Personal Information under the Australian Privacy Act 1988
The Australian Privacy Act 1998 regulates how APP (Australian Privacy Principles) entities handle personal information.
Although in most cases it ought to be clear whether information is personal information, the Act’s definition is broad and there is room for interpretation in certain circumstances.
This page aims to help APP entities determine whether information is personal information under the Act.
What is personal information under the Australian Privacy Act?
The Australian Privacy Act defines personal information as:
“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not”.
In addition to this broad definition, certain types of information are explicitly recognised as personal information under the Act, including:
- Sensitive information;
- Health information;
- Credit information;
- Employee record information; and
- Tax file number information.
Other legislation also explicitly recognises certain types of information as personal information. For example, Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5‑1A of that Act.
What is sensitive personal information?
Sensitive information is defined as information or an opinion – that is also personal information – about an individual’s health, genetic or biometric information, or their:
- Racial or ethnic origin;
- Political opinions;
- Membership of a political association;
- Religious beliefs or affiliations;
- Philosophical beliefs;
- Membership of a professional or trade association;
- Membership of a trade union;
- Sexual orientation or practices; or
- Criminal record.
Examples of personal information
Personal information can be in any format, can relate to more than one person, and does not have to be correct.
It might include:
- Information about an individual’s private life, for example their name, date of birth, medical information, address, email address and bank account information;
- Employment details and business information, including their work contact details, salary and job title; or
- Opinions about an individual, including referees’ comments about job applicants, trustees’ opinions about bankrupts, opinions about individuals’ attributes that are based on other information about them, and opinions about individuals based on their activities, such as their purchasing habits or web browsing history.
Whether or not information is personal information is subject to change: some information might not be considered personal information on its own, but will be when combined with other information that an entity holds or has access to. The question then is whether the individual is reasonably identifiable.
When is an individual ‘reasonably identifiable’?
A person is identified when they can be distinguished from a group by the information, but determining when they are ‘reasonably identifiable’ depends on the context in which the information is handled.
For example, even if it might not be possible to identify them from the information being handled, it might be possible to do so by combining that information with other available information.
Decisions relating to whether information is personal information under the Act should therefore be made on a case-by-case basis.
How to decide whether information is personal information
To determine whether information is personal information under the Act, consider whether the information:
- Is demonstrably about a specific individual – that is, can the person be identified using that information?
- Can be combined with other information to identify the individual. Consider the context in which the information is processed, taking account of the nature and amount of information, who will hold and access it, and the feasibility of using any other available information to identify an individual.
If in doubt, it is better to err on the side of caution and afford the information the protection you would apply to information you know to be personal.
Speak to an expert
Please contact us for further information or to speak to an expert.