Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer details, runs a mailing list, uses CCTV, or even tracks website analytics, you’re likely handling “personal information.”
Understanding what counts as personal information under Australian law is essential. It drives what you can collect, how you must store it, and when you can use or share it.
In this guide, we’ll break down the definition of personal information, common grey areas, exemptions that may apply to small businesses, and the practical steps to stay compliant without slowing down your growth.
What Is “Personal Information” For Australian Businesses?
Under Australia’s Privacy Act, personal information is broadly defined. In plain English, it’s information or an opinion about an identified person, or a person who is reasonably identifiable, whether the information is true or not, and whether it’s recorded in a database, written on a sticky note, or just captured in audio or video.
That broad definition is intentional. It captures the many ways modern businesses handle data: forms, emails, customer chats, loyalty programs, cookies and pixels, support tickets, and even internal notes about a customer or lead.
Importantly, personal information isn’t limited to obvious identifiers like names or phone numbers. If a piece of data can be combined with other information to pinpoint a specific person, it can be personal information.
Personal information also includes a special category, “sensitive information”, which covers things like health data and biometrics. You’ll need stronger protections and clearer consent for that kind of data (more on this below).
What Counts As Personal Information?
To make this real, here are concrete examples that frequently show up in small businesses:
- Contact details like name, email, phone number and address.
- Customer account details such as usernames, unique IDs, purchase history and support records.
- Identifiers tied to devices or browsing, including IP addresses, cookie IDs and device fingerprints (especially when combined with other data that singles out a user).
- Financial details such as partial card details or bank account numbers (if you handle them) and transaction records linked to a person.
- Location information like delivery addresses or GPS data associated with a customer.
- Images, audio or video that identify a person, including CCTV footage at your premises and recorded customer service calls.
- Opinions about a person, for example, internal notes about a customer complaint or a staff note recorded in the CRM.
What Is “Sensitive Information”?
Sensitive information is a subset of personal information that attracts higher protections. It includes:
- Health information and genetic data.
- Biometric data (like facial recognition templates or fingerprints).
- Racial or ethnic origin, political opinions, religious beliefs, sexual orientation and similar categories.
If your business handles sensitive information (for example, offering a wellness service that stores health notes), you typically need express consent and robust security controls. You’ll also need a clear, transparent Privacy Policy that explains what you collect and why.
What Doesn’t Count (And Common Grey Areas)
Some data looks “non-personal” at first glance but becomes personal when combined with other information.
- Truly de-identified data: If data is irreversibly anonymised so no individual can be identified, it’s not personal information. But if it’s reasonably possible to re-identify a person, now or with information you hold elsewhere, it may still be personal information.
- Business contact details: Generic business information (like a public company address) is not personal information. However, a sole trader’s work email that uses their name, or a direct line tied to a person, can be personal information.
- Publicly available data: Information found on a public website or social media can still be personal information if you collect and use it in your business.
- Pseudonymised records: Replacing names with unique codes helps, but if you can link the code back to a person within your systems, it’s still personal information.
Grey areas often arise with marketing tools, analytics, and cross-device tracking. As a practical rule of thumb: if your systems can single out a person or combine the data to reasonably identify them, treat it as personal information.
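The pseudonymisation and de-identification points above are easiest to see with a small worked example. The following Python script is added here for illustration and is not from the original article or from Sprintlaw; the customer records, the key and the field names are constructed for the demo. It replaces direct identifiers with a keyed token, then applies the article’s rule of thumb: the tokenised dataset is still personal information for as long as the business holds anything (a lookup table, or the key plus a list of emails from the CRM) that lets a token be linked back to a person.

```python
"""Pseudonymised vs. de-identified: a toy illustration (added example, not the article's code)."""
import hashlib
import hmac

# Constructed sample records with fictional people, used only for this demo.
CUSTOMERS = [
    {"name": "Ana Example", "email": "ana@example.com", "purchase": "running shoes", "postcode": "2000"},
    {"name": "Ben Sample", "email": "ben@example.org", "purchase": "yoga mat", "postcode": "3000"},
]

# Constructed demo key; a real deployment would keep this in a secrets store.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def make_token(email: str, key: bytes) -> str:
    """Keyed pseudonym: the same email always yields the same token for a given key.
    Because it is deterministic, anyone holding the key can re-derive it from an email."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Strip direct identifiers (name, email) and replace them with a token.

    Returns (rows, lookup). `rows` is the dataset analysts would work with;
    `lookup` maps token -> direct identifiers and is exactly what makes the
    data linkable, so it must be governed like the original records."""
    rows, lookup = [], {}
    for r in records:
        token = make_token(r["email"], key)
        rows.append({"customer_token": token, "purchase": r["purchase"], "postcode": r["postcode"]})
        lookup[token] = {"name": r["name"], "email": r["email"]}
    return rows, lookup


def resolve(token: str, lookup=None, key=None, known_emails=()):
    """Attempt to link a token back to an email using whatever the business still holds:
    the lookup table, or the HMAC key together with a list of emails (e.g. from the CRM).
    Returns the email on success, or None if no linkage is possible with what is held."""
    if lookup and token in lookup:
        return lookup[token]["email"]
    if key is not None:
        for email in known_emails:
            if hmac.compare_digest(make_token(email, key), token):
                return email
    return None


def is_personal_information(rows, lookup=None, key=None, known_emails=()) -> bool:
    """The article's rule of thumb: if any row can be linked back to a person with
    information the business holds, treat the whole dataset as personal information."""
    return any(resolve(r["customer_token"], lookup, key, known_emails) is not None for r in rows)


def demo():
    """Run the three scenarios and return their outcomes as a dict."""
    rows, lookup = pseudonymise(CUSTOMERS, DEMO_KEY)
    emails = [c["email"] for c in CUSTOMERS]
    return {
        # Direct identifiers are gone from the analytics rows.
        "rows_have_no_direct_identifiers": all("email" not in r and "name" not in r for r in rows),
        # Holding the lookup table keeps the data linkable, so it is still personal information.
        "with_lookup_table": is_personal_information(rows, lookup=lookup),
        # No lookup table, but the key plus the CRM's email list re-creates the link.
        "with_key_and_crm": is_personal_information(rows, key=DEMO_KEY, known_emails=emails),
        # Lookup table and key both destroyed: the tokens no longer resolve to anyone.
        "after_destroying_key_and_lookup": is_personal_information(rows),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The last scenario only covers direct re-identification through the token. Indirect fields left in the rows (here postcode and purchase) can still single someone out when combined with other data, which is why the article says to treat data as personal information whenever your systems can reasonably identify a person, not just when a name is attached.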
Are There Any Exemptions For Small Businesses?
Australia’s Privacy Act currently contains a small business exemption for some businesses with an annual turnover of $3 million or less. However, many small businesses are still covered. You may be caught by the Privacy Act if you:
- Provide health services and hold health information.
- Trade in personal information (for example, selling or purchasing customer lists).
- Operate as part of a larger group of entities over the threshold.
- Are a credit reporting body or handle certain types of tax file number data.
- Contract with the Commonwealth or handle regulated information under specific legislation.
Even if an exemption might apply, there are two important reasons many small businesses still adopt privacy best practices:
- Trust and customer expectations: Customers expect a professional business to handle data responsibly, transparently and securely.
- Contractual and platform requirements: Enterprise customers, payment providers, ad networks and marketplaces often require you to meet privacy standards regardless of legal exemptions.
There are also proposals to reform Australia’s privacy laws. Keeping your privacy foundations in place now will make any transition easier later.
What About The Employee Records Exemption?
Private sector employers have an “employee records” exemption for certain acts done directly in relation to current or former employees’ records. Two key caveats:
- It’s narrower than many businesses realise. It generally does not cover job applicants, contractors or data unrelated to the employment relationship.
- Other laws may still apply. Workplace surveillance, discrimination, workplace health and safety and state or territory privacy laws can still be relevant.
If you use technology like time-and-attendance apps, call monitoring or CCTV, it’s wise to assess those activities under privacy and surveillance rules together. For example, check your approach against business call recording laws and security camera laws to ensure your processes, signage and notices are compliant.
How To Handle Personal Information Lawfully
Here’s a practical framework to get privacy right in a small business without overcomplicating things.
1) Map What You Collect (And Why)
List the personal information you collect across the customer journey: enquiries, sales, delivery, support, and marketing. Include staff, contractors and suppliers if you collect their personal information too.
For each data point, document why you need it and how you will use it. This helps ensure collection is lawful, necessary and proportionate, and makes drafting your Privacy Policy faster and more accurate.
2) Be Transparent From The Start
When you collect personal information, let people know what you’re collecting, why, and who you might share it with.
On your website or at the point of collection, use a clear Privacy Collection Notice alongside your Privacy Policy. Keep it concise and in plain English. If you rely on consent for certain activities (especially for sensitive information or optional marketing), make sure it’s specific and can be withdrawn easily.
3) Limit Collection To What You Need
Collect the minimum personal information needed to run your business. Avoid collecting sensitive information unless it’s essential and you have clear, documented consent and robust security measures.
Where practicable, allow people to use pseudonyms or remain anonymous for low-risk interactions. This won’t always be feasible (for example, for delivery), but it’s good practice where risks are low.
4) Secure It Properly
Implement reasonable security safeguards for the personal information you hold. This includes access controls, encryption at rest and in transit where appropriate, password hygiene and basic cybersecurity hygiene for staff.
Document your approach. Many businesses adopt an Information Security Policy and train staff regularly. If a data breach does occur, a prepared Data Breach Response Plan can significantly reduce harm and help you meet notification obligations where they apply.
5) Use And Share Responsibly
Only use personal information for the purposes you stated at collection (or for related purposes your customers would reasonably expect). If you change your use later, for example by training an AI model on customer support transcripts, assess whether you need updated notices or fresh consent.
If you engage third-party suppliers (for example, a marketing platform, CRM, payment processor or offshore back-office support), ensure your contracts limit their use of data and include privacy protections. A tailored Data Processing Agreement helps set out security, access, sub-processing and breach notification terms.
6) Be Careful With Direct Marketing And Tracking
Direct marketing and digital tracking are hot spots for compliance issues. Make opt-outs simple and make sure your email and SMS practices align with email marketing laws.
If you use cookies or ad pixels, be transparent about tracking, provide controls where practicable, and ensure your privacy disclosures cover those technologies clearly.
7) Respect Access And Correction Rights
People generally have the right to access personal information you hold about them and to request corrections. Create an internal process to verify identity and respond within reasonable timeframes.
If your team knows where data is stored and how to retrieve it, you’ll reduce the time and cost of responding to these requests.
8) Plan For Retention And Deletion
Hold personal information only for as long as you need it (or as long as the law requires). Then securely delete or de-identify it.
Having a retention schedule and a simple process for deletion or de-identification is not only good practice, it also reduces your exposure if a breach occurs. For guidance on timeframes and practical steps, see your obligations around data retention laws in Australia.
What Legal Documents Should You Have?
Getting your privacy paperwork in order doesn’t have to be complicated. Focus on a short set of core documents, tailored to what your business actually does with data.
- Privacy Policy: Explains what personal information you collect, how you use and share it, security measures and people’s rights. Publish it on your website and keep it up to date.
- Privacy Collection Notice: A concise notice at the point of collection (e.g. forms, sign-up pages, in-store) that points to the Privacy Policy and covers the essentials.
- Data Processing Agreement: Contractual terms with service providers who handle personal information on your behalf, covering security, permitted use and breach notification.
- Data Breach Response Plan: A playbook for identifying, containing, assessing and reporting data breaches.
- Website Terms of Use: Rules for using your site or app, separate from privacy disclosures but often reviewed together during a website refresh.
- Acceptable Use Policy (where relevant): Sets boundaries for how customers or staff can use your systems, especially for SaaS and online platforms.
If your business uses CCTV on the premises or records calls for training and quality assurance, ensure your notices and internal procedures align with security camera laws and business call recording laws. Your privacy documentation should mirror what actually happens in your business: no more, no less.
Bringing It All Together In Practice
Most small businesses can implement privacy in a week or two by:
- Auditing data flows (what you collect, from where, and why).
- Finalising an accurate Privacy Policy and the right collection notices.
- Tidying vendor contracts with a Data Processing Agreement where needed.
- Training staff on privacy do’s and don’ts, including phishing awareness.
- Setting up a simple, internal process for access requests and complaints.
- Documenting your breach response plan and key contacts.
If you handle sensitive information, operate across borders, or plan to train internal AI models on customer data, it’s wise to get tailored advice early so your set-up scales with your growth.
Key Takeaways
- Personal information in Australia covers any information or opinion that identifies, or can reasonably identify, a person, across forms, systems, images, audio and analytics.
- Sensitive information (like health or biometric data) needs higher protections and clear consent before collection and use.
- Some small businesses fall under exemptions, but many are still covered, and customers and contractors often expect privacy best practice regardless.
- Build privacy into your operations: be transparent at collection, minimise what you collect, secure it, and limit use to what people would reasonably expect.
- Core documents like a Privacy Policy, Privacy Collection Notice, Data Processing Agreement and Data Breach Response Plan help you manage risk and meet legal and contractual obligations.
- If you use CCTV, call recordings, cookies or direct marketing tools, check that your notices and opt-out processes align with Australian law and your actual practices.
If you’d like a consultation on defining personal information in your business and setting up compliant privacy documents, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.