
When your business deals with personal information in New Zealand, you qualify as an agency under privacy law. All agencies must comply with the Privacy Act and take steps to maintain their privacy obligations to anyone whose personal information they hold. This responsibility includes protecting personal information against misuse, loss or unauthorised disclosure. One way to potentially protect personal data is de-identification. You may use this security method to protect the information your business holds, but it is not a foolproof safeguard. Therefore, you need to consider various factors when you engage in this process. This article will explain data de-identification and its relevance for meeting your business’ privacy obligations.

What is Data De-Identification? 

When you remove or disguise aspects of your business’ data that could identify a living person, you have de-identified it. As a result, if another party were to look over this de-identified data, they would not be able to immediately recognise who it was about.

For example, say that you ask customers for their feedback about your business. When you report this feedback to your staff, you remove the customer’s name or the store they shopped at. Therefore, your staff cannot initially identify who placed the relevant feedback.

Note that de-identification is not as intensive a process as data anonymisation. If a third party actively put in the effort to re-identify a person from a relevant dataset, then de-identification may not be enough to prevent this.

Is De-Identified Data Personal Information?

The Privacy Act in New Zealand defines personal information as anything about an identifiable individual. Therefore, if you can use your data to identify a living person, it qualifies as personal information, and you need to comply with the laws that protect it.

As a broad definition, this could cover de-identified data. It will depend on:

  • how effective your de-identification methods are;
  • the factual context;
  • the nature of the dataset; and
  • what other data is available about the relevant individual.

Even if you cannot identify who the data is about at first glance, as soon as someone combines it with another piece of data, they may be able to do so. 

For instance, say that you de-identify a client so that their only attached information is ‘antique store owner’ and their general location. However, they are the only antique store owner in the general location that you give. Therefore, it is not unreasonable that someone could identify who they are using the information you give.

Data De-Identification at Your Business

While de-identified data may still qualify as personal information, de-identification is an effective security method for sensitive data. One of your obligations as an agency under privacy law is to secure the personal information you hold. Accordingly, data de-identification can qualify as an appropriate safeguard under this duty because it can hinder or delay re-identification. In a data breach, this can be especially useful for protecting any lost data.

To err on the side of caution, where there is still a risk of identification, you should treat your de-identified data as personal information. Therefore, you need to make sure you:

  • only collect necessary information for a lawful purpose;
  • tell people you collect their personal information;
  • only store data for as long as you need; and
  • do not use personal information for purposes outside of what you told people at collection.

Additionally, you can only handle de-identified data outside of these restrictions if you are certain that there is a low risk of a third party identifying who the information is about. 

For example, if the risk of re-identification is low, you may be able to keep de-identified data after it has met its purpose. If it does not qualify as personal information, you do not need to follow privacy law rules around information disposal.

You will need to balance de-identification with still being able to use the relevant data. So, how you use this security method will depend on your business’ unique circumstances.

How Do I De-Identify Information?

How you de-identify information will depend on the: 

  • nature of the data elements; and
  • what resources your business has available.

You may be able to anonymise data completely and reduce all chances of re-identification. Alternatively, you may use other measures of de-identification that can hinder or delay this instead. Note that what you need to do may vary depending on the kind of information, such as needing more intensive security measures for protected health information. The table below sets out possible methods of de-identification.

Suppression

You remove identifying information, such as names or gender markers, for privacy protection.

Generalisation

You alter the identifying details to be broader and more generalised, such as changing a specific town name to a general region.

Aggregation

You combine the raw identifying data of individuals into a summary of statistics, such as sorting customers into ‘satisfied’ or ‘unsatisfied’. You must remove the original identifying datasets.

Pseudonymisation

You alter the data in some way so that you cannot identify who it is about on its own, but you can with other data. Encryption is a form of pseudonymisation.
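The four methods in the table, applied to a small set of constructed customer-feedback records, as an added example (not part of the original article). The records, the town-to-region mapping and the choice of a keyed HMAC as the pseudonymisation step are all assumptions made for illustration; the last function performs the uniqueness check behind the ‘only antique store owner in the region’ scenario by counting how many records share each combination of remaining quasi-identifiers.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people, not real customers).
RECORDS = [
    {"name": "Ana Rewi", "town": "Kaikoura", "occupation": "antique store owner", "score": 4},
    {"name": "Dev Singh", "town": "Christchurch", "occupation": "antique store owner", "score": 3},
    {"name": "Ben Tau", "town": "Kaikoura", "occupation": "cafe owner", "score": 2},
    {"name": "Cara Li", "town": "Blenheim", "occupation": "cafe owner", "score": 5},
]
# Assumed town-to-region mapping used by the generalisation step.
REGION = {"Kaikoura": "Canterbury", "Christchurch": "Canterbury", "Blenheim": "Marlborough"}


def suppress(rec, fields=("name",)):
    """Suppression: drop direct identifiers entirely."""
    return {k: v for k, v in rec.items() if k not in fields}


def generalise(rec):
    """Generalisation: replace a specific town with its broader region."""
    out = dict(rec)
    out["town"] = REGION.get(rec["town"], "Unknown region")
    return out


def aggregate(records):
    """Aggregation: keep only summary counts; the per-person rows are not returned."""
    return dict(Counter("satisfied" if r["score"] >= 3 else "unsatisfied" for r in records))


def pseudonymise(rec, key: bytes):
    """Pseudonymisation: swap the name for a keyed token (HMAC-SHA256, assumed here).
    Re-linking is only possible for whoever holds the separately stored key."""
    out = suppress(rec)
    out["pseudonym"] = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
    return out


def unique_combinations(records, quasi=("town", "occupation")):
    """Re-identification risk check: quasi-identifier combinations held by exactly one
    record single that person out, as with the lone antique store owner in a region."""
    combos = Counter(tuple(r[q] for q in quasi) for r in records)
    return [c for c, n in combos.items() if n == 1]
```

Running the check before and after generalisation shows the risk falling from four singled-out records to two, which is why the article says de-identification hinders rather than rules out re-identification.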

Key Takeaways

Data de-identification is a security method that you can use to remove or hide a piece of data’s identifying details. De-identified data may still count as personal information; however, if the risk of identification is low enough, as it may be if you anonymise the data, you may not need to comply with all of your privacy law obligations. If you would like more information or help with data de-identification at your business, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is data de-identification?

Data de-identification refers to the process where you remove or hide the personal identifiers of a dataset so that you cannot immediately identify who the original data was about. You can use de-identification as a security method for your business’ personal information.

What is encryption?

Encryption refers to a security process that scrambles your data and presents it in an unreadable format. Only a party holding the key, such as your business, can read that data.
