When your business collects personal information from your customers, various privacy obligations and restrictions accompany that data. Under the Privacy Act, you need to take reasonable steps to protect and secure any personal information you hold, whether it be that of your:
- customers;
- employees; or
- general members of the public.
Indeed, the reason you protect personal data against the possibility of a privacy breach is so that unauthorised people do not get access to it. As such, one of these protections is to anonymise or de-identify the personal data you hold. However, this may not be the appropriate protection measure in some cases or may not be available for certain kinds of information. Therefore, this article will explain when you should anonymise your New Zealand business’ data.
What Is Anonymisation?
Personal information is any data about an identifiable individual. Therefore, any data that can be used to identify a living person, whether by itself or in combination with other data, qualifies as personal information.
Anonymisation refers to the process of removing all aspects of the data that can identify a person. Consequently, a third party cannot use a piece of anonymised data to backtrack and discover who the data is about.
For example, if you want to anonymise customer feedback forms, you would remove all identifying aspects from the form. These can include:
- their name;
- the location they shopped at; and
- anything identifying in the feedback they provide.
Also, note the difference between data anonymisation and data de-identification. The table below sets out their differences.
| Process | Description |
| --- | --- |
| Anonymisation | This is a more intensive process involving cross-referencing the entire dataset using broader thinking to ensure it is impossible to reverse the anonymisation process. Anonymisation involves a transformation to prevent re-identification. |
| De-Identification | This refers to the more straightforward process of removing or hiding data elements that can identify a person from a particular piece of data. |
How Does Anonymisation Improve Privacy?
When you remove any identifying data from personal information and prevent re-identification, third parties cannot use it to trace back to an identifiable individual. Consequently, if you lose this information in a data breach, there is less risk of individuals suffering serious harm from that breach. In addition, the lost data cannot identify them, so malicious actors cannot target them.
Under the Privacy Act, when you secure personal information, you need to do so in a way that is appropriate in the context. For example, more sensitive or high-risk information needs more intensive security measures. But, if you have already anonymised the information, you may not need to invest extensive time into alternate security measures, depending on your circumstances.
Should I Anonymise My Business’ Data?
Anonymising your data has numerous benefits, including:
- being an effective security measure to protect the personal information your business stores;
- helping you comply with your privacy law obligations;
- reducing the potential spread of harm from a data breach; and
- offering an alternative to disposing of personal data when you do not need it anymore.
When you anonymise personal data, it is no longer identifiable. Therefore, it does not come under legal rules for limiting the storage period of personal information. However, when you de-identify or anonymise personal data instead of disposing of it, you need to note this and detail how you are sufficiently preventing re-identification.
While the process has its benefits, true anonymisation can be difficult to achieve. Unsurprisingly, this is especially true now since parties can easily spread and dissect data online. Therefore, once you have anonymised your personal data, you cannot become complacent and assume your process is foolproof. Test your anonymisation, and update it as time goes on.
In some cases, it may not be possible to anonymise. In these cases, you will need to identify other security measures or dispose of the personal data when you no longer need it.
How Can I Anonymise My Business Data?
Anonymising data involves removing all possible forms of re-identification from a piece of data. This process will depend on:
- the kind of data it is;
- how someone would use the data;
- how someone would search for the data; and
- the context in which someone would share the data.
The efficacy of your data anonymisation depends on the risk of identification. If this risk is minute, then you have likely successfully anonymised your data.
The anonymisation process itself will involve:
- determining all possible identifiers;
- removing those identifiers through methods such as suppression, generalisation, or aggregation;
- applying your removal technique; and
- evaluating your anonymisation efficacy.
For example, generalisation involves generalising specific identifying data, such as changing an exact birth date to a broader birth year. Different methods yield different results, so you need to look into what is appropriate for your situation. An IT consultant can help you with this process.
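The steps above, worked through on a customer feedback dataset as an added example (not part of the original article): it suppresses the name, generalises the birth date to a birth year, then evaluates the result by checking how many records share each remaining combination of identifying fields. The sample records, the field names, the threshold `k`, and the use of smallest group size as the evaluation measure are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (not real data).
RECORDS = [
    {"name": "A. Smith", "birth_date": "1984-03-12", "store": "Auckland CBD", "rating": 4},
    {"name": "B. Jones", "birth_date": "1984-11-02", "store": "Auckland CBD", "rating": 2},
    {"name": "C. Brown", "birth_date": "1984-07-30", "store": "Auckland CBD", "rating": 5},
    {"name": "D. Patel", "birth_date": "1991-01-19", "store": "Wellington", "rating": 3},
    {"name": "E. Ngata", "birth_date": "1991-09-05", "store": "Wellington", "rating": 4},
    {"name": "F. Wilson", "birth_date": "1957-05-23", "store": "Wellington", "rating": 1},
]

# Step 1: determine the identifiers (assumed classification for this example).
DIRECT_IDENTIFIERS = {"name"}                # identify a person on their own
QUASI_IDENTIFIERS = ("birth_year", "store")  # identify a person in combination


def generalise(record):
    """Steps 2-3: suppress direct identifiers, generalise birth date to year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("birth_date")[:4]
    return out


def group_sizes(rows):
    """Count how many rows share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)


def smallest_group(rows):
    """Step 4: evaluate. A result of 1 means at least one person is unique."""
    sizes = group_sizes(rows)
    return min(sizes.values()) if sizes else 0


def anonymise(records, k=2):
    """Return (released_rows, suppressed_count); every released row shares
    its quasi-identifiers with at least k-1 other released rows."""
    rows = [generalise(r) for r in records]
    sizes = group_sizes(rows)
    released = [r for r in rows
                if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]
    return released, len(rows) - len(released)


if __name__ == "__main__":
    released, dropped = anonymise(RECORDS, k=2)
    print(f"released={len(released)} suppressed={dropped} "
          f"smallest_group={smallest_group(released)}")
```

Generalisation alone still leaves the 1957 Wellington customer unique, which is why the evaluation step matters: that record is suppressed before release.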
Key Takeaways
Data anonymisation refers to the process where you remove all possible ways a third party can identify who a piece of data is about. You need to confirm that the risk of identification is low enough to enjoy the benefits of anonymised data, such as increased security. If you would like more information, or help with your business’ data anonymisation, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
Personal information is any data you can use to identify a living individual, whether on its own or in combination with additional information. Examples include names or physical addresses. You may also know personal information as personally identifiable information.
Anonymised data is information that you have removed all identifiers from. A third party cannot use these identifiers to find out who the data was originally about. Some data protection laws require anonymisation of personal data where practical.