Consider the alternative when asking for personal information

If your business collects personal information from its customers or clients, you’re required to protect that information from misuse, interference and loss.

You can help your business to meet these obligations and minimise privacy risks by collecting de-identified information as an alternative to collecting personal information, where appropriate.

Personal information is ‘de-identified’ if an individual can no longer be reasonably identified from the information.

De-identification involves two steps:

  1. Removing direct identifiers; and
  2. Either i) removing or altering other information that could potentially be used to re-identify an individual, and/or ii) using controls and safeguards to prevent re-identification.

If the information your business has collected is no longer needed, you must take reasonable steps to securely destroy or de-identify that information, unless it is necessary for a record-keeping or legal purpose.

For more information on de-identified information head to