
Australia: A guide to anonymisation and pseudonymisation

In Australia, Federal, State, and Territory privacy laws govern anonymisation and pseudonymisation of personal information. Lisa Fitzgerald and Keely O'Dowd, from Lander & Rogers, provide an overview of the laws and guidance governing anonymisation and pseudonymisation in Australia, as well as a look at the scope and permitted uses for such data.


Applicable law

What laws and guidelines govern anonymisation and pseudonymisation?

Commonwealth government agencies and private sector agencies with an annual turnover of AUD 3 million (approx. €1.9 million) or more must comply with the Privacy Act 1988 (Cth) No. 119, 1988 (as amended) ('the Privacy Act'). State and Territory government agencies must comply with their relevant State or Territory privacy laws.

The table below sets out the applicable laws and guidelines. Note that the guidelines are non-binding and are published as guidance material only.

| Jurisdiction | Legislation | Summary | Guidelines |
| --- | --- | --- | --- |
| Commonwealth | The Privacy Act | Under Australian Privacy Principle ('APP') 2, an individual must have the option of dealing anonymously or using a pseudonym with an APP entity | The Office of the Australian Information Commissioner ('OAIC') APP Guidelines: Chapter 2: APP 2 – Anonymity and pseudonymity [1] |
| New South Wales | The Privacy and Personal Information Protection Act 1998 No. 133 | No specific law | No specific guidance |
| Victoria | The Privacy and Data Protection Act 2014 (No. 60 of 2014) | Under Information Privacy Principle ('IPP') 8, where lawful and practicable, an individual must have the option of not identifying themselves when entering transactions with an organisation | The Office of the Victorian Information Commissioner IPP Guidelines: IPP 8 - Anonymity [2] |
| Queensland | The Information Privacy Act 2009 | Under National Privacy Principle ('NPP') 8, where lawful and practicable individuals must have the option of not identifying themselves when entering into transactions with a health agency | Office of the Information Commissioner Queensland Guidelines: Anonymity [3] |
| South Australia | The Premier and Cabinet Circular 012 ('PC 012') - Information Privacy Principles ('IPPS') Instructions | No specific law | No specific guidance |
| Tasmania | The Personal Information Protection Act 2014 | Under the Personal Information Protection Principle ('PIPP') 8, where lawful and practicable an individual should have the option of not identifying themselves when transacting with a personal information custodian | No specific guidance |
| Western Australia | No specific law | No specific law | No specific guidance |
| Northern Territory | The Information Act 2002 | A public sector organisation must give an individual entering transactions with the organisation the option of not identifying themselves unless it is required by law or it is not practicable that the individual is not identified (IPP 8) | Office of the Information Commissioner Northern Territory: Privacy guidance [4] |
| Australian Capital Territory | The Information Privacy Act 2014 | Under Territory Privacy Principle ('TPP') 2, individuals must have the option of not identifying themselves, or using a pseudonym, when dealing with a public sector agency in relation to a particular matter | No specific guidance |

Scope

What is the definition of anonymisation/pseudonymisation and/or anonymised/pseudonymised data?

The terms 'anonymisation', 'pseudonymisation', 'anonymised', and 'pseudonymised' are not defined terms under Australian privacy laws.

Guidance published by the OAIC states that the terms 'anonymisation' and 'pseudonymisation' are different concepts. The Guidance states:

  • Anonymity requires that an individual may deal with an APP entity without providing any personal information or identifiers.
  • Pseudonymity requires that an individual may deal with an APP entity by using a name, term, or descriptor that is different to the person's actual name [5].

Is it/when is it considered personal data?

Generally, under Australian privacy laws, information will be considered personal information when the information identifies an individual, or an individual is reasonably identifiable from the information.

Anonymised information is unlikely to be personal information if it does not include any identifying information and an individual cannot be identified, and is not reasonably identifiable, from the anonymised information on its own or in combination with other data.

Pseudonymised information may be personal information if the information reveals the identity of an individual or an individual is reasonably identifiable from the information. 

If anonymised or pseudonymised information is combined with other information in a manner that reveals the identity of an individual or enables an individual to be reasonably identifiable, the likelihood the combined information will be personal information about an individual increases.

Permitted uses

Are there any permitted uses of such data (e.g. business analytics, statistical research)?

Generally, under Australian privacy laws, an organisation is permitted to use or disclose the personal information it collects for the primary purpose for which the information was collected or for a permitted secondary purpose.

An organisation must take reasonable steps to de-identify or destroy personal information it holds when it no longer needs the information for any purpose it is permitted to use or disclose the information (see for example, APP 11 of the Privacy Act). 

If personal information is de-identified rendering an individual completely unidentifiable from the information, the de-identified information will no longer be considered personal information.

Australian privacy laws only regulate the collection and handling of personal information and therefore do not apply to de-identified information, provided that information is truly de-identified. Consequently, an organisation can use de-identified information for other purposes such as business analytics, statistical research, and analysis without complying with Australian privacy laws.

Importantly, de-identification of information is a distinct concept to anonymisation and pseudonymisation of data under Australian privacy law.

Anonymisation and pseudonymisation are techniques that can be used to de-identify personal information. However, anonymisation and pseudonymisation of personal information may not render personal information completely unidentifiable. Thus, care must be taken when using anonymised or pseudonymised information to ensure that there is zero risk of an individual being re-identified when using the information for other purposes.

If so, under what circumstances and are there any additional requirements or conditions (e.g. notification to data subjects, security measures)?

Australian privacy laws do not apply to de-identified information. Consequently, requirements such as notice and security measures that apply to personal information do not apply to de-identified information.

Exemptions

Are there any rules which exempt anonymised/pseudonymised data from certain obligations (e.g. exemptions from notifying data breaches or from certain data subject rights)?

Not applicable.

Process for anonymisation and pseudonymisation

Are there any prescribed rules or processes for anonymising/pseudonymising personal data?

There are no prescribed rules or processes for anonymising or pseudonymising personal information under Australian privacy laws.

However, an organisation is generally required to destroy or de-identify personal information when the organisation no longer needs the personal information. The table below sets out the applicable laws.

| Jurisdiction | Legislation | Summary |
| --- | --- | --- |
| Commonwealth | The Privacy Act | An APP entity must take such steps as are reasonable in the circumstances to destroy or de-identify personal information it holds when it no longer needs the information for any purpose for which the information may be used or disclosed and it is not required by law to retain the information (APP 11) |
| New South Wales | The Privacy and Personal Information Protection Act | A public sector agency must not keep personal information it holds for longer than is necessary and must securely dispose of the information (IPP 12) |
| Victoria | The Privacy and Data Protection Act | An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (IPP 4.2) |
| Queensland | The Information Privacy Act | If a health agency no longer needs personal information for any purpose for which the information may be used or disclosed under NPP 2, the agency must take reasonable steps to ensure that an individual can no longer be identified from the personal information (NPP 4) |
| South Australia | PC 012 - IPPS Instructions | No specific law |
| Tasmania | The Personal Information Protection Act | A personal information custodian must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (PIPP 4) |
| Western Australia | No specific law | No specific law |
| Northern Territory | The Information Act 2002 | A public sector organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (IPP 4.2) |
| Australian Capital Territory | The Information Privacy Act | An agency must take such steps as are reasonable in the circumstances to destroy or de-identify personal information it holds when it no longer needs the information for any purpose for which the information may be used or disclosed and it is not required by law to retain the information (TPP 11) |

Process for combining and sharing data

Are there any prescribed rules and processes for combining or sharing anonymised/pseudonymised data (e.g. risk assessments)?

Generally, organisations are not required to comply with prescribed rules or processes for combining or sharing anonymised or pseudonymised data.

Organisations should complete a Privacy Impact Assessment ('PIA') before undertaking data combining or sharing projects to properly assess the privacy impacts the project may have on individuals, especially if there is a risk the project may result in the re-identification of individuals by combining or sharing data.

Under the Privacy (Australian Government Agencies - Governance) APP Code 2017, Australian Government Agencies must complete a PIA for all high-risk projects or initiatives.

The Data Availability and Transparency Act 2022 (Cth) establishes a framework for Commonwealth, State, and Territory government departments and agencies to share data. The scheme covers all types of data.

Enforcement

Are there any penalties or liability attached to violating the above?

Under the Privacy Act, civil penalties apply where an APP entity engages in serious or repeated interferences with the privacy of one or more individuals (Section 13G). The maximum penalties for privacy breaches under the Privacy Act are the greater of:

  • AUD 50 million (approx. €32 million);
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of a company's adjusted turnover in the relevant period [6].

Lisa Fitzgerald, Partner
Keely O'Dowd, Senior Associate
Lander & Rogers, Melbourne


1. See: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-2-app-2-anonymity-and-pseudonymity
2. See: https://ovic.vic.gov.au/book/ipp-8-anonymity/
3. See: https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/anonymity
4. See: https://infocomm.nt.gov.au/privacy/collection-of-information
5. See: https://www.oaic.gov.au/__data/assets/pdf_file/0009/1125/app-guidelines-july-2019.pdf
6. Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) received royal assent on 12 December 2022.
