Contact

Ch. Ch. Ch. Changing Definitions in Australian Privacy: Privacy Act Review Deep Dive

Published
18 Apr 2023
Read time
6 min read
Category
Privacy, Law, Opinion

We’re continuing our deep dive into the Privacy Act Review Report. You can read our earlier coverage here 

There are a number of key terms that have been redefined in the Privacy Act Review Report, as well as one new definition – namely:  

  • Personal information. 
  • De-identified information.  
  • Collects. 
  • Sensitive information.  
  • Consent.  

We’ll explore each of the proposed changes in this coverage. 

Personal Information: Proposed Changes Under the Privacy Act Review 

The Existing Definition of Personal Information 

Personal Information is currently defined in section 6 of the Privacy Act as follows: 

“Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:  

  1. whether the information or opinion is true or not; and  
  2. whether the information or opinion is recorded in a material form or not.  

Individual is defined as a ‘natural person’.” 

Issues With the Existing Definition 

Information must essentially pass a two-pronged test under the existing criteria to be considered personal information:  

Prong 1: It must be about an individual; and   

Prong 2: An individual is identified or reasonably identifiable.  

The word ‘about’ has caused issues. As a result, the Privacy Act Review report suggests replacing ‘about’ with ‘that refers to’. This change in language makes it clear that inferred information and technical information that relates to an individual can be personal information.  

To be clear, the new definition would read:  

“Personal information means information or an opinion that refers to an identified individual, or an individual who is reasonably identifiable:  

  1. whether the information or opinion is true or not; and  
  2. whether the information or opinion is recorded in a material form or not.  

Individual is defined as a ‘natural person’.” 

The report also proposes to include a non-exhaustive list of categories of information that may be personal information. The proposed categories include the following:  

  • A name. 
  • Identification numbers.  
  • Location data.  
  • Online identifiers.  
  • One or more factors specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity or characteristics of that person.  

Defining “De-Identified Information 

The Privacy Act Reform report also seeks to clarify ‘prong 2’ of the two-pronged test for determining if information is personal information (above). This relates to whether a person is identifiable or reasonably identifiable from information.  

A crucial aspect of the proposed reform includes defining de-identification in a way that makes it clear that whether information could properly be considered ‘de-identified’ may change based on context. The reform also suggests creating protections for de-identified information that are proportionate to the risk of the information being re-identified.  

Proposed Changes to the Definition of ‘Collects’ 

While the concept of ‘collection’ applies broadly already, the Privacy Act Review report proposes to update the definition of ‘collection’ to include information that is inferred or generated. It also makes clear that inferred or generated information is collected at the point at which the inference is made, or the generation occurs.  

Sensitive Information: Proposed Changes Under the Privacy Act Review 

Sensitive information is currently defined as “information or an opinion (that is also personal information) about an individual’s: 

  • racial or ethnic origin 
  • political opinions 
  • membership of a political association 
  • religious beliefs or affiliations 
  • philosophical beliefs 
  • membership of a professional or trade association 
  • membership of a trade union 
  • sexual orientation or practices, or 
  • criminal record. 

Health, genetic, and biometric information about an individual are also considered sensitive information.  

Given that sensitive information poses a risk to the dignity of the individual if it is mishandled, it is afforded a higher level of protection under existing Australian Privacy law. 

Proposed Changes to the Definition of Sensitive Information 

The Privacy Act Review report makes three suggested changes relating to the definition of sensitive information. They are: 

  1. To include ‘genomic’ information as a category of sensitive information. (Privacy 108 was cited as a source supporting this change!) 
  2. To replace ‘about’ with ‘relates to’, in line with the proposed change to the definition of personal information above. 
  3. To clarify that inferred information can be sensitive information if the inference is about a category of sensitive information. It should be made clear that inferences can be sensitive information even if they are made based on information that is not sensitive information. 

Consent: Proposed Changes Under the Privacy Act Review 

Australia’s existing law only requires consent to be given for a limited range of collections, uses, and disclosures for personal information. That consent can be express or implied.  

The collection and use of sensitive information has more stringent consent requirements.    

Proposed Changes to the Consent Requirements 

To bring Australia’s definition in line with many other jurisdictions, including the EU, the Privacy Act Review proposes to amend the definition of consent such that it must be:  

  1. Voluntary; 
  2. Informed;  
  3. Current;  
  4. Specific; and 
  5. Unambiguous.  

This change will likely have a significant impact on organisations – particularly those that have relied on implied consent in the past. It places an increased burden on the organization to gather consent and ensure that consents are valid. 

However, it is worth noting that the reforms do not require that consent be evidenced by positive, affirmative action, leaving open the possibility of relying on opt-out consent. 

What do the proposed changes mean for you? 

It’s probably a good idea to start considering how these proposed changes may impact your organisation. 

Some steps you can take to prepare for the possible introduction of these changes: 

1. Review the information you are treating as personal information, and consider whether you need to extend your privacy program 

2. In particular, consider how you treat the following: 

    • Location data 
    • Online identifiers 
    • Inferred data

3. Review the way you are handling ‘de-identified’ information. Are you considering that it is now outside the operation of the Privacy Act or is de-identification an important privacy risk mitigator? 

4. Where you are relying on consent, ensure that consent meets the new definition of being voluntary, informed, current, specific and unambiguous.  Is it time to renew consents you are relying on to ensure they are current? 

How can we help? 

If your organisation needs assistance developing a ‘plan of attack’ to respond to Australia’s changing privacy laws, reach out. Our privacy team would love to assist.  

 

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.