Summary
- Australian privacy law defines personal information broadly, as any information that identifies or could reasonably identify an individual, including names, contact details, and online identifiers.
- Businesses with an annual turnover above $3 million AUD are generally bound by the Privacy Act 1988 (Cth), though some smaller businesses may also be covered.
- The Australian Privacy Principles (APPs) govern how businesses collect, store, use, and disclose personal information, with serious breaches potentially attracting significant penalties.
- This article is a plain-English guide to personal information under Australian privacy law, written for business owners operating in Australia.
- It has been produced by LegalVision, a commercial law firm that specialises in advising clients on privacy and data protection compliance.
Tips for Businesses
Audit what personal information your business collects and why. Update your privacy policy to reflect actual data practices. Train staff on handling personal information correctly. If you suffer an eligible data breach, notify the Office of the Australian Information Commissioner promptly to meet your legal obligations.
Under Australian privacy law, ‘personal information’ is any information or opinion that identifies a person or makes them reasonably identifiable. The definition is broader than most businesses realise, covering everything from names and addresses to metadata, aggregated data, and even information that may only enable identification in the future. This article explains what ‘personal information’ means under Australian privacy law.
Who Needs to Comply With the APPs?
The Australian Privacy Principles apply to you if you are an APP entity. Businesses with an annual turnover of $3 million or over are APP entities (including charities and not-for-profits). Generally, private sector organisations with an annual turnover of $3 million or less do not need to comply with the APPs unless they:
- provide health services and hold health information;
- disclose personal information for a benefit, service, or advantage;
- provide services under a Commonwealth contract;
- are a credit reporting body; or
- operate a residential tenancy database.
What is Personal Information?
The Privacy Act defines personal information as information or an opinion about an identified individual or a reasonably identifiable individual:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Examples of information commonly considered to be personal information are a person’s:
- name;
- address;
- date of birth and age;
- profession;
- photographic identification;
- marketing and communications preferences (e.g. opting in/out to receive marketing emails);
- technical and analytics data of individuals when they access websites, including login data, IP addresses and web browser usage; and
- bank or credit card details.
Other types of less obvious personal information are:
- Metadata: Information associated with images, such as the time and location taken, can also be personal information if linked to an identifiable individual.
- Reasonable Identifiability: You do not need to immediately identify someone from the information itself. If combining it with other available details makes identification possible, it is treated as personal information.
- Aggregated Data: Even when an organisation holds no direct identifying details such as names, a combination of multiple pieces of information that could lead to identification qualifies as personal information.
- Future Identifiability: Information that does not identify an individual immediately but could do so later (for instance, due to technological advancements) may also be considered personal information.
What is Sensitive Information?
Sensitive information is information or an opinion about an individual’s:
- race or ethnic origin;
- political opinions or membership of a political organisation;
- religious beliefs and affiliations;
- philosophical beliefs;
- membership of a professional association or trade union;
- sexual preferences and orientation;
- criminal record;
- health information;
- genetic information; or
- biometric information.
Generally, sensitive information is a subset of personal information that is given higher protection under the Australian Privacy Principles.
How Can an Individual Be Reasonably Identifiable?
Information that can reasonably identify a person may also be personal information. Therefore, you need to consider the context of the information you have and whether, as a whole, that information could reasonably identify the person.
Whether or not a person is reasonably identifiable depends on who has access to that information. For example, you should consider whether that personal information is being used internally within your business or if you are releasing that information to the public.
It is also worth noting that a person can be reasonably identifiable even if the information does not name them specifically. It is enough that the information lets them be distinguished from others in a group. In simple terms, someone is “identifiable” if the information about them can be combined with other details to figure out who they are.
Information such as pictures of a person is considered personal information because certain software, such as artificial intelligence, can identify that person within a group. Even if an organisation claims it cannot directly identify individuals from the data it collects, the information might still qualify as personal. This applies especially when the data could be used to single out specific individuals, particularly when combined with other details or analysed with technology like facial recognition software.
What is Not Personal Information?
Generally, information that relates to a business is not personal information. This includes a business name, address, and Australian Business Number (ABN). However, if a sole trader carries on the business, that business information may reasonably identify the individual and so be personal information. Either way, you should be careful.
Furthermore, information is not personal information if it is de-identified information. Information can be de-identified using technology to remove anything from that information that can reasonably identify a person. The Office of the Australian Information Commissioner (OAIC) recommends obtaining specialist assistance to successfully de-identify personal information because the process can be challenging.
Can Individuals Access and Correct Their Personal Information?
Individuals have the right to access and correct the personal information your business holds about them. To access this information, individuals can submit a request to you, and you must provide them with the information within a reasonable timeframe and at minimal or no cost. If the information is inaccurate or incomplete, they can request corrections, which you must respond to within a reasonable period. You should make any requested corrections within 30 days of the request.
Tips for Protecting Personal Information
Protecting customers’ personal information is crucial for your business. Regularly review your data collection, storage and use practices to identify potential privacy risks, and make sure customer personal information is secure from unauthorised access or misuse.
Staff training is also vital – ensure that all employees who handle personal information understand your privacy policies and procedures. Staying ahead of privacy issues helps build customers’ trust and your business reputation.
If you suffer a data breach that exposes the personal information of your customers or clients, the consequences can be severe: fines, costly litigation, loss of customer trust, and reputational damage to your business. You should put in place proactive measures to protect personal and sensitive information and mitigate the risks associated with data breaches involving personal data.
Key Takeaways
The definition of personal information under Australian privacy law is broad. For example, a person’s name, phone number, address and date of birth will generally be personal information because that information can identify a person. Information that can ‘reasonably identify’ a person is considered personal information. This means details that set someone apart from a larger group, even without their name, may also qualify as personal information. Additionally, sensitive information is a subset of personal information that requires more privacy than other personal information.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced privacy lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
What rights do individuals have over their personal information?
Individuals have a few key rights concerning their personal information. They have the right to access the personal information you may have stored about them. They also have the right to correct personal information if they think it is wrong.
What should a privacy policy include?
Your privacy policy should include your business name and contact details, the types of personal information you collect and store, and the reasons and methods for collecting it. It should explain how personal information is used and disclosed, including whether it will be shared with overseas entities. You should also describe how individuals can access or correct their personal information and make a complaint.
Is a sole trader’s business information personal information?
Yes. Unlike a company’s, a sole trader’s business details can reasonably identify them personally, so that information qualifies as personal information under the Privacy Act.
Is de-identified information personal information?
Not if it is properly de-identified. However, the OAIC recommends specialist assistance, as re-identification remains possible if the data is combined with other available details.