Many businesses and researchers collect and retain personal information and data. De-identifying that information in an information asset may enable the business or researcher to share or publish it without compromising individual privacy. This can be important, as organisations face strong pressures in a data driven economy to maximise the utility and value of information assets by sharing and publishing information and data.
Businesses and researchers that are an ‘organisation’ for the purposes of the Privacy Act 1988 are required to destroy or de-identify personal information in some circumstances.
For example, the Privacy Commissioner’s Tax File Number Guidelines issued under s 17 of the Privacy Act require reasonable steps to securely destroy or permanently de-identify tax file number information where it is no longer required by law to be retained or no longer necessary for a purpose under taxation law, personal assistance law or superannuation law (including the administration of such law).
Organisations are also required under National Privacy Principle (NPP) 4 to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. From 12 March 2014 the NPPs will be replaced by the Australian Privacy Principles (APPs), which include new de-identification obligations in APPs 4 and 11. New de-identification obligations for credit reporting bodies will also apply from this date.