Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS Hong Kong
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in Focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

Appa issues practical guide on data anonymisation

08 Jul 2025 APAC 8 min read

On 11 June 2025, the Asia Pacific Privacy Authorities (“APPA”), a forum of data protection and privacy regulators from Australia, Canada, Hong Kong, Macao, Japan, New Zealand, Singapore, and South Korea, published the Guide to Getting Started with Anonymisation (“Guide”). Developed by the APPA Technology Working Group, this Guide is a practical, entry-level resource aimed at organisations beginning their anonymisation journey, especially those working with structured, textual, and non-complex datasets.

The Guide is non-binding and serves as a best-practice framework, not a legal requirement. It is particularly useful for data protection officers, compliance professionals, IT and data governance teams, and anyone responsible for handling personal data in the Asia Pacific region. The Guide demystifies anonymisation, provides step-by-step instructions, and references both international standards and local regulatory guidance, making it accessible to those with limited prior experience.

Why this Guide is Useful

  • Beginner-Friendly: Designed for those new to anonymisation, with clear explanations and practical steps.
  • Non-Binding but Instructive: Developed by respected privacy authorities, offering credible and practical guidance.
  • Comprehensive and Practical: Includes a stepwise process, real-world examples, and further resources.
  • Jurisdictionally Relevant: References local laws and guidance, helping users adapt recommendations to their own regulatory context.

Overview of Anonymisation

The Guide defines anonymisation (or de-identification under some countries’ data protection laws), at a technical level, as “the process of converting personal data into data that can no longer be used to identify an individual, either alone or in combination with other information, by taking reasonable measures that reflect the current state of the art”.

The Guide emphasises that proper anonymisation requires both a thorough understanding of the data context and technical competency. Organisations are encouraged to engage specialists where anonymisation of personal data is complex or the organisation lacks the necessary expertise.

The Anonymisation Process

The Guide outlines a five-step anonymisation process, designed to assist organisations in systematically reducing the risk of re-identification while preserving the utility of the data:

  • Know Your Data:  Identify which data attributes are direct identifiers (e.g., name), indirect identifiers (e.g., birth date, gender, postal code), and target attributes (the main utlity of the dataset, such as health diagnosis).
     
  • Remove Direct Identifiers: Delete all direct identifiers from the dataset. If needed, assign pseudonyms that cannot be easily reversed.
     
  • Apply Anonymisation Techniques:  Use methods like data suppression, masking, generalisation, adding noise, sampling, or data swapping on indirect identifiers. Choose techniques that fit the dataset and its intended use.
     
  • Assess Re-identification Risks:  Measure the risk of someone being re-identified using methods like k-anonymity (where a higher k means lower risk). The Guide suggests aiming for a k value of at least 5 and using other tools if needed. It also recommends a “motivated intruder” test to see if a determined person could re-identify someone. The Guide also suggests repeating steps 1-3 iteratively until the data is sufficiently anonymised. 
     
  • Manage Re-identification Risks:  Address any remaining risks with technical, contractual, and governance measures such as access controls, usage restrictions, and keeping records of the anonymisation process.

Ongoing Governance and Review

The Guide stresses the need for ongoing governance, namely:

  • Setting up policies and procedures for data processing activities and compliance.
  • Conducting regular reviews to ensure anonymisation remains effective.
  • Keeping detailed records of the anonymisation process and safeguards implemented.

International Standards and Further Resources

The Guide references international standards (ISO/IEC 20889:2018 and ISO/IEC 27559:2022) and provides an annex of resources and regulatory guidance from APPA member jurisdictions. This helps organisations align their practices with both global and local requirements.

Comparison of this Guide and the ASEAN Guide on Data Anonymisation (“ASEAN Guide”)

The Guide distinguishes itself from the ASEAN Guide in several ways, while still serving a similar purpose of supporting organisations in their anonymisation efforts:

  • Practicality and Accessibility: The Guide is designed to be highly practical and accessible for beginners. It provides a clear, step-by-step process, real-world case studies, and practical examples, making it easier for organisations with limited experience to implement anonymisation. In contrast, the ASEAN Guide tends to be more conceptual and less focused on hands-on application, which may be less approachable for those new to the topic.
     
  • Focus on Residual Risk and Governance: The Guide places strong emphasis on managing residual re-identification risks through technical, contractual, and governance measures. It advocates for ongoing governance, regular reviews, and detailed record-keeping to ensure anonymisation remains effective over time. The ASEAN Guide, while recognising the importance of risk management, generally provides less detailed guidance on ongoing governance and practical risk mitigation.
     
  • Jurisdictional Flexibility and Legal Nuance: The Guide acknowledges the differences in legal definitions and requirements across Asia-Pacific jurisdictions. It encourages users to consult local regulatory guidance and adapt the recommended practices accordingly. The ASEAN Guide, by comparison, is more general in its legal approach and may not address jurisdiction-specific nuances as thoroughly.
     
  • Use of International Standards: The Guide references and discusses the limitations of international standards such as ISO/IEC 20889 and ISO/IEC 27559, helping users understand how these fit within local legal frameworks. The ASEAN Guide also references international standards but does not provide as much practical advice on their application or limitations.
     
  • Comprehensive Resources and Tools: The Guide includes an extensive annex of further reading, tools, and regulatory resources from APPA member jurisdictions, supporting organisations in finding additional, locally relevant guidance. The ASEAN Guide’s resource section is generally less comprehensive.
     
  • Collaborative Multi-Jurisdictional Approach: The Guide is the product of collaboration among multiple privacy authorities across the Asia-Pacific, reflecting a broad range of perspectives and regulatory environments. This multi-jurisdictional approach is evident in its practical recommendations and its encouragement to consult local guidance. The ASEAN Guide, while regionally focused for ASEAN member states, is less explicit in addressing the diversity of legal and regulatory contexts.

Notable Case Studies

There are various consequences of failing to properly anonymise personal data, which can include significant fines, reputational damage and loss of trust. We set out below some notable case studies in the Asia-Pacific region to highlight the importance of anonymising personal data:

  • SingHealth Data Breach (Singapore): In 2018, the personal data of 1.5 million patients and the outpatient prescription records of nearly 160,000 patients were impacted in a data breach. The personal data in this case, which included government-issued identifiers and sensitive health data, was fully identifiable and not anonymised. This case study demonstrates the importance of anonymisation to prevent re-identification and protect sensitive personal data.
     
  • OrangTee & Tie Data Breach (Singapore): In 2023, Singapore’s data protection regulator (PDPC) fined OrangeTee & Tie Pte Ltd in relation to a data breach affecting more than 250,000 individuals. The regulator noted that the organisation used ‘live’ personal data, including names, bank account numbers, and government-issued identification numbers, for internal development/testing and that the safer practice would have been to use anonymised data.  This case underscores the importance of using anonymised or synthetic data in test environments, as the use of live personal data significantly increases the risk of unintended re-identification or exposure. It highlights that anonymisation is essential even within internal systems.
     
  • Kakao Corporation Data Breach (Korea): In 2023, Kakao was investigated by South Korea’s data protection regulator (PIPC) after a data breach involving over 65,000 users. The PIPC concluded that Kakao had failed to properly de-identify user data and used insecure methods to generate anonymised identifiers. This enabled linkage attacks, where motivated attackers could infer users’ real identities by combining leaked IDs with other available information. This case illustrates that superficial or weak anonymisation can be easily reversed when combined with publicly accessible interfaces. It serves as a textbook example of the “motivated intruder” test: if a reasonably skilled adversary can re-identify individuals using available tools and auxiliary data, anonymisation has failed.

Conclusion

The Guide offers a practical, risk-based framework for organisations seeking to protect personal data while enabling data sharing and innovation. By promoting best practices, standardising approaches, and providing detailed technical and governance recommendations, the Guide aims to foster a secure and privacy-respecting data environment across the Asia Pacific region. As data-driven technologies continue to evolve, these guidelines will play a critical role in helping organisations navigate the complexities of data anonymisation and privacy protection.

Click here to refer to the APPA Guide on Data Anonymisation.

Click here to refer to our previous article referring to the ASEAN Guide on Data Anonymisation.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Guide; information, content, and materials stipulated above is based on our reading of the amendments and are for general informational purposes only.

More insights

Explore more

Event Hong Kong SAR, China

IP Insights webinar series 2026

28 Apr 2026
Expert Guide International

International arbitration law and rules in Hong Kong

48 min read
Publication Hong Kong SAR, China

CMS Arbitration Atlas

20 Mar 2026 3 min read
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.