The Privacy Act, which includes the Australian Privacy Principles (APPs), forms the foundation of Australian privacy law. It regulates the collection, use and disclosure of personal information in Australia. But what is personal information? Is it any information that someone gives you? Is it business information that only relates to their business? This article explains what precisely Australian privacy law means when it refers to ‘personal information’.
Who Needs to Comply With the APPs?
If you are an APP entity, the APPs apply to you. APP entities are:
- entities with an annual turnover of more than $3 million, including charities and not-for-profit organisations;
- health service providers, including gyms;
- some small businesses, including businesses that sell or purchase personal information; and
- entities that ‘opt-in’ and choose to comply with the APPs.
What is Personal Information?
Personal information is defined in the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Examples of information commonly considered to be personal information are a person’s:
- phone number;
- date of birth;
- bank or credit card details; and
- medical records.
However, deciding whether a particular piece of information is personal information is often not straightforward. The Office of the Australian Information Commissioner (OAIC), which has a range of privacy regulatory powers, encourages APP entities to ‘err on the side of caution’: if there is any doubt, treat the information as personal information and handle it in accordance with the APPs.
How Can an Individual Be Reasonably Identifiable?
Information that does not name a person on its face may still be personal information if the person is reasonably identifiable from it. Therefore, you need to consider the context of the information you hold and whether, taken as a whole and combined with other information you have or could reasonably obtain, it could identify the person.
Whether a person is reasonably identifiable also depends on who has access to the information and what else they can link it to. For example, consider whether the information is only used internally within your business, or whether you are releasing it to the public, where it can be matched against far more sources.
What is Not Personal Information?
Generally, information that relates to a business is not personal information. This includes a business’ name, address and Australian Business Number (ABN). However, if the business is carried on by a sole trader, or by only one person, that business information may identify the individual and therefore be personal information. Either way, you should treat such information with care.
Furthermore, information is not personal information if it has been de-identified, that is, if it is no longer about an identifiable individual or an individual who is reasonably identifiable. De-identification involves removing or altering anything in the information that identifies a person or could reasonably be used to identify them, and whether it has succeeded depends on the context in which the information is used and released, including what other information it could be combined with. The OAIC recommends obtaining specialist assistance to de-identify personal information because the process can be challenging.
The definition for personal information under Australian privacy law is broad. Therefore, it is often difficult to ascertain whether the information you have collected is personal information.
Some cases are relatively clear-cut. For example, a person’s name, phone number, address and date of birth will generally be personal information because that information can identify a person. However, other information such as a person’s religion, ethnicity and work details may also identify a person. Note that information about matters such as religion, ethnicity and health is also ‘sensitive information’ under the Privacy Act, a subset of personal information that attracts stricter handling requirements under the APPs. If you have any questions, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.