
Privacy Act: What “Personal Information” Means For Businesses

By Alex Solo · 10 min read

If you run a small business in Australia, you’re probably collecting more customer (and supplier) data than you realise.

It might be a name and email for a newsletter, a delivery address for online orders, CCTV footage in your shop, or even a customer’s complaint that references their health situation. In many cases, these details can fall under the Privacy Act 1988 (Cth) as “personal information”.

And here’s the part that catches many business owners out: the definition is broader than you might think. Understanding the Privacy Act definition of “personal information” helps you work out what you need to protect, what documents you should have in place, and where you might be taking on risk without meaning to.

Below, we break down what “personal information” means for Australian businesses, the most common examples, the grey areas that cause confusion, and practical steps you can take to stay on track.

What Is The Privacy Act Definition Of Personal Information?

Under the Privacy Act, personal information is broadly “information or an opinion” about an individual who is:

  • identified, or
  • reasonably identifiable

Importantly, the definition includes information or opinions that are:

  • true or not true (for example, a mistaken note that a customer has a certain medical condition can still be personal information), and
  • written down or not written down (it doesn’t need to be stored in a formal database to count).

This is why people often search for the Privacy Act definition of personal information (or the “personal information” definition in the Privacy Act) when they’re trying to build (or fix) their privacy compliance.

“Reasonably Identifiable” Is The Key Phrase

Many small businesses assume personal information only covers direct identifiers like a person’s full name.

But “reasonably identifiable” means the information can still be personal information if someone could work out who the person is, even indirectly.

For example, if you’re a small business with a niche customer base (say, a specialist clinic, boutique service provider, or local community organisation), it may be easier to identify someone from partial details than you’d expect.

Sensitive Information Is A Higher-Risk Category

The Privacy Act also recognises a special category called sensitive information, which generally includes things like health information, biometric information, racial or ethnic origin, political opinions, religious beliefs, union membership and sexual orientation (among other categories).

For businesses, this matters because sensitive information typically has stricter handling expectations and often requires higher levels of care when collecting and storing it.

Why The Definition Matters For Small Businesses (Even If You Think The Privacy Act Doesn’t Apply)

Many Australian small businesses have heard of the “small business exemption” and assume they can ignore privacy compliance.

In practice, privacy issues still come up for small businesses because:

  • you may not actually fall within the exemption (depending on what you do and how you operate);
  • you may deal with personal information in ways that create other legal and commercial risks (even beyond the Privacy Act);
  • partners, platforms, payment providers, insurers, and enterprise customers may require you to have privacy documentation and minimum security standards; and
  • a privacy incident can damage trust quickly, especially for local and relationship-driven businesses.

From a practical risk-management perspective, it’s usually worth treating personal information carefully from day one.

Having the right documents in place (like a Privacy Policy) and adopting sensible processes can save you major time and stress later.

Common Examples Of Personal Information In A Business Setting

To apply the Privacy Act definition of personal information to your business, it helps to think in terms of real-world examples.

Personal information can include obvious identifiers, but also operational data you may not think of as “privacy-related”.

Customer and Client Details

  • Name
  • Email address
  • Phone number
  • Billing and delivery address
  • Date of birth
  • Customer account logins

Financial and Transaction Data

  • Invoices linked to a person
  • Purchase history attached to an individual profile
  • Partial payment information (even if you don’t store full card numbers)

If you do store payment information, you should be especially cautious about security and access controls. Payment details can be extremely sensitive from a risk perspective, even when you’re trying to make things convenient for customers. This is a common compliance pain point for growing businesses that use subscriptions, memberships, or saved checkouts. If this applies to you, storing credit card details is an area worth reviewing carefully.

Online Identifiers and Device Data

  • IP addresses (especially where they can be linked back to an individual account)
  • Device identifiers
  • Cookie identifiers
  • Location data (depending on accuracy and context)

Even if you’re just running website analytics or online advertising, you may still be dealing with data that can identify individuals, particularly when combined with other data sources.

Images, Video, and Audio

  • CCTV footage where a person is identifiable
  • Photos used for testimonials or marketing
  • Audio recordings (for example, customer service calls or training recordings)

As a business owner, it’s easy to focus on why you’re collecting this information (security, service quality, proof of delivery, marketing) and forget that it may still be personal information because it identifies someone.

Employment and Contractor Information

  • Employee contact details
  • Emergency contact details
  • Payroll details
  • Performance notes that identify a staff member
  • Contractor onboarding details and compliance checks

Depending on your circumstances, parts of the Privacy Act may apply differently to employee records once they’re held in an employment relationship (and some small businesses may be exempt from the Act altogether). Even so, from a business risk and culture standpoint, it’s still smart to handle staff personal information carefully and transparently.

“Opinions” And Internal Notes

A big trap is assuming personal information only means “facts”. Under the Privacy Act definition, an opinion about an individual can still be personal information.

Examples include:

  • a CRM note that a customer is “difficult” or “likely to complain”;
  • a support ticket describing a customer’s personal circumstances;
  • internal notes about a staff member’s health or conduct; or
  • a comment left in a shared Slack/Teams channel that identifies a person.

What Is Not “Personal Information” (And Where Businesses Get Caught In The Grey Areas)

Not every piece of information your business holds will be personal information. But the grey areas are where mistakes happen.

Truly Anonymous Data (But Be Careful)

Generally, information that is truly anonymous (meaning it cannot identify an individual and cannot reasonably be re-identified) is not personal information.

However, “anonymous” is a high bar. If data can be combined with other information you hold (or other information reasonably available) to identify someone, it may still become personal information.

Business Contact Details Can Still Be Personal Information

A common misconception is: “If it’s a work email address, it’s not personal information.”

In many cases, business contact details can still be personal information if they identify an individual (for example, firstname.lastname@company.com, or a direct work mobile number linked to a specific person).

This is especially relevant for B2B businesses that store supplier and client contact lists.

Information About A Company (Not A Person)

Information about a company (for example, a company ABN, a business address not linked to an individual, or a generic enquiries@ address) won’t usually be personal information.

But as soon as you link it to an identifiable person (director name, personal email, direct phone number, ID documents), you’re back in personal information territory.

Privacy vs Confidentiality (They’re Not The Same Thing)

Another area that causes confusion is assuming privacy and confidentiality are interchangeable.

They overlap, but they’re not the same. Privacy is about handling personal information properly. Confidentiality is about protecting information that is confidential (which could include trade secrets, pricing, commercial strategy, or other sensitive business information).

Understanding the difference helps you build clearer policies and contracts, especially when you’re dealing with customer data and proprietary business information at the same time. If you’re sorting through this internally, the difference between privacy and confidentiality is a useful distinction to keep in mind.

Practical Steps To Handle Personal Information Properly In Your Business

Once you understand the Privacy Act definition of personal information, the next step is turning that definition into practical habits and documentation.

Here are the steps we typically recommend businesses think about.

1) Map What You Collect (And Why You Collect It)

Start with a simple audit. List out:

  • what personal information you collect;
  • where it comes from (website forms, email, in-store, third-party tools);
  • why you collect it (delivery, billing, marketing, account management);
  • where it is stored (CRM, spreadsheets, email inboxes, cloud drives); and
  • who has access (staff, contractors, outsourced IT, virtual assistants).

This sounds basic, but it’s the foundation for everything else. If you don’t know what you hold, it’s hard to protect it.

2) Be Clear At Collection Time

Many privacy issues come down to a customer feeling surprised by what you did with their information.

Where possible, you want to be upfront at the moment you collect personal information. For example, if you’re collecting emails for marketing, say so. If you’re collecting ID for compliance checks, explain why.

Depending on how your business operates, you may want a privacy collection notice that matches your actual processes (not just a generic statement copied from somewhere else).

3) Put The Right Public-Facing Policies In Place

If you’re collecting personal information online (or even offline as part of your service delivery), it’s often a good idea to have a clear, accurate privacy policy that reflects what you actually do.

A well-drafted Privacy Policy is not just a box-ticking exercise. It can also help with:

  • building customer trust;
  • setting expectations for how you handle data;
  • reducing complaints and misunderstandings; and
  • meeting the requirements of platforms, payment providers, and commercial partners.

The key is accuracy. If your policy says you “never share information”, but you use cloud marketing tools or outsource customer support, that mismatch can cause problems quickly.

4) Treat Security As Part Of Customer Service

Personal information protection isn’t just “IT stuff”. It’s part of your business’s customer experience and reputation.

Practical security measures might include:

  • unique logins for staff (avoid shared passwords);
  • two-factor authentication on email and cloud tools;
  • limiting access to only staff who need it;
  • using secure payment systems (and being cautious about storing card details);
  • regular software updates; and
  • clear offboarding when staff leave (removing access promptly).

If you’ve ever dealt with a customer complaint about a hacked account, you’ll know that even small issues can become time-consuming and expensive.

5) Plan For Access Requests And Corrections

If your business is covered by the Privacy Act (for example, because you’re an APP entity, that is, an entity bound by the Australian Privacy Principles), individuals may ask for access to the personal information you hold about them, or ask you to correct it.

Even if you’ve never had a request before, it helps to have a basic internal process, so you’re not scrambling when it happens. This is especially important if personal information is stored across multiple systems (email, spreadsheets, accounting platforms, CRMs).

6) Consider Deletion Requests (With Proper Qualifications)

Businesses often ask: “Can a customer make us delete everything?”

Australia doesn’t have a simple, general “right to be forgotten” in the same way some other jurisdictions do. Whether you can (or must) delete information will depend on the context, and other laws may require you to keep certain records (for tax, financial reporting, employment, or dispute resolution reasons).

That said, it’s still wise to think ahead about how you’ll handle deletion or removal requests, especially if you run an online business or host public-facing content. In this area, the right to be forgotten is a concept businesses often come across (even though the legal position in Australia is more nuanced).

7) Be Careful With Third Parties And Overseas Tools

Many small businesses rely on third-party providers for:

  • email marketing;
  • website hosting;
  • cloud storage;
  • customer support ticketing;
  • payments and subscriptions; and
  • analytics.

That’s completely normal, but it means personal information may be handled outside your direct control, and sometimes outside Australia.

As a practical step, it’s worth keeping a list of the key tools you use and having a general understanding of what information flows through them.

8) Have A Data Breach Plan (So You’re Not Making It Up Under Pressure)

Even with good security, incidents can happen - a lost laptop, a phishing email, a misdirected invoice, or a compromised password.

When that happens, your response time matters. Having a plan makes it easier to act quickly and consistently, including working out whether notifications are required and what you should say to affected customers.

If your business is covered by the Privacy Act, you may also need to consider the Notifiable Data Breaches (NDB) scheme, which can require notification to the OAIC (Office of the Australian Information Commissioner) and affected individuals in certain situations. Depending on your situation, you may need a data breach notification approach as part of your overall incident response planning.

Key Takeaways

  • The Privacy Act definition of personal information is broad: it includes information or opinions about an identified or reasonably identifiable individual, whether true or not true, and whether recorded or not.
  • Personal information isn’t limited to names - it can include email addresses, purchase history, device identifiers, images, audio recordings, and internal notes that relate to a person.
  • “Reasonably identifiable” is often where small businesses get caught out, especially in niche industries or small communities where partial details can identify someone.
  • Sensitive information (like health information) is higher risk and should be handled with extra care.
  • Practical privacy compliance starts with mapping what you collect, being transparent at collection time, having accurate policies, and using sensible security controls.
  • If your business is covered by the Privacy Act, it’s worth planning ahead for access/correction requests and potential data breaches, so you can respond quickly and confidently.

If you’d like help reviewing what personal information your business collects and putting the right documents and privacy processes in place, contact Sprintlaw on 1800 730 617 or email team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
