Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Australia: A guide to anonymisation and pseudonymisation
In Australia, Federal, State, and Territory privacy laws govern anonymisation and pseudonymisation of personal information. Lisa Fitzgerald and Keely O'Dowd, from Lander & Rogers, provide an overview of the laws and guidance governing anonymisation and pseudonymisation in Australia, as well as a look at the scope and permitted uses for such data.
Applicable law
What laws and guidelines govern anonymisation and pseudonymisation?
Commonwealth government agencies and private sector agencies with an annual turnover of AUD 3 million (approx. €1.9 million) or more must comply with the Privacy Act 1988 (Cth) No. 119, 1988 (as amended) ('the Privacy Act'). State and Territory government agencies must comply with their relevant State or Territory privacy laws.
The below table sets out the applicable laws and guidelines. Note, the guidelines are non-binding and published as guidance material only.
Jurisdiction | Legislation | Summary | Guidelines |
Commonwealth | The Privacy Act | Under Australian Privacy Principle ('APP') 2, an individual must have the option of dealing anonymously or using a pseudonym with an APP entity | The Office of the Australian Information Commissioner ('OAIC') APP Guidelines: Chapter 2: APP 2 – Anonymity and pseudonymity1 |
New South Wales | The Privacy and Personal Information Protection Act 1998 No. 133 | No specific law | No specific guidance |
Victoria | The Privacy and Data Protection Act 2014 (No. 60 of 2014) | Under Information Privacy Principle ('IPP') 8, where lawful and practicable, an individual must have the option of not identifying themselves when entering transactions with an organisation | The Office of the Victorian Information Commissioner IPP Guidelines: IPP 8 - Anonymity2 |
Queensland | The Information Privacy Act 2009 | Under National Privacy Principle ('NPP') 8, where lawful and practicable individuals must have the option of not identifying themselves when entering into transactions with a health agency | Office of the Information Commissioner Queensland Guidelines: Anonymity3 |
South Australia | The Premier and Cabinet Circular 012 ('PC 012') - Information Privacy Principles ('IPPS') Instructions | No specific law | No specific guidance |
Tasmania | The Personal Information Protection Act 2014 | Under the Personal Information Protection Principle ('PIPP') 8, where lawful and practicable an individual should have the option of not identifying themselves when transacting with a personal information custodian | No specific guidance |
Western Australia | No specific law | No specific law | No specific guidance |
Northern Territory | The Information Act 2002 | A public sector organisation must give an individual entering transactions with the organisation the option of not identifying themselves unless it is required by law or it is not practicable that the individual is not identified (IPP 8) | Office of the Information Commissioner Northern Territory: Privacy guidance4 |
Australian Capital Territory | The Information Privacy Act 2014 | Under Territory Privacy Principle ('TPP') 2, individuals must have the option of not identifying themselves, or using a pseudonym, when dealing with a public sector agency in relation to a particular matter | No specific guidance |
Scope
What is the definition of anonymisation/pseudonymisation and/or anonymised/psuedonymised data?
The terms 'anonymisation', 'pseudonymisation', 'anonymised', and 'psuedonymised' are not defined terms under Australian privacy laws.
Guidance published by the OAIC states that the terms 'anonymisation' and 'pseudonymisation' are different concepts. The Guidance states:
- Anonymity requires that an individual may deal with an APP entity without providing any personal information or identifiers.
- Pseudonymity requires that an individual may deal with an APP entity by using a name, term, or descriptor that is different to the person's actual name5.
Is it/when is it considered personal data?
Generally, under Australian privacy laws, information will be considered personal information when the information identifies an individual, or an individual is reasonably identifiable from the information.
Anonymised information is unlikely to be personal information if it does not include any identifying information and an individual cannot be identified or reasonably identifiable from the anonymised information on its own or in combination with other data.
Pseudonymised information may be personal information if the information reveals the identity of an individual or an individual is reasonably identifiable from the information.
If anonymised or pseudonymised information is combined with other information in a manner that reveals the identity of an individual or enables an individual to be reasonably identifiable, the likelihood the combined information will be personal information about an individual increases.
Permitted uses
Are there any permitted uses of such data (e.g. business analytics, statistical research)?
Generally, under Australian privacy laws, an organisation is permitted to use or disclose the personal information it collects for the primary purpose for which the information was collected or for a permitted secondary purpose.
An organisation must take reasonable steps to de-identify or destroy personal information it holds when it no longer needs the information for any purpose it is permitted to use or disclose the information (see for example, APP 11 of the Privacy Act).
If personal information is de-identified rendering an individual completely unidentifiable from the information, the de-identified information will no longer be considered personal information.
Australian privacy laws only regulate the collection and handling of personal information and therefore do not apply to de-identified information, provided that information is truly de-identified. Consequently, an organisation can use de-identified information for other purposes such as business analytics, statistical research, and analysis without complying with Australian privacy laws.
Importantly, de-identification of information is a distinct concept to anonymisation and pseudonymisation of data under Australian privacy law.
Anonymisation and pseudonymisation are techniques that can be used to de-identify personal information. However, anonymisation and pseudonymisation of personal information may not render personal information completely unidentifiable. Thus, care must be taken when using anonymised or pseudonymised information to ensure that there is zero risk of an individual being re-identified when using the information for other purposes.
If so, under what circumstances and are there any additional requirements or conditions (e.g. notification to data subjects, security measures)?
Australian privacy laws do not apply to de-identified information. Consequently, requirements such as notice and security measures that apply to personal information do not apply to de-identified information.
Exemptions
Are there any rules which exempt anonymised/psuedonymised data from certain obligations (e.g. exemptions from notifying data breaches or from certain data subject rights)?
Not applicable.
Process for anonymisation and pseudonymisation
Are there any prescribed rules or processes for anonymising/pseudonymising personal data?
There are no prescribed rules or processes for anonymising or pseudonymising personal information under Australian privacy laws.
However, an organisation is generally required to destroy or de-identify personal information when the organisation no longer needs the personal information. The below table sets out the applicable laws.
Jurisdiction | Legislation | Summary |
Commonwealth | The Privacy Act
| An APP entity must take such steps as are reasonable in the circumstances to destroy or de-identify personal information it holds when it no longer needs the information for any purpose for which the information may be used or disclosed and it is not required by law to retain the information (APP 11) |
New South Wales | The Privacy and Personal Information Protection Act | A public sector agency must not keep personal information it holds for longer than is necessary and must securely dispose of the information (IPP 12) |
Victoria | The Privacy and Data Protection Act | An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (IPP 4.2) |
Queensland | The Information Privacy Act | If a health agency no longer needs personal information for any purpose for which the information may be used or disclosed under NPP 2, the agency must take reasonable steps to ensure that an individual can no longer be identified from the personal information (NPP 4) |
South Australia | PC 012 - IPPS Instructions | No specific law |
Tasmania | The Personal Information Protection Act | A personal information custodian must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (PIPP 4) |
Western Australia | No specific law | No specific law |
Northern Territory | The Information Act 2002 | A public sector organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (IPP 4.2) |
Australian Capital Territory | The Information Privacy Act | An agency must take such steps as are reasonable in the circumstances to destroy or de-identify personal information it holds when it no longer needs the information for any purpose for which the information may be used or disclosed and it is not required by law to retain the information (TPP 11) |
Process for combining and sharing data
Are there any prescribed rules and processes for combining or sharing anonymised/psuedonymised data (e.g. risk assessments)?
Generally, organisations are not required to comply with prescribed rules or processes for combining or sharing anonymised or psuedonymised data.
Organisations should complete a Privacy Impact Assessment ('PIA') before undertaking data combining or sharing projects to properly assess the privacy impacts the project may have on individuals, especially if there is a risk the project may result in the re-identification of individuals by combining or sharing data.
Under the Privacy (Australian Government Agencies - Governance) APP Code 2017, Australian Government Agencies must complete a PIA for all high-risk projects or initiatives.
The Data Availability and Transparency Act 2022 (Cth) establishes a framework for Commonwealth, State, and Territory government departments and agencies to share data. The scheme covers all types of data.
Enforcement
Are they any penalties or liability attached to violating the above?
Under the Privacy Act, civil penalties apply where an APP entity engages in serious or repeated interferences with the privacy of one or more individuals (Section 13G). The maximum penalties for privacy breaches under the Privacy Act are the greater of:
- AUD 50 million (approx. €32 million);
- three times the value of any benefit obtained through the misuse of information; or
- 30% of a company's adjusted turnover in the relevant period6.
Lisa Fitzgerald Partner
[email protected]
Keely O'Dowd Senior Associate
[email protected]
Lander & Rogers, Melbourne
1. See: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-2-app-2-anonymity-and-pseudonymity
2. See: https://ovic.vic.gov.au/book/ipp-8-anonymity/
3. See: https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/anonymity
4. See: https://infocomm.nt.gov.au/privacy/collection-of-information
5. See: https://www.oaic.gov.au/__data/assets/pdf_file/0009/1125/app-guidelines-july-2019.pdf
6. Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) received royal assent on 12 December 2022.