When your business deals with personal information in New Zealand, you qualify as an agency under privacy law. All agencies must comply with the Privacy Act and take steps to maintain their privacy obligations to anyone whose personal information they hold. This responsibility includes protecting personal information against misuse, loss or unauthorised disclosure. One way to potentially protect personal data is de-identification. You may use this security method to protect the information your business holds, but it is not a foolproof safeguard. Therefore, you need to consider various factors when you engage in this process. This article will explain data de-identification and its relevance for meeting your business’ privacy obligations.
What is Data De-Identification?
When you remove or disguise the aspects of your business’ data that could identify a living person, you have de-identified it. As a result, if another party were to look over this de-identified data, they would not be able to readily recognise who it was about.
For example, say that you ask customers for their feedback about your business. When you report this feedback to your staff, you remove the customer’s name or the store they shopped at. Therefore, your staff cannot initially identify who placed the relevant feedback.
Is De-Identified Data Personal Information?
The Privacy Act in New Zealand defines personal information as anything about an identifiable individual. Therefore, if you can use your data to identify a living person, it qualifies as personal information, and you need to comply with the laws that protect it.
As a broad definition, this could cover de-identified data. It will depend on:
- how effective your de-identification methods are;
- the factual context;
- the nature of the dataset; and
- what other data is available about the relevant individual.
Even if you cannot identify who the data is about at first glance, as soon as someone combines it with another piece of data, they may be able to do so.
Data De-Identification at Your Business
While de-identified data may still qualify as personal information, de-identification is an effective security method for sensitive data. One of your obligations as an agency under privacy law is to secure the personal information you hold. Accordingly, data de-identification can qualify as an appropriate safeguard under this duty because it can hinder or delay re-identification. In a data breach, this can be especially useful for protecting any lost data.
To err on the side of caution, where there is still a risk of identification, you should treat your de-identified data as personal information. Therefore, you need to make sure you:
- only collect necessary information for a lawful purpose;
- tell people you collect their personal information;
- only store data for as long as you need; and
- do not use personal information for purposes outside of what you told people at collection.
Additionally, you can only handle de-identified data outside of these restrictions if you are certain that there is a low risk of a third party identifying who the information is about.
You will need to balance de-identification with still being able to use the relevant data. So, how you use this security method will depend on your business’ unique circumstances.
How Do I De-Identify Information?
How you de-identify information will depend on the:
- nature of the data elements; and
- what resources your business has available.
You may be able to anonymise data completely and eliminate the chance of re-identification. Alternatively, you may use other measures of de-identification that hinder or delay re-identification instead. Note that what you need to do may vary depending on the kind of information; protected health information, for example, calls for more intensive security measures. The table below sets out possible methods of de-identification.
| Method | Description |
| --- | --- |
| Suppression | You remove identifying information, such as names or gender markers, for privacy protection. |
| Generalisation | You alter the identifying details to be broader and more generalised, such as changing a specific town name to a general region. |
| Aggregation | You combine the raw identifying data of individuals into a summary of statistics, such as sorting customers into ‘satisfied’ or ‘unsatisfied’. You must remove the original identifying datasets. |
| Pseudonymisation | You alter the data in some way so that you cannot identify who it is about on its own, but you can with other data. Encryption is a form of pseudonymisation. |
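The following Python script is an added example, not code from the article or from LegalVision. It applies each of the four methods in the table to a small constructed set of customer feedback records (fictional people, stores and emails), and it also shows the point made earlier about combining datasets: after suppression alone, every (age, town) combination in the sample is unique, so a second dataset carrying those two attributes could single a person out, whereas after generalisation every combination is shared by at least two records. For pseudonymisation it uses a keyed hash (HMAC-SHA256) rather than encryption; the key, the town-to-region mapping and the `customer_id` field name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample: feedback about fictional customers and stores.
# Illustrative data only, not taken from the article.
RECORDS = [
    {"name": "Aroha Ngata",   "email": "aroha@example.invalid",  "age": 34, "town": "Nelson",       "store": "Nelson Central", "rating": 5},
    {"name": "Ben Carter",    "email": "ben@example.invalid",    "age": 37, "town": "Blenheim",     "store": "Blenheim Mall",  "rating": 2},
    {"name": "Chen Wei",      "email": "chen@example.invalid",   "age": 52, "town": "Christchurch", "store": "Riccarton",      "rating": 4},
    {"name": "Dana Ropata",   "email": "dana@example.invalid",   "age": 58, "town": "Timaru",       "store": "Timaru Main",    "rating": 3},
    {"name": "Eli Fraser",    "email": "eli@example.invalid",    "age": 41, "town": "Hamilton",     "store": "Hamilton East",  "rating": 5},
    {"name": "Fatima Hassan", "email": "fatima@example.invalid", "age": 45, "town": "Hamilton",     "store": "Hamilton East",  "rating": 1},
]

# Hypothetical town-to-region mapping used for generalisation (an assumption of this example).
REGION = {
    "Nelson": "Upper South Island", "Blenheim": "Upper South Island",
    "Christchurch": "Canterbury", "Timaru": "Canterbury",
    "Hamilton": "Waikato",
}


def suppress(record, fields=("name", "email", "store")):
    """Suppression: drop the direct identifiers outright."""
    return {k: v for k, v in record.items() if k not in fields}


def generalise(record):
    """Generalisation: replace precise values with broader ones
    (town -> region, exact age -> ten-year band)."""
    out = dict(record)
    out["region"] = REGION[out.pop("town")]
    decade = (out.pop("age") // 10) * 10
    out["age_band"] = f"{decade}-{decade + 9}"
    return out


def aggregate(records):
    """Aggregation: keep only summary counts; the per-person rows are not retained."""
    return Counter("satisfied" if r["rating"] >= 4 else "unsatisfied" for r in records)


def pseudonymise(record, key):
    """Pseudonymisation with a keyed hash (HMAC-SHA256) over the normalised email.
    Without the key the tag cannot be tied back to a person; the key holder can
    still link repeat feedback from the same customer, which is the 'with other
    data' property the table describes."""
    normalised = record["email"].strip().lower().encode()
    tag = hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in ("name", "email")}
    out["customer_id"] = tag  # assumed field name
    return out


def smallest_group(records, quasi_identifiers):
    """Size of the smallest group of records sharing the same quasi-identifier values.
    A group of size 1 means that combination is unique in the dataset, so another
    dataset carrying the same attributes could single that person out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store separately from the de-identified data
    suppressed = [suppress(r) for r in RECORDS]
    generalised = [generalise(r) for r in suppressed]
    print("smallest (age, town) group, suppression only:", smallest_group(suppressed, ("age", "town")))
    print("smallest (age_band, region) group, after generalisation:", smallest_group(generalised, ("age_band", "region")))
    print("aggregate:", dict(aggregate(RECORDS)))
    print("pseudonymised row:", pseudonymise(RECORDS[0], key))
```

The residual-risk check in `smallest_group` is the practical test to run before treating a de-identified dataset as anything other than personal information: if any combination of the attributes you keep is unique, suppression of names alone has not removed the risk the article describes.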
Key Takeaways
Data de-identification is a security method that you can use to remove or hide a piece of data’s identifying details. If the risk of identification is low enough, as it may be where you anonymise the data, you may not need to comply with all of your privacy law obligations. If you would like more information or help with data de-identification at your business, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
Data de-identification refers to the process where you remove or hide the personal identifiers of a dataset so that you cannot immediately identify who the original data was about. You can use de-identification as a security method for your business’ personal information.
Encryption refers to a security process that scrambles your data and presents it in an unreadable format. Only your business, holding the key, can read that data.