So what actually is personal information?

Prepared by Julia Winzar

The Office of the Australian Information Commissioner (OAIC) has recently released updated guidance to help entities that are subject to the Australian Privacy Principles (APPs), which are contained in the Privacy Act, determine when they are dealing with ‘personal information’.

If you are a business with annual revenue of more than $3M, you will need to comply with the APPs. The APPs require you to handle any ‘personal information’ you collect and hold in accordance with 13 principles reflecting the information lifecycle.

‘Personal information’ is any information (or an opinion) about a reasonably identifiable individual, whether the information is true or not. For information to be ‘personal information’ it does not necessarily have to identify the individual by name. For example, the individual may be identified by an image or a detailed description of the individual’s physical features.

The OAIC’s guidance shows that whilst in most cases determining whether information is ‘personal information’ is straightforward, there are some scenarios where it can be a little more complex.

The key questions a business should ask itself are:

  1. Is the information ‘about’ an individual? Information will be ‘about’ an individual if there is a connection between the information and the person or it reveals a fact or opinion about the individual.
  2. Is the relevant individual reasonably identifiable? If the individual is not directly identified (i.e. by name etc.), can they be identified, depending on the type and amount of information that is available to the business? For example, can the individual be identified using other information held by the business or using any publicly available information that is available to the business?

Some common examples of ‘personal information’ include name, email address, signature, date of birth, telephone number, bank account details and information or an opinion inferred from an individual’s web browsing history.

Some key things that businesses may not realise include:

  • Publicly available information can still be ‘personal information’. ‘Personal information’ includes both confidential and publicly available information.
  • Some information may not be ‘personal information’ when considered by itself, but will be ‘personal information’ when considered together with other information held by the business if, together, it allows the business to identify an individual.
  • ‘Personal information’ is not limited to information that is recorded in writing. For example, ‘personal information’ can be information that is in verbal, digital or sound form.
  • ‘Personal information’ of one individual can also be the ‘personal information’ of another person.
  • Some business information may also be ‘personal information’ if it is about a sole trader. For example, an ABN, or loan information if the borrower is a sole trader.

If you are unsure whether information falls within the ‘personal information’ definition, you should treat it as personal information.

The key takeaway from this is that you may be collecting and holding more personal information than you think! If you fall into this category, you should update your privacy policy promptly. It is also important to continually review your information handling procedures, including any changes to the types of personal information you collect, and to update your privacy policy and internal privacy compliance procedures accordingly.