In Short
- Personal information is any data that can identify an individual, such as names, contact details, or health information.
- Australian businesses must comply with privacy laws when collecting, storing, and using personal information.
- Failing to meet privacy obligations can lead to serious penalties, including fines and reputational damage.
Tips for Businesses
Make sure your business has clear processes in place for handling personal information. Always get consent before collecting data and ensure it’s stored securely. Review your privacy policies regularly to stay compliant with the latest laws. Training staff on privacy procedures can also reduce the risk of non-compliance.
Table of Contents
- Who Needs to Comply With the APPs?
- What is Personal Information?
- What is Sensitive Information?
- How Can an Individual Be Reasonably Identifiable?
- What is Not Personal Information?
- Can Individuals Access and Correct Their Personal Information?
- Tips for Protecting Personal Information
- Key Takeaways
- Frequently Asked Questions
The Privacy Act, which includes the Australian Privacy Principles (APPs), forms the foundation of Australian privacy law. It regulates the collection, use and disclosure of personal information in Australia. But what is personal information? Is it any information that someone gives you? Is it business information that only relates to their business? This article explains what ‘personal information’ means under Australian privacy law.
Who Needs to Comply With the APPs?
The Australian Privacy Principles apply to you if you are an APP entity. Businesses with an annual turnover of $3 million or over are APP entities (including charities and not-for-profits). Generally, private sector organisations with an annual turnover of $3 million or less do not need to comply with the APPs unless they:
- provide health services and hold health information;
- disclose personal information for a benefit, service, or advantage;
- provide services under a Commonwealth contract;
- are a credit reporting body; or
- operate a residential tenancy database.
What is Personal Information?
The Privacy Act defines personal information as information or an opinion about an identified individual or a reasonably identifiable individual:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Examples of information commonly considered to be personal information are a person’s:
- name;
- address;
- date of birth and age;
- profession;
- photographic identification;
- marketing and communications preferences (e.g. opting in/out to receive marketing emails);
- technical and analytics data of individuals when they access websites, including login data, IP addresses and web browser usage; and
- bank or credit card details.
Other types of less obvious personal information are:
- Metadata: Information associated with images, such as the time and location taken, can also be personal information if linked to an identifiable individual.
- Reasonable Identifiability: You do not need to immediately identify someone from the information itself. If combining it with other available details makes identification possible, it is treated as personal information.
- Aggregated Data: Even when an organisation lacks direct identifying details like names, combining multiple pieces of information that could lead to identification qualifies as personal information.
- Future Identifiability: Information that does not identify an individual immediately but could do so later (for instance, due to technological advancements) may also be considered personal information.
What is Sensitive Information?
Sensitive information includes information or an opinion about a person’s:
- race or ethnic origin;
- political opinions or membership of a political organisation;
- religious beliefs and affiliations;
- philosophical beliefs;
- membership of a professional association or trade union;
- sexual preferences and orientation;
- criminal record;
- health information;
- genetic information; or
- biometric information.
Generally, sensitive information is a subset of personal information that is given higher protection under the Australian Privacy Principles.
How Can an Individual Be Reasonably Identifiable?
Information that can reasonably identify a person may also be personal information. Therefore, you need to consider the context of the information you have and whether, as a whole, that information could reasonably identify the person.
Whether or not a person is reasonably identifiable depends on who has access to that information. For example, you should consider whether that personal information is being used internally within your business or if you are releasing that information to the public.
It is also worth noting that, for a person to be reasonably identifiable, it is not only about whether the individual can be specifically identified. It is also about whether they can be distinguished within a group. In simple terms, someone is “identifiable” if the information about them can be combined with other details to work out who they are.
Pictures of a person are considered personal information because software, such as facial recognition tools, can pick that person out of a group. Even if an organisation claims it cannot directly identify individuals from the data it collects, the information may still qualify as personal information. This applies especially where the data could be used to single out specific individuals, particularly when combined with other details or analysed with technology such as facial recognition software.
What is Not Personal Information?
Generally, information that relates to a business is not personal information. This includes a business name, address and Australian Business Number (ABN). However, if a sole trader carries on the business, that business information may reasonably identify the sole trader and therefore be personal information. Either way, you should be careful.
Furthermore, information is not personal information if it is de-identified information. Information can be de-identified using technology to remove anything from that information that can reasonably identify a person. The Office of the Australian Information Commissioner (OAIC) recommends obtaining specialist assistance to successfully de-identify personal information because the process can be challenging.
Can Individuals Access and Correct Their Personal Information?
Individuals have the right to access and correct the personal information your business holds about them. To access this information, individuals can submit a request to you, and you must provide them with the information within a reasonable timeframe and at minimal or no cost. If the information is inaccurate or incomplete, they can request corrections, which you must respond to within a reasonable period. You should make any requested corrections within 30 days of the request.
Tips for Protecting Personal Information
Protecting customers’ personal information is crucial for your business. Regularly review your data collection, storage and use practices to identify potential privacy risks, and make sure customer personal information is secure from unauthorised access or misuse.
Staff training is also vital – ensure that all employees who handle personal information understand your privacy policies and procedures. Staying ahead of privacy issues helps build customers’ trust and your business reputation.
If you suffer a data breach that exposes the personal information of your customers or clients, the consequences can be severe. The risks you might face include fines, costly litigation, loss of customer trust, and reputational damage to your business. You should put in place proactive measures to protect personal and sensitive information and mitigate the risks associated with data breaches involving personal data.
Key Takeaways
The definition of personal information under Australian privacy law is broad. For example, a person’s name, phone number, address and date of birth will generally be personal information because that information can identify a person. Information that can ‘reasonably identify’ a person is considered personal information. This means details that set someone apart from a larger group, even without their name, may also qualify as personal information. Additionally, sensitive information is a subset of personal information that requires more privacy than other personal information.
If you have any questions about how your business should safely and legally handle personal information, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
What rights do individuals have over their personal information?
Individuals have a few key rights concerning their personal information. They have the right to access the personal information you may have stored about them. They also have the right to correct personal information if they think it is wrong.
What should a privacy policy include?
Your privacy policy should include your business name and contact details, the types of personal information you collect and store, and the reasons and methods for collecting it. It should explain how personal information is used and disclosed, including whether it will be shared with overseas entities. You should also describe how individuals can access or correct their personal information and make a complaint.