What is ‘Personal Information’ Under Australian Privacy Law?

In Short

  • Personal information is any data that can identify an individual, such as names, contact details, or health information.
  • Australian businesses must comply with privacy laws when collecting, storing, and using personal information.
  • Failing to meet privacy obligations can lead to serious penalties, including fines and reputational damage.

Tips for Businesses

Make sure your business has clear processes in place for handling personal information. Always get consent before collecting data and ensure it’s stored securely. Review your privacy policies regularly to stay compliant with the latest laws. Training staff on privacy procedures can also reduce the risk of non-compliance.


The Privacy Act, which includes the Australian Privacy Principles (APPs), forms the foundation of Australian privacy law. It regulates the collection, use and disclosure of personal information in Australia. But what is personal information? Is it any information that someone gives you? Is it business information that only relates to their business? This article explains what ‘personal information’ means under Australian privacy law.

Who Needs to Comply With the APPs?

The Australian Privacy Principles apply to you if you are an APP entity. Businesses with an annual turnover of $3 million or over are APP entities (including charities and not-for-profits). Generally, private sector organisations with an annual turnover of $3 million or less do not need to comply with the APPs unless they:

  • provide health services and hold health information;
  • disclose personal information for a benefit, service, or advantage;
  • provide services under a Commonwealth contract;
  • are a credit reporting body; or
  • operate a residential tenancy database.

However, even if your business is not an APP entity, it is best practice to set up your business so that you comply with the Privacy Act and to have a privacy policy that sets out how your business will collect, use and disclose customers’ personal information. This can help build trust with customers and lead to more business.

What is Personal Information?

The Privacy Act defines personal information as information or an opinion about an identified individual or a reasonably identifiable individual:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

Examples of information commonly considered to be personal information are a person’s:

  • name;
  • address;
  • date of birth and age;
  • profession; 
  • photographic identification;
  • marketing and communications preferences (e.g. opting in/out to receive marketing emails);
  • technical and analytics data of individuals when they access websites, including login data, IP addresses and web browser usage; and 
  • bank or credit card details.

Other types of less obvious personal information are:

  • Metadata: Information associated with images, such as the time and location taken, can also be personal information if linked to an identifiable individual.
  • Reasonable Identifiability: You do not need to immediately identify someone from the information itself. If combining it with other available details makes identification possible, it is treated as personal information.
  • Aggregated Data: Even when an organisation lacks direct identifying details like names, combining multiple pieces of information that could lead to identification qualifies as personal information.
  • Future Identifiability: Information that does not identify an individual immediately but could do so later (for instance, due to technological advancements) may also be considered personal information.

What is Sensitive Information?

Sensitive information is personal information that includes information or an opinion about an individual’s:

  • race or ethnic origin;
  • political opinions or membership of a political organisation;
  • religious beliefs and affiliations;
  • philosophical beliefs;
  • membership of a professional association or trade union;
  • sexual preferences and orientation;
  • criminal record;
  • health information;
  • genetic information; or
  • biometric information.

Generally, sensitive information is a subset of personal information that is given higher protection under the Australian Privacy Principles. 

How Can an Individual Be Reasonably Identifiable?

Information that can reasonably identify a person may also be personal information. Therefore, you need to consider the context of the information you have and whether, as a whole, that information could reasonably identify the person.

Whether or not a person is reasonably identifiable depends on who has access to that information. For example, you should consider whether that personal information is being used internally within your business or if you are releasing that information to the public.

It is also worth noting that reasonable identifiability is not only about whether the individual can be specifically identified. It is also about whether the individual can be distinguished amongst a group. In simple terms, someone can be “identifiable” if the information about them can be combined with other details to figure out who they are.

For example, if you are collecting geographical information about your customers but not customer names, it is possible that someone living in a very remote area (where only one person lives) could be reasonably identified just by collecting information about their geographical location.

Information such as pictures of a person is considered personal information because certain software, such as artificial intelligence, can identify that person within a group. Even if an organisation claims it cannot directly identify individuals from the data it collects, the information might still qualify as personal. This applies especially when the data could be used to single out specific individuals, particularly when combined with other details or analysed with technology like facial recognition software.

What is Not Personal Information?

Generally, information that relates to a business is not personal information. This information includes a business name, address, and Australian Business Number (ABN). However, if a sole trader carries on a business, that business information may reasonably identify the individual and so be personal information. Either way, you should be careful.

Furthermore, information is not personal information if it is de-identified information. Information can be de-identified using technology to remove anything from that information that can reasonably identify a person. The Office of the Australian Information Commissioner (OAIC) recommends obtaining specialist assistance to successfully de-identify personal information because the process can be challenging.

Can Individuals Access and Correct Their Personal Information?

Individuals have the right to access and correct the personal information your business holds about them. To access this information, individuals can submit a request to you, and you must provide them with the information within a reasonable timeframe and at minimal or no cost. If the information is inaccurate or incomplete, they can request corrections, which you must respond to within a reasonable period. You should make any requested corrections within 30 days of the request.

Tips for Protecting Personal Information

Protecting customers’ personal information is crucial for your business. Ensure you regularly review your data collection, storage and use practices to identify potential privacy risks. It is essential that you make sure customer personal information is secure from unauthorised access or misuse.

Having a well-drafted and up-to-date privacy policy is important. A privacy policy is a document that explains how your business handles personal information. It should act as a guide for how your business collects, holds, uses and discloses personal information.

Staff training is also vital – ensure that all employees who handle personal information understand your privacy policies and procedures. Staying ahead of privacy issues helps build customers’ trust and your business reputation. 

A data breach that exposes the personal information of your customers or clients can lead to severe consequences. The risks you might face are fines, costly litigation, loss of customer trust, and reputational damage to your business. You should put in place proactive measures to protect personal and sensitive information and mitigate any risks associated with data breaches involving personal data.

Key Takeaways

The definition of personal information under Australian privacy law is broad. For example, a person’s name, phone number, address and date of birth will generally be personal information because that information can identify a person. Information that can ‘reasonably identify’ a person is considered personal information. This means details that set someone apart from a larger group, even without their name, may also qualify as personal information. Additionally, sensitive information is a subset of personal information that is given higher protection than other personal information.

If you have any questions about how your business should safely and legally handle personal information, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What rights do individuals have to their personal information?

Individuals have a few key rights concerning their personal information. They have the right to access the personal information you may have stored about them. They also have the right to correct personal information if they think it is wrong.

What must a privacy policy cover?

Your privacy policy should include your business name and contact details, the types of personal information you collect and store, and the reasons and methods for collecting it. It should explain how personal information is used and disclosed, including whether it will be shared with overseas entities. You should also describe how individuals can access or correct their personal information and make a complaint.

Maddison Zahra

Lawyer

Maddison is a Lawyer at LegalVision, working in the Corporate and Commercial Team. She has particular expertise in commercial contracts, data and privacy and regulatory compliance advice for small businesses and startups within the Australian landscape. She also has previous experience in Government and Property Law, where she worked with a variety of clients, from small to medium businesses to large corporate and Government clients.

Qualifications:  Bachelor of Laws, Bachelor of International Studies, University of New South Wales.
