Understanding The Privacy Act 1988 - A Simple Guide for Your Business
Why Data Classification Matters
The Privacy Act 1988 is Australia’s main law about protecting information about people.
To follow the law, you first need to label your data correctly. The Act separates information into Personal Information and Sensitive Information. Getting this wrong is more than a paperwork issue; it can increase your legal risk and lead to large penalties. Once you know what type of data you have, you can apply the right Australian Privacy Principles (APPs).
What is Personal Information?
Personal information is information (or an opinion) about a person who is identified, or who could reasonably be identified.
Two important points people often miss:
Opinions count too: It covers facts (like an address) and opinions (like a manager’s view about performance). Both are treated as personal information.
It doesn’t have to be true or written down: The rules can apply even if the information is wrong, and even if it is not formally recorded (for example, spoken notes or information held in someone’s head).
Identification information (a specific subset)
In some contexts (like credit reporting or identity checks), the Act also refers to “identification information”, such as:
Full name (including previous names or aliases)
Date of birth
Sex
Current or last known address (and up to two previous addresses)
Current or last known employer
Driver’s licence number (if applicable)
What is Sensitive Information?
Sensitive information is personal information that is considered higher risk. It needs extra care and usually stronger consent. These categories only count as “sensitive” if they can be linked to an identifiable person.
Personal attributes: racial or ethnic background, political opinions, religious beliefs/affiliations, philosophical beliefs, sexual orientation or practices, criminal record
Memberships/associations: political associations, professional or trade associations, trade unions
Biometrics: biometric information used for automated identification/verification, and biometric templates
Health and genetics: health information (as defined in the Act) and genetic information
Health information (more than medical records)
Health information is a category of sensitive information with additional rules of its own. It can include:
Information or opinions about someone’s physical or mental health, illness, disability, or injury (past, present, or future)
Someone’s stated wishes about future health services
Personal information collected to provide (or while providing) a health service
Information collected about donating (or intending to donate) body parts, organs, or body substances
Genetic information: genetic data is “sensitive information”, and it is treated as “health information” if it is (or could be) predictive of someone’s health (or the health of a genetic relative)
What counts as a “health service”?
A health service is any service that assesses, maintains, improves, or manages a person’s health. This includes things like managing treatment and dispensing prescription medicines.
De-identified information (and the re-identification risk)
Information is only “de-identified” if it is no longer about a person who can be identified, or reasonably identified.
Practical warning: De-identification is hard to do properly. Removing names and other direct identifiers is not enough on its own. If there is a reasonable chance someone could work out who the data relates to (either from the dataset itself, or by combining it with other data they could realistically obtain), then it is still personal information and the Australian Privacy Principles still apply. Whether identification is "reasonable" depends on the cost, effort and other data it would take, not only on whether it is theoretically possible.
Quick summary: key differences (and why it matters)
Personal information is the broad category: anything about a person who can be identified.
Sensitive information is a smaller, higher-risk category of personal information.
Sensitive information usually needs stronger consent and tighter handling.
Penalties and “serious” breaches (Section 13G)
The Act allows higher penalties where a privacy breach is considered “serious”. Courts may consider things like:
How sensitive the information is
Actual or likely impact on the person
How many people are affected
Whether the affected person is a child or otherwise vulnerable
Whether the organisation failed to put proper privacy practices and systems in place
Financial risk (for corporations): For a serious interference with privacy, the maximum penalty can be very large. The Act sets the maximum as the greatest of: $50,000,000; three times the value of any benefit obtained from the breach; or, where the court cannot determine that benefit, 30% of the company's adjusted turnover during the breach turnover period.
Practical Best Practices
To reduce risk and handle information properly:
When in doubt, treat it as personal information: If it relates to a person and someone could reasonably identify them, protect it.
Spot sensitive information early (privacy by design): Build checks into your intake/processes so sensitive data is flagged and handled with stronger controls from the start.
Test your de-identification: Regularly review whether people could be re-identified. If they could, treat the data as personal information.
Have clear privacy processes: Document how you collect, store, use, share, and delete data. Missing or weak processes can make a breach look more “serious” and increase penalties.
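The two checks above that can actually be automated, flagging sensitive information at intake and testing a "de-identified" dataset for re-identification risk, are shown in the added example below. It is illustrative code written for this page, not code from the Act, the OAIC or any product. The field names (full_name, diagnosis, postcode and so on) are hypothetical and should be mapped to your own forms; the records and the "public directory" are constructed sample data, not real people; and k-anonymity over quasi-identifiers is one re-identification test among several, not a statement that the data is de-identified for the purposes of the Act.

```python
from collections import Counter

# Field-name buckets that mirror the categories in the sections above.
# Assumption: your intake forms use these hypothetical field names; adapt to yours.
DIRECT_IDENTIFIERS = {"full_name", "email", "drivers_licence", "date_of_birth"}
SENSITIVE_FIELDS = {
    "ethnicity", "political_opinion", "religion", "philosophical_belief",
    "sexual_orientation", "criminal_record", "union_membership",
    "professional_association", "biometric_template",
}
HEALTH_FIELDS = {"diagnosis", "disability", "medication", "genetic_result"}


def classify_fields(record):
    """Label each field: 'identifier', 'health', 'sensitive' or plain 'personal'.
    Health is checked first because health information is itself sensitive."""
    labels = {}
    for name in record:
        if name in HEALTH_FIELDS:
            labels[name] = "health"
        elif name in SENSITIVE_FIELDS:
            labels[name] = "sensitive"
        elif name in DIRECT_IDENTIFIERS:
            labels[name] = "identifier"
        else:
            labels[name] = "personal"
    return labels


def needs_stronger_handling(record):
    """True when any field is sensitive or health information (stronger consent, tighter controls)."""
    return any(v in ("sensitive", "health") for v in classify_fields(record).values())


def strip_direct_identifiers(record):
    """Naive 'de-identification': drop the direct identifiers and keep everything else."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _key(row, quasi_identifiers):
    return tuple(row[q] for q in quasi_identifiers)


def k_anonymity(rows, quasi_identifiers):
    """Smallest group size over the quasi-identifier combination. k == 1 means at
    least one person is unique in the data and is therefore still reasonably identifiable."""
    counts = Counter(_key(r, quasi_identifiers) for r in rows)
    return min(counts.values())


def rows_at_risk(rows, quasi_identifiers, k=2):
    """Rows whose quasi-identifier combination is shared by fewer than k people."""
    counts = Counter(_key(r, quasi_identifiers) for r in rows)
    return [r for r in rows if counts[_key(r, quasi_identifiers)] < k]


def link_to_public_data(rows, public_rows, quasi_identifiers, attribute):
    """Linkage test: join the 'de-identified' rows to a named public dataset on the
    quasi-identifiers. A unique match re-identifies the person and leaks `attribute`."""
    index = {}
    for p in public_rows:
        index.setdefault(_key(p, quasi_identifiers), []).append(p)
    leaked = []
    for r in rows:
        candidates = index.get(_key(r, quasi_identifiers), [])
        if len(candidates) == 1:
            leaked.append((candidates[0]["full_name"], r[attribute]))
    return leaked


def generalise(row):
    """One remediation: coarsen postcode to two digits, birth year to a decade, and
    suppress sex. Re-run k_anonymity afterwards rather than assuming it worked."""
    out = dict(row)
    out["postcode"] = row["postcode"][:2] + "**"
    out["birth_year"] = row["birth_year"] // 10 * 10
    out["sex"] = "*"
    return out


# Constructed sample data for the example (not real people).
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")
RECORDS = [
    {"full_name": "Ann Example", "postcode": "3000", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"full_name": "Ben Example", "postcode": "3000", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"full_name": "Cal Example", "postcode": "3052", "birth_year": 1975, "sex": "M", "diagnosis": "depression"},
    {"full_name": "Dee Example", "postcode": "3052", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"full_name": "Eve Example", "postcode": "3052", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
]
# A constructed stand-in for a public, named dataset (a directory, a register, a social profile).
PUBLIC_DIRECTORY = [{k: r[k] for k in ("full_name",) + QUASI_IDENTIFIERS} for r in RECORDS]


def demo():
    deidentified = [strip_direct_identifiers(r) for r in RECORDS]
    return {
        "needs_stronger_handling": needs_stronger_handling(RECORDS[0]),
        "k_before": k_anonymity(deidentified, QUASI_IDENTIFIERS),
        "at_risk": len(rows_at_risk(deidentified, QUASI_IDENTIFIERS)),
        "leaked": link_to_public_data(deidentified, PUBLIC_DIRECTORY, QUASI_IDENTIFIERS, "diagnosis"),
        "k_after": k_anonymity([generalise(r) for r in deidentified], QUASI_IDENTIFIERS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the point of the "test your de-identification" advice: with names removed the dataset still has k = 1, two people are unique on postcode, birth year and sex, and joining to a named directory hands back their diagnoses. After generalising the quasi-identifiers the smallest group is 2, which is better but still small; the check has to be repeated against every dataset the recipient could realistically combine with yours, not just once at release.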
The information above forms part of our Understanding Your Award series and provides a high-level overview only. Further obligations may apply depending on your business and workforce. This information is current at the time of publication, March 2026. Workplace laws and awards may change.

