How Does the Law Define Personal Information?

Understanding what ‘personal information’ means legally is crucial for any business whose operations include receiving, storing and utilising customer information. This is because the Privacy Act 1988 (Cth) places certain obligations on entities regarding their handling of personal information. This law applies to certain entities within Australia or with a sufficient Australian link.

What is Personal Information?


‘Personal Information’ is information about an identifiable individual, whether or not true and whether or not recorded in material form. Common types of identifiable information stated by law include;

  • Sensitive Information – includes information about racial background, political stance, religion, sexual orientation and criminal record
  • Health information – information about your health or disability
  • Credit information – card details, information commonly shared with financial institutions
  • Employee records – includes pay rates, performance, leave, employment terms and conditions
  • Tax file number (TFN) information
  • Metadata – provides information about internet activity

Personal information can take many forms, such as images, text, and sound recordings. This list is non-exhaustive, and personal information may extend to any information that is capable of reasonably identifying an individual. Overall, a person is identified when they are distinguished from others. Information that is not concerned with or capable of identifying an individual is not personal information.

Australian Privacy Principles (APPs)

The Privacy Act places obligations on specific entities to handle personal information in a responsible manner. These obligations are contained within 13 Australian Privacy Principles (APPs). The core focus of the APPs is the transparent, responsible and ethical handling of information capable of identifying individuals. For example, APP 1 requires entities to have a clearly expressed privacy policy. APP 7 places obligations on entities regarding direct marketing, and APP 11 concerns information security.

Concerned entities

Not all businesses are subject to these laws. The specific entities dealt with include government agencies and organisations with revenue turnover of more than $3 million annually. If your business has annual turnover below $3 million but deals with sensitive information or collects and uses information for commercial advantage, it is likely you are also subject to the above obligations. Businesses that do not meet these characteristics may also voluntarily submit to obligations as a matter of good practice.

Personal Information Online

If your online business collects data from European Union users, the General Data Protection Regulation (GDPR) may apply. The GDPR places additional responsibilities on businesses regarding the handling of customer information. In particular, the GDPR generally requires businesses to obtain informed, freely given and specific consent prior to the collection of customer data. A GDPR Privacy Policy may ensure compliance in the EU. To find out if you may be subject to this foreign law, contact a lawyer.

Considerations for your Privacy Policy

Even if your business does not fall within the scope of privacy legislation, responsible management of customer information is good business practice. Customers have an expectation that businesses will not exploit them for their provided information. Generally, they also expect their personal information will not be used for undisclosed purposes. Managing customer intentions with respect to information privacy has become even more important with the growth of e-commerce. A privacy policy from Lawpath informs customers how their personal information is collected, used, stored, and managed. Get your privacy policy here. If you are unsure whether laws regarding the handling of personal information apply to you or your business, visit the OAIC website for more information.

Most Popular Articles
You may also like
Recent Articles

Get the latest news

By clicking on 'Sign up to our newsletter' you are agreeing to the Lawpath Terms & Conditions


Register for our free live webinar today!

Essential Strategic Planning for the New Financial Year

12:00pm AEDT
Thursday 11th July 2024

By clicking on 'Register for webinar' you are agreeing to the Lawpath Terms & Conditions

You may also like

The 2024 Federal Budget has unveiled a comprehensive package of measures designed to support small to medium enterprises (SMEs) in Australia, while also laying the groundwork for a "Future Made in Australia."
Default interest clauses can help protect lenders' interests, but sometimes they will not be enforceable. Find out more here.
Lying on your resume to get a job is never a good idea. In fact obtaining employment through fraud can actually land you in jail.

Thank you!

Your registration is confirmed. Keep an eye on your inbox for an email with details on how to watch the webinar.