When your business collects personal information from your customers, various privacy obligations and restrictions accompany that data. Under the Privacy Act, you need to take reasonable steps to protect and secure any personal information you hold, whether it be that of your:

  • customers; 
  • employees; or
  • general members of the public.

Indeed, the reason you protect personal data against the possibility of a privacy breach is so that unauthorised people do not get access to it. As such, one of these protections is to anonymise or de-identify the personal data you hold. However, this may not be the appropriate protection measure in some cases or may not be available for certain kinds of information. Therefore, this article will explain when you should anonymise your New Zealand business’ data.

What Is Anonymisation?

Personal information is any data about an identifiable individual. Therefore, any data that can be used, whether by itself or in combination with other data, to identify a living person qualifies as personal information.

Anonymisation refers to the process of removing all aspects of the data that can identify a person. Consequently, a third party cannot use a piece of anonymised data to backtrack and discover who the data is about.

For example, if you want to anonymise customer feedback forms, you would destroy all identifying aspects from the form. These can include their: 

  • name;
  • the location they shopped at; and 
  • anything identifying in the feedback they provide.

Also, note the difference between data anonymisation and data de-identification. The table below sets out their differences.

| Term | What it involves |
| --- | --- |
| Anonymisation | This is a more intensive process involving cross-referencing the entire dataset using broader thinking to ensure it is impossible to reverse the anonymisation process. Anonymisation involves a transformation to prevent re-identification. |
| De-Identification | This refers to the more straightforward process of removing or hiding data elements that can identify a person from a particular piece of data. |

For instance, say you have a company report that refers to your employees only by role so as not to identify them. However, you only have one “Social Media Manager” at your company, whose identifying details a quick Google or LinkedIn search of your company could easily reveal. Therefore, you have not sufficiently anonymised this data.

How Does Anonymisation Improve Privacy?

When you remove any identifying data from personal information and prevent re-identification, third parties cannot use it to trace back to an identifiable individual. Consequently, if you lose this information in a data breach, there is less risk of individuals suffering serious harm from that breach. In addition, because the lost data cannot identify them, malicious actors cannot use it to target them.

Under the Privacy Act, when you secure personal information, you need to do so in a way that is appropriate in the context. For example, more sensitive or high-risk information needs more intensive security measures. But, if you have already anonymised the information, you may not need to invest extensive time into alternate security measures, depending on your circumstances.

Should I Anonymise My Business’ Data?

Anonymising your data has numerous benefits, including:

  • being an effective security measure to protect the personal information your business stores;
  • helping you comply with your privacy law obligations;
  • reducing the potential spread of harm from a data breach; and
  • offering an alternative to disposing of personal data when you do not need it anymore.

When you anonymise personal data, it is no longer identifiable. Therefore, it does not come under legal rules for limiting the storage period of personal information. However, when you de-identify or anonymise personal data instead of disposing of it, you need to note this and detail how you are sufficiently preventing re-identification.

While the process has its benefits, true anonymisation can be difficult to achieve. Unsurprisingly, this is especially true now since parties can easily spread and dissect data online. Therefore, once you have anonymised your personal data, you cannot become complacent and assume your process is foolproof. Test your anonymisation, and update it as time goes on. 

In some cases, it may not be possible to anonymise. In these cases, you will need to identify other security measures or dispose of the personal data when you no longer need it.

How Can I Anonymise My Business Data?

Anonymising data involves removing all possible forms of re-identification from a piece of data. This process will depend on:

  • the kind of data it is;
  • how someone would use the data;
  • how someone would search for the data; and
  • the context in which someone would share the data.

The efficacy of your data anonymisation depends on the risk of identification. If this risk is minute, then you have likely successfully anonymised your data.

The anonymisation process itself will involve:

  • determining all possible identifiers;
  • removing those identifiers through methods such as suppression, generalisation, or aggregation; 
  • applying your removal technique; and
  • evaluating your anonymisation efficacy.

For example, generalisation involves generalising specific identifying data, such as changing an exact birth date to a broader birth year. Different methods yield different results, so you need to look into what is appropriate for your situation. An IT consultant can help you with this process.
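The four steps above, worked through on a small dataset as an added example (not code from the original article). It suppresses names, generalises birth dates to birth years, and then evaluates the result by counting how many records share each remaining combination of attributes; using that k-anonymity-style count as the efficacy measure, and all field names and records, are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). One role is unique in the company.
RECORDS = [
    {"name": "Aroha T", "birth_date": "1988-03-14", "role": "Sales Assistant", "rating": 4},
    {"name": "Ben K", "birth_date": "1988-11-02", "role": "Sales Assistant", "rating": 2},
    {"name": "Chen L", "birth_date": "1991-06-30", "role": "Sales Assistant", "rating": 5},
    {"name": "Dana M", "birth_date": "1991-01-19", "role": "Sales Assistant", "rating": 3},
    {"name": "Eli P", "birth_date": "1991-09-08", "role": "Social Media Manager", "rating": 1},
]

# Step 1: determine identifiers (assumed split for this example).
DIRECT_IDENTIFIERS = {"name"}               # identify a person on their own
QUASI_IDENTIFIERS = ("birth_year", "role")  # identify a person in combination

def deidentify(record):
    """Steps 2-3: suppress direct identifiers, generalise birth date to year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("birth_date")[:4]
    return out

def class_sizes(rows, quasi=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)

def smallest_class(rows, quasi=QUASI_IDENTIFIERS):
    """Step 4: a result of 1 means at least one row is unique, so re-identifiable."""
    return min(class_sizes(rows, quasi).values())

def enforce_k(rows, k, quasi=QUASI_IDENTIFIERS):
    """Suppress rows whose combination is shared by fewer than k rows."""
    sizes = class_sizes(rows, quasi)
    kept = [r for r in rows if sizes[tuple(r[q] for q in quasi)] >= k]
    return kept, len(rows) - len(kept)

if __name__ == "__main__":
    rows = [deidentify(r) for r in RECORDS]
    print("smallest group after removing names:", smallest_class(rows))
    kept, dropped = enforce_k(rows, k=2)
    print("rows suppressed to reach k=2:", dropped)
    print("smallest group afterwards:", smallest_class(kept))
```

Removing names alone leaves the single "Social Media Manager" record unique, which is the situation described earlier in the article; the evaluation step is what catches it.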

Key Takeaways

Data anonymisation refers to the process where you remove all possible ways a third party can identify who a piece of data is about. You need to confirm that the risk of identification is low enough to enjoy the benefits of anonymised data, such as increased security. If you would like more information, or help with your business’ data anonymisation, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any data you can use to identify a living individual, whether on its own or in combination with additional information. Examples include names or physical addresses. You may also know personal information as personally identifiable information.

What is anonymised data?

Anonymised data is information that you have removed all identifiers from. A third party cannot use these identifiers to find out who the data was originally about. Some data protection laws require anonymisation of personal data where practical.
