
Asia-Pacific privacy authorities publish data anonymisation guide


On 1 August 2025, the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”), and the Personal Data Protection Bureau, Macao (“PDPB”), in collaboration with seven other privacy and data protection authorities across Australia (Victoria), Canada (Federal and British Columbia), Japan, South Korea, New Zealand, and Singapore, jointly published the Guide to Getting Started with Anonymisation (the “Anonymisation Guide”). The release was unanimously approved at the 63rd Asia Pacific Privacy Authorities (APPA) Forum, marking a concerted regional commitment to data privacy and the creation of international data sharing standards.

How to achieve Practical Anonymisation?

Anonymisation is the process of converting personal data into data that can no longer be used to identify an individual, either alone or in combination with other information. The Anonymisation Guide provides organisations with a practical, standards-aligned framework to implement anonymisation strategies for data. While written from a technical perspective, the Anonymisation Guide is globally relevant and intentionally non-prescriptive to accommodate legal variations across jurisdictions. It serves as practical guidance and a reference for organisations seeking to gain insights from data while still providing privacy protection to data subjects, particularly those in the healthcare, finance, marketing, and AI development sectors.

The publication complements legal obligations under existing data protection laws such as the APPI (Japan), PDPA (Singapore), PIPA (South Korea), etc. It also refers to the ‘Information Security, Cybersecurity and Privacy Protection – Privacy Enhancing Data De-identification Framework’ (ISO/IEC 27559:2022) (the “ISO Standard”), which recognises that anonymisation must be tailored to the context in which data is shared and used as well as the governance practices in place within an organisation.

Key Framework: The Five-Step Process

The Anonymisation Guide offers a five-step approach that organisations can tailor to their specific operational and legal contexts:

  1. Know Your Data: Data has varying levels of identifiability and sensitivity to an individual. Organisations should classify attributes as direct (e.g., name), indirect (e.g., birth date), or target identifiers (e.g., an individual’s health diagnosis) based on identifiability and sensitivity.
  2. Remove Direct Identifiers: Eliminate direct identifiers such as names or ID numbers, and if necessary, assign robust pseudonyms, meaning that the pseudonym should not contain identifiable information and should not be reversible by guessing the original direct identifier values.
  3. Apply Anonymisation Techniques: Implement strategies including masking (replacing original data with fictitious but realistic-looking values), generalisation (reducing the precision of data to make it less identifiable, e.g., ‘23’ becomes ‘20-30’), sampling (using a subset of the data instead of the full dataset), and data swapping (exchanging values between records, e.g., swapping ZIP codes between two individuals) to ensure that the indirect identifiers cannot be combined with other datasets to re-identify the individual. Organisations should deliberately choose methods they determine to be appropriate to the data's structure and its intended use.
  4. Assess Re-identification Risk: Use methods and tools like k-anonymity and Special Unique Detection Algorithms (SUDA), then conduct a ‘motivated intruder’ test to evaluate the residual risk of re-identification. The ‘motivated intruder test’ considers if individuals can be re-identified from anonymised data by someone who is motivated, reasonably competent, has access to public or private linkable information (e.g., commercially or publicly available datasets) and employs standard investigative techniques (e.g. inferences).
  5. Manage Re-identification Risk: Apply technical, contractual, and governance safeguards such as access controls, usage restrictions, and audit trails to mitigate any residual risk of re-identification after anonymisation techniques have been applied to data.
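
Steps 2 to 4 of the list above, run on a small constructed dataset; this is an added example and is not taken from the Anonymisation Guide or from this article. The field names, the demo key, the HMAC-based pseudonym and the record-suppression step are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration only.
RECORDS = [
    {"name": "Alice Tan", "age": 23, "postcode": "2000", "diagnosis": "asthma"},
    {"name": "Ben Lee", "age": 27, "postcode": "2010", "diagnosis": "diabetes"},
    {"name": "Chen Wei", "age": 29, "postcode": "2042", "diagnosis": "asthma"},
    {"name": "Dana Ng", "age": 34, "postcode": "3051", "diagnosis": "flu"},
    {"name": "Eli Park", "age": 38, "postcode": "3070", "diagnosis": "asthma"},
    {"name": "Fay Wong", "age": 61, "postcode": "4000", "diagnosis": "diabetes"},
]
QUASI = ("age_band", "postcode_area")  # indirect identifiers after step 3
DEMO_KEY = b"constructed-demo-key"  # assumption: real keys are random and stored apart from the data

def pseudonym(value: str, key: bytes) -> str:
    """Step 2: keyed pseudonym; hashing guessed names without the key does not reproduce it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def generalise_age(age: int, width: int = 10) -> str:
    """Step 3: generalisation, e.g. 23 -> '20-30'."""
    low = age // width * width
    return f"{low}-{low + width}"

def anonymise(rec: dict, key: bytes) -> dict:
    """Steps 2-3: drop the direct identifier, coarsen indirect ones, keep the target attribute."""
    return {
        "pid": pseudonym(rec["name"], key),
        "age_band": generalise_age(rec["age"]),
        "postcode_area": rec["postcode"][:2] + "**",
        "diagnosis": rec["diagnosis"],
    }

def k_anonymity(rows: list, quasi: tuple = QUASI):
    """Step 4: k is the smallest equivalence-class size; also return the classes of size 1."""
    classes = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(classes.values(), default=0), [c for c, n in classes.items() if n == 1]

def suppress_below_k(rows: list, k: int, quasi: tuple = QUASI) -> list:
    """Assumed mitigation (not named in the article): drop records in classes smaller than k."""
    classes = Counter(tuple(r[q] for q in quasi) for r in rows)
    return [r for r in rows if classes[tuple(r[q] for q in quasi)] >= k]

if __name__ == "__main__":
    rows = [anonymise(r, DEMO_KEY) for r in RECORDS]
    print(k_anonymity(rows))
    print(k_anonymity(suppress_below_k(rows, 2)))
```

A k of 1 means at least one record is unique on its indirect identifiers and is the first candidate for linkage in a motivated intruder test; the choice of threshold and of how to treat such records remains a context-dependent decision under steps 4 and 5.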

If after Step 5, the risk of re-identification is not low enough for the data to be considered anonymised, then the data would still be considered identifiable and data protection laws would continue to apply to the data. In certain jurisdictions, applying mitigation measures may be viewed as a condition of rendering the data ‘pseudonymised’ (i.e., where personal data with identifying details like names are replaced with identifiers such as codenames or serial numbers, which could be reversed by someone who has access to the information that links the fake identifiers back to real identities), as opposed to ‘anonymised’, while other jurisdictions may consider the application of such mitigation measures as part of a collective risk-based approach to anonymisation. Organisations should consult their respective jurisdictions’ regulations for the appropriate interpretation.

This iterative 5-step model reinforces that anonymisation is not a one-time transformation but rather a risk-guided process requiring continuous monitoring. Periodic reviews which account for evolving technologies and techniques should be conducted to ensure the risk of re-identification remains low over time.

Annex B of the Anonymisation Guide provides a hypothetical case study illustrating the application of the five steps above, which acts as helpful guidance for organisations looking to implement the Anonymisation Guide.

Jurisdictional and Industry Relevance

The Anonymisation Guide acknowledges that definitions of "anonymised" and "pseudonymised" data may differ by legal system. For instance, some privacy regimes require organisations to treat pseudonymised data as still within the scope of personal data. The publication addresses this jurisdictional variance by offering adaptable principles grounded in technical best practices from across international standards, including:

  • The ISO/IEC 27559 – Privacy Enhancing Data De-Identification Framework: This standard provides useful considerations for conducting context assessments (i.e., evaluating the environment data is made available to recipients in), data assessments (i.e., understanding the features of the data and modelling potential attacks that could exploit vulnerabilities), identifiability assessments and mitigation measures (e.g., reconfiguring the environment or transforming the data), and governance (i.e., establishing principles, policies, and procedures to manage data processing activities and ensure compliance with data security).
  • The ISO/IEC 20889:2018 – Classification of De-Identification Techniques: The standard classifies de-identification techniques according to their characteristics and their applicability for reducing the risk of re-identification.

Regional endorsements further strengthen the Anonymisation Guide’s applicability. Authorities in Hong Kong and Macao have translated it into Chinese to facilitate adoption, while the Anonymisation Guide echoes and aligns with local pseudonymisation frameworks in Australia and South Korea, such as Australia’s Privacy Principle 2 on anonymity and pseudonymity, and South Korea’s Guidelines on Processing Pseudonymized Data.

Implications for Clients Globally

Organisations operating across borders can leverage the Anonymisation Guide to:

  • Reduce regulatory risk when sharing or processing data internationally;
  • Ensure responsible AI deployment with anonymised training data; and
  • Design privacy governance programs consistent with evolving privacy laws.

Conclusion

The Anonymisation Guide signals a collective regulatory effort to support organisations’ data use while still safeguarding privacy. It bridges the gap between the technical implementation of and legal compliance with key privacy concepts such as anonymisation, de-identification, pseudonymisation and more, by offering clear techniques for organisations to safely and robustly anonymise personal data.

Should you need assistance or have enquiries about whether and how this new Advisory affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.
