In an age where significant amounts of personal information are passed through online systems, it is critical for organisations to have an effective de-identification process in place to ensure that their privacy obligations are met under the Privacy Act 1988.
Every day, Australian businesses and others across the globe collect personal details and an array of other private information that needs to be handled securely, for example information processed by voice-altering technology.
What is Data De-Identification?
The term ‘de-identification’ can have different meanings. It can refer to the process of removing or altering information, e.g. deleting information that directly identifies individuals, such as names and addresses or dates of birth. Alternatively, it can mean reaching a state where individuals can no longer be ‘reasonably identified’ from the information.
Information is considered to be de-identified (and is therefore not personal information) when it no longer relates to an identifiable individual or an individual who can be reasonably identified from the information.
What Are the Privacy Obligations?
The Australian Privacy Principles (APPs) set out your privacy obligations within Australia. These principles outline some basic requirements for the collection, disclosure and security of personal information. The rules must be followed by:
- entities with an annual turnover of more than $3 million;
- entities collecting sensitive health information; and
- businesses that sell or purchase personal information.
As a result, many small businesses are exempt from the requirement to comply with Australian privacy laws. However, even if you are not legally required to comply with these obligations, it is generally best practice to do so. This can help build trust with customers and avoid damage to your reputation.
With effective de-identification procedures in place, organisations can minimise the risks associated with potential breaches of these privacy principles. Once data has been sufficiently transformed to a degree that it no longer constitutes personal information, it ceases to be subject to the Privacy Act and can be utilised with greater freedom. It is important to ensure that it cannot be reasonably re-identified and connected with an individual. How, then, can data be appropriately de-identified?
Implementing Data De-Identification
There are different levels of de-identification to consider: anonymisation and pseudonymisation.
- Anonymisation is the removal of identifying elements, making the information unattributable to any person.
- Pseudonymisation converts information into a state that is unattributable to any person without access to additional information. Such additional information must be kept separate and secure.
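To make the two levels concrete, here is an added Python example (not code from Clearpoint Legal) that anonymises a record by dropping direct identifiers, and pseudonymises it with a keyed token; the choice of HMAC-SHA256 and the sample records are assumptions, and the key stands in for the "additional information" that must be kept separate.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; no real individuals.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "dob": "1985-03-09", "postcode": "2000", "diagnosis": "asthma"},
    {"name": "Bob Sample", "email": "bob@example.net",
     "dob": "1990-11-21", "postcode": "3000", "diagnosis": "eczema"},
]
DIRECT_IDENTIFIERS = ("name", "email", "dob")


def anonymise(record):
    """Anonymisation: strip direct identifiers outright. Nothing is kept
    that could restore them, so no 'additional information' exists."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonymise(record, key):
    """Pseudonymisation: replace direct identifiers with a keyed token
    (HMAC-SHA256, an assumed choice). The key is the additional information
    that must be stored separately from this output; only its holder can
    re-link the token to a person."""
    out = anonymise(record)
    linkage = "|".join(record[k] for k in DIRECT_IDENTIFIERS)
    out["subject_id"] = hmac.new(key, linkage.encode(), hashlib.sha256).hexdigest()
    return out


def relink(pseudonymised, key, candidate):
    """Controller-side check: does this pseudonymised row belong to a known
    individual? Works only for the holder of the separately stored key."""
    return hmac.compare_digest(
        pseudonymise(candidate, key)["subject_id"], pseudonymised["subject_id"])


def unkeyed_token(record):
    """Anti-pattern: a bare hash of the identifiers. Anyone who can guess
    the inputs can recompute it, so this is not pseudonymisation."""
    linkage = "|".join(record[k] for k in DIRECT_IDENTIFIERS)
    return hashlib.sha256(linkage.encode()).hexdigest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hold this in a separate, access-controlled store
    rows = [pseudonymise(r, key) for r in RECORDS]
    print(anonymise(RECORDS[0]), rows[0], sep="\n")
    print(relink(rows[0], key, RECORDS[0]))                     # True: key holder re-links
    print(relink(rows[0], secrets.token_bytes(32), RECORDS[0]))  # False: no key, no link
```

The pseudonymised rows remain personal information for whoever holds the key, so the key's storage and access controls are what the "separate and secure" requirement is really about.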
Ultimately, data de-identification processes should be actively managed and re-evaluated on an ongoing basis. Protocols such as encrypting sensitive information, restricting who can access it and destroying personal information when it is no longer required should form part of your business’s privacy controls. With robust procedures for de-identifying data in place, your business’s privacy obligations can be dramatically reduced, minimising exposure to potential liability and strengthening your reputation with your clientele.
Not sure if you comply? Contact Clearpoint Legal for a free, 15-minute discovery call.