with Australian privacy laws. However, even if you are not legally required to comply with these obligations, it is generally best practice to do so. This can help build trust with customers and avoid damage to your reputation. 

How Does Data De-Identification Interact With These Obligations?

You will be able to avoid the application of many of these privacy principles if you anonymise the data that you collect. This will reduce the: 

  • technical and operational burden on your business; and 
  • risk of complaints or disciplinary action, such as fines. 

Alternatively, you can collect identifiable information and later anonymise that data, to reduce the ongoing burden and risk to your business.

For example, after you have finished using the identifiable data collected from a customer through your online business, you could anonymise the data and keep it for future analytics.

In each instance, data anonymisation will reduce the number of privacy principles that apply to your business. However, you will still need to consider some of the core principles, including how you:

  • use and disclose personal information;
  • disclose personal information overseas; and 
  • ensure the security of personal information.

These principles still apply because re-identification could occur if someone takes the data from its anonymised form into another context.

If you disclose de-identified data to a third party, that third party may have other information which may make it identifiable. This includes situations where you disclose the data outside Australia. 

For example, your business might collect anonymised data about the health and wellbeing of your employees. A third-party could potentially re-identify this information with a separate list of your employees by matching their age and gender.

Additionally, if a data breach occurs, that data may also be at risk of re-identification if a third party views that information and links it with another data set. 

How Does the Risk of Re-Identification Affect My Privacy Obligations?

You must consider the possibility of re-identification when assessing the risk of failing to meet your privacy obligations. Indeed, you can only consider the data anonymised where there is a very low risk of re-identification.

Even where the risk is very low, you must continue to keep the APPs in mind. This is because unexpected obligations may arise due to circumstances outside your control. 

For example, a data breach may: 

  • affect your data; and 
  • trigger your obligation to notify the regulator and individuals of the data breach, despite the data being de-identified. 

Privacy Impact Assessment

If you intend to rely on the anonymisation of data as a means to reduce your privacy compliance requirements, you should undertake a privacy impact assessment to comprehensively assess the risk of re-identification. You can use a privacy impact assessment to: 

  • identify how you intend to use personal information for a particular purpose; and 
  • identify and mitigate the associated privacy risks.

Key Takeaways

You can reduce your business’ privacy obligations by de-identifying data through anonymisation techniques. However, anonymisation requires a careful assessment of the risk that the data could be re-identified. When considering your privacy obligations, you should be aware of your responsibilities when disclosing personal information, including overseas. You should also note that your security obligations may continue to apply, such as notifying government regulators and the affected individuals of a data breach. If you would like legal advice concerning your privacy obligations, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Jacqueline Gibson
Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.
Our Awards
  •  Top 20 Startups in Australia - 2018 LinkedIn Startups List Top 20 Startups in Australia - 2018 LinkedIn Startups List
  • NewLaw Firm of the Year – 2019 Australian Law Awards NewLaw Firm of the Year – 2019 Australian Law Awards
  • Law Firm of the Year Finalist – 2018 Australasian Law Awards Law Firm of the Year Finalist – 2018 Australasian Law Awards
  • AFR Fast 100 List – 2018 Australian Financial Review AFR Fast 100 List – 2018 Australian Financial Review
  • NewLaw Firm of the Year – 2017 Australian Law Awards NewLaw Firm of the Year – 2017 Australian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer Most Innovative Law Firm - 2019 Australasian Lawyer

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy