Reading time: 5 minutes

In the digital age, businesses are collecting more data about individuals than ever before. If you collect personal information from your customers, you may have privacy obligations concerning how that data is collected and handled. Data de-identification can assist in minimising your privacy obligations. However, you should avoid relying on this process to protect your business from violating its privacy responsibilities, as this can come with certain risks. This article will explain what data de-identification is and how it can minimise your privacy obligations.

What Is Data De-Identification?

Data de-identification involves the removal of identifiable information from a dataset. This means anyone who accesses your data will not be able to identify any specific individual from the personal information you have collected. Methods of de-identification and the reason for doing so can vary.

There are two core concepts which are important to understand when thinking about de-identifying your data. These are pseudonymisation and anonymisation.

Pseudonymisation applies where you cannot identify an individual from the data, but the use of additional information could lead to their identification. This additional information must be kept separate from the first set of data. 

Anonymisation applies where it is not possible to identify an individual and any risk of re-identification of that information is very low. 

You should assess the risk of re-identification on a case-by-case basis by considering all of the circumstances, including: 

  • who has access to the data; 
  • what you will use the data for; and
  • other information that might be available and lead to identification.

Anonymisation differs from pseudonymisation because there is no reasonable likelihood of re-identification, even when using other datasets.

Does Data De-Identification Minimise Your Privacy Obligations?

If your data is de-identified to the standard of anonymisation, your business will have fewer privacy obligations.

What Are the Privacy Obligations?

The Australian Privacy Principles (APPs) set out your privacy obligations within Australia. These principles outline some basic requirements for the collection, disclosure and security private data. The rules must only be followed by:

  • entities with an annual turnover of more than $3 million;
  • healthcare service providers; and
  • businesses that sell or purchase personal information.

As a result, many small businesses are exempt from the requirement to comply with Australian privacy laws. However, even if you are not legally required to comply with these obligations, it is generally best practice to do so. This can help build trust with customers and avoid damage to your reputation. 

How Does Data De-Identification Interact With These Obligations?

You will be able to avoid the application of many of these privacy principles if you anonymise the data that you collect. This will reduce the: 

  • technical and operational burden on your business; and 
  • risk of complaints or disciplinary action, such as fines. 

Alternatively, you can collect identifiable information and later anonymise that data, to reduce the ongoing burden and risk to your business.

For example, after you have finished using the identifiable data collected from a customer through your online business, you could anonymise the data and keep it for future analytics.

In each instance, data anonymisation will reduce the number of privacy principles that apply to your business. However, you will still need to consider some of the core principles, including how you:

  • use and disclose personal information;
  • disclose personal information overseas; and 
  • ensure the security of personal information.

These principles still apply because re-identification could occur if someone takes the data from its anonymised form into another context.

If you disclose de-identified data to a third party, that third party may have other information which may make it identifiable. This includes situations where you disclose the data outside Australia. 

For example, your business might collect anonymised data about the health and wellbeing of your employees. A third-party could potentially re-identify this information with a separate list of your employees by matching their age and gender.

Additionally, if a data breach occurs, that data may also be at risk of re-identification if a third party views that information and links it with another data set. 

How Does the Risk of Re-Identification Affect My Privacy Obligations?

You must consider the possibility of re-identification when assessing the risk of failing to meet your privacy obligations. Indeed, you can only consider the data anonymised where there is a very low risk of re-identification.

Even where the risk is very low, you must continue to keep the APPs in mind. This is because unexpected obligations may arise due to circumstances outside your control. 

For example, a data breach may: 

  • affect your data; and 
  • trigger your obligation to notify the regulator and individuals of the data breach, despite the data being de-identified. 

Privacy Impact Assessment

If you intend to rely on the anonymisation of data as a means to reduce your privacy compliance requirements, you should undertake a privacy impact assessment to comprehensively assess the risk of re-identification. You can use a privacy impact assessment to: 

  • identify how you intend to use personal information for a particular purpose; and 
  • identify and mitigate the associated privacy risks.

Key Takeaways

You can reduce your business’ privacy obligations by de-identifying data through anonymisation techniques. However, anonymisation requires a careful assessment of the risk that the data could be re-identified. When considering your privacy obligations, you should be aware of your responsibilities when disclosing personal information, including overseas. You should also note that your security obligations may continue to apply, such as notifying government regulators and the affected individuals of a data breach. If you would like legal advice concerning your privacy obligations, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.


Redundancies and Restructuring: Understanding Your Employer Obligations

Thursday 7 July | 11:00 - 11:45am

If you plan on making a role redundant, it is crucial that you understand your employer obligations. Our free webinar will explain.
Register Now

How to Sponsor Foreign Workers For Your Tech Business

Wednesday 13 July | 11:00 - 11:45am

Need web3 talent for your tech business? Consider sponsoring workers from overseas. Join our free webinar to learn more.
Register Now

Advertising 101: Social Media, Influencers and the Law

Thursday 21 July | 11:00 - 11:45am

Learn how to promote your business on social media without breaking the law. Register for our free webinar today.
Register Now

Structuring for Certainty in Uncertain Times

Tuesday 26 July | 12:00 - 12:45pm

Learn how to structure to weather storm and ensure you can take advantage of the “green shoots” opportunities arising on the other side of a recession.
Register Now

Playing for the Prize: How to Run Trade Promotions

Thursday 28 July | 11:00 - 11:45am

Running a promotion with a prize? Your business has specific trade promotion obligations. Join our free webinar to learn more.
Register Now

Web3 Essentials: Understanding SAFT Agreements

Tuesday 2 August | 11:00 - 11:45am

Learn how SAFT Agreements can help your Web3 business when raising capital. Register today for our free webinar.
Register Now

Understanding Your Annual Franchise Update Obligations

Wednesday 3 August | 11:00 - 11:45am

Franchisors must meet annual reporting obligations each October. Understand your legal requirements by registering for our free webinar today.
Register Now

Legal Essentials for Product Manufacturers

Thursday 11 August | 11:00 - 11:45am

As a product manufacturer, do you know your legal obligations if there is a product recall? Join our free webinar to learn more.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Jacqueline Gibson
Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards