Office of the Privacy Commissioner | Care is needed with data anonymisation
Privacy Commissioner Michael Webster says agencies using data anonymisation and de-identification techniques are accountable for making sure they protect people’s privacy.
The Privacy Act allows anonymised information to be disclosed if it doesn’t risk revealing personal details about identifiable people. The Commissioner’s expectation is that information would be successfully anonymised and there be no reasonable likelihood of re-identification.
Care is needed because the inadvertent release of personal information through re-identification may result in serious harm to individuals.
Protective steps that can be taken include:
- Ensuring a Privacy Impact Assessment (PIA) is done for any significant project that uses people’s personal information to fully understand the scope of how personal information could be re-identified.
- Removing any information that could potentially be used to re-identify an individual.
- Where information is being provided to a third party, ensure you and they understand and comply with their privacy obligations.
OPC has had privacy concerns raised with us from members of the public about IRD’s use of taxpayers’ personal information and hashing. OPC has contacted IRD for information so we can assess if this practice raises issues under the Privacy Act.