De-Identifying Data: What Australian Businesses Need to Know About Privacy and Compliance

As a business owner in Australia, you probably know how valuable data has become – whether it’s customer information, employee records, or even supplier details. At the same time, privacy regulations like the Privacy Act 1988 (Cth) are getting stricter, and the risks of mishandling personal details are growing.

If you’re looking for ways to use, analyse, or even share information while staying compliant, you’ve likely come across the concept of de-identifying data. But what does “de-identifying” really mean for your business? How do you do it the right way? And what are your ongoing obligations?

In this guide, we’ll walk you through what de-identifying data involves, why it matters for privacy and compliance in Australia, and how to implement best practices. We’ll also answer some common questions about data security, legal documents, and whether de-identified data is truly risk-free. Whether you run an online store, a tech startup, or a traditional retail business, understanding de-identification can help you build trust with your customers and avoid costly mistakes. Let’s dive in.

What Does “De-Identifying Data” Mean in Australia?

“De-identifying” information means removing or altering details from a data set so that individuals can no longer be “reasonably” identified. Under Australian privacy law, this typically involves two key concepts:

• Removing personal identifiers: such as names, addresses, phone numbers, and any unique IDs.
• Altering data to reduce risk of re-identification: for example, aggregating information or masking details so that no single person can be picked out.

According to the Office of the Australian Information Commissioner (OAIC), data is only considered “de-identified” when it is not “about” an identifiable individual and no reasonable steps could be taken to re-identify someone from the information or “other information” available.

Why does this matter? Legally, once data is truly de-identified, it’s no longer “personal information” under the Australian Privacy Principles (APPs) and the Privacy Act. That changes your obligations – but as we’ll see, the bar for true de-identification is high and the risks are real if you get it wrong.

Why Should Australian Businesses Care About De-Identifying Data?

If your business collects, stores, or processes any customer details, de-identifying data can bring several benefits:

• Enhance Privacy & Trust: Customers are increasingly wary of giving out personal details. Showing you care about privacy can set your brand apart.
• Legal Compliance: De-identification can help you comply with the Privacy Act (and related laws) when using or sharing data for secondary purposes, analytics, or research.
• Data Sharing & Innovation: De-identified data is often used for things like benchmarking, machine learning, or sharing insights with partners – without breaching privacy rules.
• Reduced Risk of Breach: Even if a data leak occurs, de-identified information is less likely to result in serious harm or regulatory penalties.

However, there are two sides to this – improper or careless de-identification can actually increase your risk, especially if someone is later able to re-identify individuals (intentionally or otherwise). That’s why it’s crucial to approach de-identification with care and follow legal best practices.

What Are the Legal Requirements for De-Identifying Data in Australia?

Australian businesses need to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) when handling personal information. Here are your key obligations:

• Australian Privacy Principles (APPs): These principles apply to any “personal information” collected or held by most Australian businesses. You must have a clear and compliant Privacy Policy, and disclose how you collect, use, and store data.
• De-identification Under the Law: De-identified information is exempt from some requirements, but only if it’s genuinely non-identifiable. The OAIC warns that de-identification is a “process, not a fixed state” – so you need to keep reviewing whether de-identified data could be matched with other data and re-identified.
• Data Breach Reporting: Under the Notifiable Data Breaches (NDB) scheme, you are required to notify affected individuals and the OAIC if a breach is likely to cause serious harm – unless the data was de-identified and there’s no risk of identification.
• Other Regulations: In certain industries (such as health, finance, or government contracts), sector-specific privacy rules may apply. Always check for additional requirements.

It’s important to note: Not all businesses are covered by the Privacy Act, but most companies with annual revenue over $3 million, or those that trade in personal information (including online businesses), are automatically included.

To learn about your privacy obligations and when you need a Privacy Policy, check out our dedicated guide.

How Do You Properly De-Identify Data?

There’s no “one size fits all” approach to de-identifying data, as the risks and techniques depend on your data, your business, and how the information may be used. However, here is a practical process most Australian businesses can follow:

1. Assess What Needs De-Identifying

Start by listing all the types of personal information your business collects or stores. This includes customer records, email addresses, purchase histories, demographic details, and any analytics data. Think broadly – even indirect identifiers (like locations or unique behaviours) can put privacy at risk.

2. Choose Your De-Identifying Methods

There are a few standard techniques used to de-identify data:

• Masking or Redacting: Removing or scrambling direct identifiers like names, addresses, membership numbers, etc.
• Aggregation: Summarising or grouping data so specific individuals can’t be singled out (e.g., reporting sales by suburb instead of by customer).
• Pseudonymisation: Replacing identifiers with a code or pseudonym (but remember: if you keep a “key” that matches codes to individuals, the data might still be personal information).
• Data Perturbation: Adding small noise or changes to obscure precise information (common in analytics or machine learning datasets).

It’s wise to combine several methods for extra safety, and always test whether a “motivated intruder” (someone with access to other public data) could re-identify individuals in your data set.

3. Review and Test for Re-Identification Risk

Just removing names and emails often isn’t enough. Think about what other data could combine with your de-identified set to “rebuild” identities. For example, could someone match birth dates, zip codes, and purchase dates to re-identify a customer?

The OAIC encourages regular risk assessments for re-identification, especially if data sets are to be publicly released or shared with third parties.

4. Document Your Process and Controls

Keep written records of what information was removed, how the data was altered, and any tests you used to check for re-identification risk. This shows you’ve taken “reasonable steps” and can be helpful if you ever need to explain your actions to regulators or in the event of a complaint.

If you’re unsure about your approach, speak with a legal expert – we can help you assess risk and build reliable de-identification procedures.

When Is De-Identified Data Still “Personal Information”?

This is a tricky area where many Australian businesses get caught out. Data is only truly de-identified if “no individual is reasonably identifiable.” But if it’s technically possible to match your de-identified records with other data (even outside your organisation), then those records may still be considered “personal information.”

For example:

• If you replace names with codes but anyone in your business can link those codes to customer profiles, the information is not “de-identified.”
• If your dataset includes rare combinations of demographic details (like a very specific job title and suburb), someone could potentially pinpoint the individual behind each record.

In practice, whether data is truly de-identified depends on the context, the data, and the safeguards you apply. The OAIC (and courts) will look closely at whether you took “reasonable steps” to protect privacy.

Data Breach Risks and Ongoing Compliance

With privacy compliance on the rise, Australian businesses face real risks if their de-identified data is later involved in a breach or is re-identified. Here’s what you need to know for ongoing compliance:

• Implement Strong Security Measures: Just because data is de-identified doesn’t mean you can relax your cyber security. Hackers or internal actors can sometimes restore identifying details, especially if other business systems are compromised. Refer to our guide on storing credit card details and business security.
• Review Regularly: As new technology and data sources emerge, the risk of re-identification changes. Regularly review your data processes and update them as needed.
• Enable Limited Access: Only allow staff who truly need access to the data to see even de-identified sets, and have clear internal policies for data handling.
• Be Transparent in Your Policies: Update your Privacy Policy and collection notices to explain how you de-identify and use data. Transparency builds trust and helps avoid misunderstandings with customers.
• Respond Quickly to Breaches: If a de-identified dataset is used in a way that could put privacy at risk, you may need to take remedial steps or notify affected individuals (and the OAIC), under the data breach notification scheme.

The safest approach is to treat de-identification as an ongoing commitment, not a one-time fix.

What Legal Documents and Procedures Should You Have in Place?

To manage de-identification and privacy risks effectively, it’s important to put the right legal documents and procedures in place. Here are some essentials for most Australian businesses:

• Privacy Policy: Clearly state if, how, and why you de-identify data, and what steps you take to ensure privacy protection. This is legally required for most businesses collecting personal information. See our guide on Privacy Policies in Australia.
• Data Breach Response Plan: Set out step-by-step actions in case of a breach, including who must be notified and what remedial actions to take. Having a documented plan can limit liability and help you comply with notifiable breach requirements.
• Confidentiality and Non-Disclosure Agreements (NDAs): Use these when sharing potentially sensitive or de-identified data with contractors, partners, or third-party service providers. Learn more about NDAs and why they matter.
• Employee Data Handling Policy: Internal policies explaining staff responsibilities, security steps, and training on de-identifying and protecting data.
• Data Processing Agreement: If you contract third-party vendors to process data (for hosting, analytics, marketing, etc.), include strict terms about de-identification, security, and notification obligations.
• Access Request Forms: Make it easy for customers to request details of data held about them, or to make corrections, in line with your transparency obligations.

Not every business will need every one of these documents, but most will require several. If you’re unsure which contracts and policies apply, speak with a legal expert to have them tailored for your needs.

Best Practices for De-Identifying Data in Your Business

Going beyond the bare legal minimum can spare you from headaches down the road (and help you stand out as a privacy-first brand). Here are some practical tips:

• Minimise Data Collection: Only collect information you actually need. The less you hold, the less you have to de-identify and secure.
• Stay Up-To-Date: Privacy laws, customer expectations, and technology are constantly changing. Review your de-identification approach regularly and seek advice on upcoming privacy changes in Australia.
• Educate Your Team: Train staff on privacy risks and procedures for de-identifying information and responding to requests or breaches.
• Test Your Processes: Periodically attempt to re-identify records as a quality check. Consider working with privacy professionals to “red team” your data before sharing it externally.
• Build Privacy by Design: Integrate privacy and de-identification into your product or service from day one, not as an afterthought. This might include technical safeguards, access controls, and regular monitoring.

Frequently Asked Questions About De-Identifying Data

Can De-Identified Data Become “Personal Information” Again?

Yes – if data can be linked with other information (now or in the future) and a person can be “reasonably” identified, it is still personal information. This risk is why ongoing reviews are essential.

Is De-Identification Enough to Avoid Data Breach Obligations?

Not always. If a breach occurs and affected information could be re-identified, reporting obligations under the NDB scheme may still apply. Always err on the side of caution and seek advice if unsure.

Do I Need Consent to De-Identify Customer Data?

Generally, you don’t need further consent to de-identify information for security or compliance purposes, but you should be transparent in your Privacy Policy about how you use and anonymise data.

Can I Share or Sell De-Identified Data?

Sharing de-identified data for analytics, research, or commercial purposes can be legal, but only if the risk of re-identification is adequately managed. Include strong NDAs and review any third-party arrangement carefully.

Key Takeaways

• De-identifying data means removing or altering details so individuals can’t reasonably be identified, which helps you meet privacy law requirements in Australia.
• Proper de-identification combines several methods and requires regular reviews for re-identification risks.
• Once data is truly de-identified, it’s usually no longer regulated as “personal information” under the Privacy Act – but the bar for this is high.
• Your business still needs essential legal documents like a Privacy Policy, NDAs, and a Data Breach Response Plan to manage ongoing risk.
• It’s wise to train your staff, regularly review your processes, and seek tailored legal advice to stay up to date with privacy compliance.

If you’d like a consultation on de-identifying data and privacy compliance for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.