Personal Information under the Australian Privacy Act

The Privacy Act of 1988 in Australia governs the collection and processing of personal information. The Act defines personal information as any information or opinion about an identified or reasonably identifiable individual, regardless of its truth or form. 

However, ongoing reviews have led to proposed changes in the definition and scope of personal information.

Privacy Act and personal information

Under the current Privacy Act, personal information pertains to information or opinions about individuals. This includes their name, signature, address, telephone number, date of birth, medical records, bank account details, employment details, and any commentary or opinion about them. Notably, personal information only applies to living individuals and excludes deceased individuals.

Determining whether an individual is “reasonably identifiable” from certain information depends on several factors. These include the nature and amount of the information, the circumstances of its receipt, access granted to it, other available information, and the possibility of identification by the entity holding it. If a reasonable member of the public can identify an individual based on publicly released information, it would be considered personal information.

Meanwhile, business information such as a business name, address, and general contact details is not considered personal information under the Privacy Act. However, specific contact details of individual employees, such as an employee’s direct email address or phone number, may be categorised as personal information even if publicly available.

Privacy Act reforms

As part of the ongoing Privacy Act review, the Australian government has proposed reforms to broaden the definition of personal information. The proposed changes would align the definition with the European Union’s General Data Protection Regulation (GDPR) and include technical information like IP addresses, device identifiers, location data, and online identifiers. The aim is to enhance the protection of inferred personal information.

Additionally, the proposed reforms seek to bring de-identified information under the ambit of the Privacy Act. De-identified information, which carries a risk of re-identification, would be subject to reasonable protection measures. For instance, organisations must safeguard de-identified information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Re-identifying information that was collected in a de-identified state would be prohibited.

While these reforms are still being considered, businesses should stay informed about potential changes to ensure compliance with the evolving privacy landscape in Australia. If you have any questions or require assistance regarding personal information and Privacy Act compliance, it is advisable to seek guidance from privacy and data protection experts.