Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in Australia, you’re almost certainly collecting personal information every day - from names and emails to CCTV footage and support tickets.
Understanding exactly what “personal information” covers isn’t just a nice-to-have. It’s essential for complying with the Privacy Act 1988 (Cth), building trust with your customers, and avoiding costly mistakes if something goes wrong.
In this guide, we’ll walk through clear personal information examples relevant to everyday business operations, explain the extra care required for sensitive information, and outline the practical steps and key documents you’ll need to handle that information lawfully and safely.
What Is Personal Information In Australia?
Under Australia’s Privacy Act, “personal information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable. That definition is broad. What matters is whether a person can be identified, directly or indirectly - not whether the data seems harmless on its own.
Think of it as a spectrum. A first name on its own might not identify someone. But a first name plus suburb, mobile number or a unique customer ID could make them reasonably identifiable. Context is key.
Common Personal Information Examples
- Contact details: names, emails, phone numbers, physical or postal addresses.
- Identifiers: dates of birth, driver’s licence numbers, Medicare numbers, membership or loyalty IDs, customer numbers.
- Online identifiers and usage data: IP addresses, device IDs, cookie IDs, login details, account activity, browser or app telemetry linked to a user profile.
- Transactional records: order histories, invoices, delivery details, support tickets tied to a customer account.
- Audio-visual data: CCTV footage, voice call recordings, video interviews, photographs where a person can be identified.
- Biometric data: facial recognition templates, fingerprints or voiceprints used for authentication.
- Location data: GPS coordinates or check-in information linked to an individual’s movements.
If the information is about a person and you (or someone else) could reasonably figure out who they are, treat it as personal information.
Personal Information You’re Probably Collecting Already
Most small businesses collect personal information across several touchpoints - sometimes without realising it. Mapping your data flows is a great first step to compliance.
Sales, Marketing And Customer Accounts
- Lead forms and mailing lists with names and emails.
- Customer accounts with contact details, order history and preferences.
- Promotions and competitions capturing entrants’ details and social handles.
Website, Apps And Analytics
- Account logins, IP addresses, device IDs, and cookie identifiers tied to user sessions.
- Support chat transcripts and contact forms linked to a user or email.
- Feedback surveys and product reviews containing identifiable details.
Payments And Fulfilment
- Billing addresses, delivery addresses and contact numbers.
- Masked payment tokens and transaction references stored in your systems.
- Third-party payment processors exchanging personal data to complete a sale.
People And HR
- Job applications with resumes, qualifications, referees and right-to-work documents.
- Employee records containing contact, tax and super details (note: certain “employee records” held by employers are exempt from parts of the Privacy Act, but other obligations can still apply, so treat them with care).
Physical Premises And Security
- Visitor sign-in logs with names, phone numbers and arrival times.
- CCTV footage covering entrances, point-of-sale areas or warehouses.
If you use surveillance, make sure you also understand security camera laws in Australia - signage, purpose, storage and access requests all matter.
Customer Support And After-Sales
- Emails and call recordings tied to customer accounts.
- Warranty claims with proof of identity and purchase details.
- Complaint handling data that may contain sensitive details provided by the customer.
Even if you don’t think of your business as “data heavy,” these everyday activities likely involve collecting, using and disclosing personal information - which means the Privacy Act and the Australian Privacy Principles (APPs) may apply.
Sensitive Information, Health And Financial Data: Extra Care Required
Some information is considered “sensitive information” under the Privacy Act. It includes health information, biometric information, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, and certain union membership details.
Examples you might handle:
- Health information: medical certificates, disability information provided for workplace adjustments, or client health data if you provide health services.
- Biometric templates: facial recognition or fingerprint scans used for secure access.
- Criminal record checks: for roles that require screening.
Generally, you need a higher standard of consent and protection for sensitive information, and stricter rules apply to how you collect, use and disclose it.
Financial information like payment card numbers also attracts heightened risk (for example, PCI DSS obligations apply to how you handle card data), even though it isn’t classified as “sensitive information” under the Privacy Act. Treat it with the highest level of security and only store what you genuinely need.
What Doesn’t Usually Count As Personal Information?
Not everything you handle will be “personal information.” Knowing the difference helps you minimise risk and reduce compliance burdens.
- Truly anonymised data: data that has been irreversibly de-identified so no individual is reasonably identifiable from the dataset or in combination with other data.
- Aggregated statistics: summaries that do not relate to an identifiable person (e.g. “25% of visitors converted” without any ability to drill down to an individual).
- Generic business information: a company’s ABN or a generic business email like info@company.com is not personal information - but remember that a sole trader’s business details can still be personal if they identify the individual.
Be careful: “pseudonymised” data (where identifiers are replaced with codes) can still be personal information if someone could re-identify the individual by linking datasets.
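The re-identification caveat above can be made concrete with a standard k-anonymity check, shown here as an added example (not from the original article): a constructed customer export has had names replaced by codes, but still carries the quasi-identifiers postcode, birth year and gender; any combination of those shared by fewer than k records singles out a small group, so the record is still personal information. The same code shows the alternative the article calls truly aggregated statistics: drop the per-person code and release only group summaries, suppressing groups below k. All records, field names and the threshold k=3 are invented for illustration.

```python
from collections import Counter

# Constructed sample: a customer export with names replaced by codes
# (pseudonymised) but quasi-identifiers left in place. All values invented.
PSEUDONYMISED_EXPORT = [
    {"code": "C-001", "postcode": "2000", "birth_year": 1985, "gender": "F", "spend": 120.0},
    {"code": "C-002", "postcode": "2000", "birth_year": 1985, "gender": "F", "spend": 80.0},
    {"code": "C-003", "postcode": "2000", "birth_year": 1985, "gender": "F", "spend": 45.0},
    {"code": "C-004", "postcode": "4870", "birth_year": 1962, "gender": "M", "spend": 310.0},
    {"code": "C-005", "postcode": "3000", "birth_year": 1990, "gender": "M", "spend": 60.0},
    {"code": "C-006", "postcode": "3000", "birth_year": 1990, "gender": "M", "spend": 75.0},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")

def small_groups(rows, quasi_identifiers, k=3):
    """Quasi-identifier combinations shared by fewer than k records.
    Such a combination singles out a small set of people, so a record
    carrying it can be linked back to an individual via another dataset."""
    counts = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return {combo: n for combo, n in counts.items() if n < k}

def is_k_anonymous(rows, quasi_identifiers, k=3):
    """True only if every record hides among at least k-1 others."""
    return not small_groups(rows, quasi_identifiers, k)

def aggregate_with_suppression(rows, quasi_identifiers, k=3):
    """Drop the per-person code and release only group summaries, suppressing
    groups below k. Returns (released_summaries, number_of_suppressed_records)."""
    groups = {}
    for row in rows:
        combo = tuple(row[q] for q in quasi_identifiers)
        group = groups.setdefault(combo, {"count": 0, "total_spend": 0.0})
        group["count"] += 1
        group["total_spend"] += row["spend"]
    released = {c: g for c, g in groups.items() if g["count"] >= k}
    suppressed = sum(g["count"] for g in groups.values() if g["count"] < k)
    return released, suppressed

if __name__ == "__main__":
    print("k-anonymous (k=3):", is_k_anonymous(PSEUDONYMISED_EXPORT, QUASI_IDENTIFIERS))
    print("risky combinations:", small_groups(PSEUDONYMISED_EXPORT, QUASI_IDENTIFIERS))
    print("safe to release:", aggregate_with_suppression(PSEUDONYMISED_EXPORT, QUASI_IDENTIFIERS))
```

Run the check on any export before treating it as "anonymised": a non-empty result from small_groups means the file is still personal information and must be generalised further or suppressed before release.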
What Laws And Documents Do Small Businesses Need To Comply?
In Australia, many businesses with an annual turnover over $3 million are “APP entities” and must comply with the Privacy Act and the APPs. Some smaller businesses must also comply regardless of turnover - for example, health service providers, those trading in personal information, or those handling Tax File Numbers.
Even if you’re below the $3 million threshold, privacy compliance is becoming an expectation from customers, partners and platforms. It’s wise to adopt best-practice privacy measures from the start.
Core Legal Documents To Put In Place
- Privacy Policy: Explains what personal information you collect, why you collect it, how you use and disclose it, and how people can access or correct their data.
- Privacy Collection Notice: The “just-in-time” notice you show at the point of collection, telling people what you’ll do with their information and who you’ll share it with.
- Data Processing Agreement: Sets privacy and security obligations with vendors and service providers that process personal information on your behalf (e.g. cloud, CRM, marketing platforms).
- Information Security Policy: Outlines how your team protects data (access controls, encryption, device management, incident handling) and sets expectations for staff and contractors.
- Data Breach Response Plan: A playbook for identifying, assessing and managing data incidents, including when to notify the OAIC and affected individuals under the Notifiable Data Breaches scheme.
Depending on how your business collects data, you may also need to tighten consents and cookie practices on your digital channels. For example, if you use analytics or remarketing tools, your website should clearly explain this and give users meaningful choices. Your obligations will differ based on the tools you use and where your customers are located, but your public-facing disclosures should be clear and consistent with your internal practices.
Practical Steps To Map, Minimise And Protect Personal Information
Good privacy practice is about being intentional with the data you collect, limiting it to what you need, and protecting it at every step. Here’s a practical roadmap you can action now.
1) Map Your Data Flows
- List out where personal information enters your business (forms, checkout, phone, in-person) and where it goes (CRM, email marketing, cloud storage, support platforms).
- Identify who you share it with (payment processors, couriers, analytics tools, outsourced support) and what each party can access.
- Note the countries where data is stored or accessed - cross-border disclosures have specific requirements under the APPs.
2) Limit Collection To What You Need
- Only collect personal information that is reasonably necessary for your functions or activities.
- Avoid collecting sensitive information unless it’s essential and you have clear consent.
- Design forms to minimise free-text fields that might invite over-collection.
3) Be Clear, Open And Accountable
- Ensure your Privacy Policy accurately reflects your current practices (not what you plan to do later).
- Present a concise Privacy Collection Notice at the point of collection, especially online and at physical sign-ins.
- Set up a simple process for access and correction requests and keep a log of how you handle them.
4) Protect Personal Information In Practice
- Adopt an Information Security Policy covering passwords, MFA, device security, backups and staff onboarding/offboarding.
- Put role-based access controls in place so staff only see what they need to do their job.
- Use encryption at rest and in transit where appropriate, and choose reputable vendors with strong security certifications.
5) Manage Third Parties And Overseas Transfers
- Review your vendor list and sign a robust Data Processing Agreement with processors that handle personal information on your behalf.
- Conduct due diligence on where data is stored and processed - ensure adequate protections for overseas disclosures.
- Align your public disclosures with what these vendors actually do.
6) Minimise Retention And Dispose Securely
- Set sensible retention periods for different data types and stick to them.
- Securely delete or de-identify data that’s no longer needed, in line with best practice and data retention laws in Australia.
7) Prepare For Incidents Before They Happen
- Train your team to spot phishing and report suspected incidents quickly.
- Keep your Data Breach Response Plan handy, test it with tabletop exercises, and review it after any incident.
- Know your notification thresholds under the Notifiable Data Breaches scheme and be ready to act within tight timeframes.
8) Keep Privacy Front-Of-Mind As You Grow
- Run privacy impact checks when you launch new features, use new tools, or expand into new markets.
- Refresh your staff training and internal processes at least annually.
- Make privacy part of your brand promise - it’s a trust and loyalty driver, not just a compliance task.
Personal Information Vs Confidentiality: Why The Difference Matters
Privacy and confidentiality overlap, but they’re not the same. Privacy law focuses on how you collect, use and disclose personal information about individuals. Confidentiality is broader and can cover business information, trade secrets and agreements to keep things private between parties.
If you’re handling customer data and proprietary business information, you’ll need to manage both areas. It helps to understand the difference between privacy and confidentiality so you can set the right policies, contracts and team training.
Key Takeaways
- Personal information in Australia covers any information about an identifiable person - from contact details and online identifiers to CCTV and support records.
- Sensitive information (like health or biometric data) requires extra care, clear consent and stronger protections under the Privacy Act.
- Map your data flows, collect only what you need, protect it with technical and organisational measures, and delete it when it’s no longer required.
- Put essential documents in place - a clear Privacy Policy, a practical Privacy Collection Notice, strong vendor controls via a Data Processing Agreement, an Information Security Policy, and a tested Data Breach Response Plan.
- Privacy compliance isn’t just for big companies - customers and partners expect it from small businesses too, and it’s key to building trust.
If you’d like a consultation on handling personal information in your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.