Guide to Getting Started with Anonymisation
In June of this year, my Office, together with eight privacy or data protection authorities from the Asia-Pacific region, released the “Guide to Getting Started with Anonymisation” (the “Anonymisation Guide”), which offers practical guidance to organisations on how to anonymise personal data. The Anonymisation Guide is available at the following link:
https://www.pcpd.org.hk/english/resources_centre/publications/files/appa_anonymisation_guide072025.pdf
“Anonymisation” generally refers to the process of converting personal data such that it can no longer be used to identify an individual. If data is fully anonymised to an extent that it is not reasonably practicable to directly or indirectly ascertain the identity of an individual therefrom, it no longer constitutes “personal data” under the Personal Data (Privacy) Ordinance (the “PDPO”). The processing of such anonymised data therefore falls outside the scope of the PDPO.
Various anonymisation techniques are currently available. Their main objective is to reduce the risk of re-identification, i.e. the possibility of linking anonymised data back to a specific individual, while preserving the utility of the data for important applications such as statistical analysis and research.
From the perspective of protecting personal data privacy, anonymisation plays a pivotal role in minimising the amount of personal data involved in artificial intelligence (“AI”) models, especially in the contexts of customisation and deployment. As detailed in the “Artificial Intelligence: Model Personal Data Protection Framework” published by my Office last year, organisations as data users are encouraged to apply anonymisation techniques at different stages of the data lifecycle to protect the personal data in their possession.
For instance, Data Protection Principle 3 of the PDPO states that personal data should not be used for purposes other than the original purpose of collection, or any directly related purposes. Therefore, if the use of personal data to train and/or customise an AI model is incompatible with the original purpose, organisations should either obtain express and voluntary consent from the data subject or anonymise personal data before feeding it into the AI model for such purposes.
As revealed in compliance checks conducted by my Office earlier this year, 80% of the organisations examined used AI in their day-to-day operations; among them, 50% collected and/or used personal data through AI systems. Given the growing prevalence of AI adoption in Hong Kong, anonymisation is expected to become a viable solution for organisations to protect the privacy rights of individuals while maintaining data utility.
Key Takeaways from the Anonymisation Guide
The Anonymisation Guide introduces basic anonymisation concepts and outlines five recommended steps for organisations to follow when anonymising personal data. They are:
Step one: Know your data
Before performing anonymisation, organisations must identify the nature of the data in question, including which attributes are direct identifiers and which are indirect identifiers that could reveal an individual's identity when combined with other information.
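By way of illustration only, the outcome of this step can be thought of as an inventory that labels each attribute in a dataset. The attribute names and categories in the following Python sketch are hypothetical and are not taken from the Anonymisation Guide:

# Hypothetical illustration of step one: classifying each attribute of a
# dataset before anonymisation. Names and categories are examples only.
ATTRIBUTE_CATEGORIES = {
    "name": "direct identifier",
    "id_number": "direct identifier",
    "age": "indirect identifier",
    "district": "indirect identifier",
    "purchase_total": "other data",
}

def attributes_by_category(categories):
    """Group attribute names by the category assigned to them."""
    grouped = {}
    for attribute, category in categories.items():
        grouped.setdefault(category, []).append(attribute)
    return grouped

for category, attributes in attributes_by_category(ATTRIBUTE_CATEGORIES).items():
    print(category + ": " + ", ".join(attributes))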
Step two: Remove direct identifiers
Upon categorising the data, organisations should remove direct identifiers, such as names, from the dataset.
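By way of illustration only, a minimal Python sketch of this step (with invented field names and records) might look like this:

# Hypothetical illustration of step two: removing direct identifiers
# ("name" and "id_number" in this invented example) from each record.
DIRECT_IDENTIFIERS = {"name", "id_number"}

def remove_direct_identifiers(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Return copies of the records with all direct identifiers removed."""
    return [
        {field: value for field, value in record.items()
         if field not in direct_identifiers}
        for record in records
    ]

records = [
    {"name": "Person A", "id_number": "X1234567", "age": 34, "district": "Sha Tin"},
    {"name": "Person B", "id_number": "Y7654321", "age": 29, "district": "Yuen Long"},
]
print(remove_direct_identifiers(records))
# Each resulting record retains only "age" and "district".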
Step three: Apply anonymisation techniques
Organisations should apply anonymisation techniques to indirect identifiers to prevent the identities of the individuals concerned from being ascertained by combining the indirect identifiers with other data.
It is important to choose techniques that are appropriate to the dataset and aligned with the purposes for which the data will be used. Organisations seeking available anonymisation techniques may refer to well-established international standards, such as ISO/IEC 20889.
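One commonly used technique is generalisation, i.e. replacing a precise value of an indirect identifier with a broader one. The following Python sketch is illustrative only; the age bands and the district-to-region grouping are arbitrary choices made for the example:

# Hypothetical illustration of step three: generalising indirect identifiers
# so that exact values are replaced by broader categories.
def generalise_age(age, band_width=10):
    """Replace an exact age with an age band, e.g. 34 -> '30-39'."""
    lower = (age // band_width) * band_width
    return f"{lower}-{lower + band_width - 1}"

REGION_BY_DISTRICT = {  # invented grouping for illustration
    "Sha Tin": "New Territories",
    "Yuen Long": "New Territories",
    "Wan Chai": "Hong Kong Island",
}

def generalise_record(record):
    """Generalise the indirect identifiers of a single record."""
    generalised = dict(record)
    generalised["age"] = generalise_age(record["age"])
    generalised["district"] = REGION_BY_DISTRICT.get(record["district"], "Other")
    return generalised

print(generalise_record({"age": 34, "district": "Sha Tin", "purchase_total": 880}))
# {'age': '30-39', 'district': 'New Territories', 'purchase_total': 880}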
Step four: Assess re-identification risks
Organisations should then assess whether the anonymised data still carries a risk of identifying the individuals concerned and, based on the assessment results, determine whether the anonymisation is sufficient. If it is not, organisations may need to repeat the above steps or adjust the anonymisation technique(s) applied.
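One common (though by no means the only) way to quantify this risk is a k-anonymity style check: every combination of indirect identifiers should be shared by at least k records. The following Python sketch is illustrative only, and the threshold k is an arbitrary choice:

# Hypothetical illustration of step four: flagging combinations of indirect
# identifiers that are shared by fewer than k records.
from collections import Counter

def risky_groups(records, indirect_identifiers, k=5):
    """Return identifier combinations that appear in fewer than k records."""
    counts = Counter(
        tuple(record[field] for field in indirect_identifiers)
        for record in records
    )
    return {combination: count for combination, count in counts.items() if count < k}

anonymised = [
    {"age": "30-39", "district": "New Territories"},
    {"age": "30-39", "district": "New Territories"},
    {"age": "20-29", "district": "Hong Kong Island"},
]
print(risky_groups(anonymised, ["age", "district"], k=2))
# {('20-29', 'Hong Kong Island'): 1} -- this group may need further treatment.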
Step five: Manage re-identification risks
Lastly, to address any residual risk that remains after the anonymisation techniques have been applied, organisations should implement corresponding risk mitigation measures, such as restricting the use of the data to the intended purposes and limiting access to the data to the intended personnel.
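By way of illustration only, such restrictions can be expressed as a simple access check. The roles and purposes in this Python sketch are invented for the example and are not drawn from the Anonymisation Guide:

# Hypothetical illustration of step five: releasing anonymised data only
# for approved purposes and to approved personnel.
APPROVED_PURPOSES = {"statistical_reporting", "service_improvement_research"}
APPROVED_ROLES = {"data_analyst", "research_officer"}

def may_access(requester_role, stated_purpose):
    """Allow access only to intended personnel and for intended purposes."""
    return requester_role in APPROVED_ROLES and stated_purpose in APPROVED_PURPOSES

print(may_access("data_analyst", "statistical_reporting"))  # True
print(may_access("marketing_staff", "direct_marketing"))    # False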
In an age where data is the new currency, organisations routinely handle vast amounts of personal data in their operations. Their responsibilities have gradually evolved from mere compliance to meeting public expectations of accountability and robust safeguards around data security and AI security. As the race to adopt AI and other emerging technologies accelerates, so too does organisations' responsibility to implement effective measures to manage any privacy risks that may arise. Although anonymisation is only one of the possible measures to reduce privacy risks, organisations are encouraged to get started with anonymisation in order to remove or reduce the amount of personal data involved when they deploy or customise AI models in their business operations.