
Australia: A guide to anonymisation and pseudonymisation

February 21, 2023
Summary

In Australia, anonymisation and pseudonymisation of personal information are governed by Federal, State, and Territory privacy laws, with the Privacy Act 1988 being applicable to Commonwealth government agencies and private sector agencies with an annual turnover of AUD 3 million or more. Anonymisation allows individuals to deal with entities without providing personal information, while pseudonymisation involves using a different name or descriptor. De-identified information can be used for purposes like business analytics without complying with privacy laws, but care must be taken to ensure no risk of re-identification. There are no prescribed rules for anonymisation or pseudonymisation, but organisations must destroy or de-identify personal information when no longer needed, and civil penalties apply for serious privacy breaches.

Applicable law

What laws and guidelines govern anonymisation and pseudonymisation?

Commonwealth government agencies and private sector agencies with an annual turnover of AUD 3 million (approx. €1.9 million) or more must comply with the Privacy Act 1988 (Cth) No. 119, 1988 (as amended) ('the Privacy Act'). State and Territory government agencies must comply with their relevant State or Territory privacy laws. The table below sets out the applicable laws and guidelines. Note that the guidelines are non-binding and published as guidance material only.

Jurisdiction | Legislation | Summary | Guidelines
Commonwealth | The Privacy Act | Under Australian Privacy Principle ('APP') 2, an indiv
