(Cth) Expand the Definition of ‘Personal Information’ in the Privacy Act
- Abdul Ababneh, Amisha Singh, Benjamin Kelly, Hamish Wallace, Jake Young, Lachlan Mansour, Nicole Brideson & Sara Hamid
Author: Abdul Ababneh, Amisha Singh, Benjamin Kelly, Hamish Wallace, Jake Young, Lachlan Mansour, Nicole Brideson & Sara Hamid | Publish date: 12/5/2026
P: In Australia, information that can single out an individual without naming them is not clearly classified as ‘personal information’.
S: The Attorney-General should amend Section 6(1) of the Privacy Act 1988 (Cth) to expand the definition of ‘personal information’ to include: ‘An individual is “reasonably identifiable” if they are capable of being distinguished from all others, even if their identity is not known.’
E: Former NSW Deputy Privacy Commissioner Anna Johnston: ‘The statutory definition of “personal information” needs to clearly state that it includes cases when individuals can be singled out and acted upon, even if their identity is not known.’
Problem Identification:
Section 6(1) of the Privacy Act 1988 (Cth) (the Act) defines ‘personal information’ as ‘information… about an identified individual, or an individual who is reasonably identifiable’. However, Anna Johnston, privacy law expert and former NSW Deputy Privacy Commissioner, has argued that information that can single out an individual without naming them is not clearly classified as ‘personal information’.
The CSIRO said that this may place individual privacy at risk due to the possibility of re-identifying an individual using de-identified data. Further, Johnston (2023) highlighted that the lack of clear definitions could ‘create confusion’ and ‘[shift] too much compliance burden onto organisations’.
Context:
According to the Office of the Australian Information Commissioner (OAIC), determining whether an individual is ‘reasonably identifiable’ requires a contextual consideration of the particular circumstances of the case. They further stated that this may include the nature and amount of information involved, who has access to it, what additional information is available, and the practical likelihood of identifying the individual.
The OAIC stated that ‘de-identification’ involves processing datasets to remove ‘direct identifiers, such as an individual’s name, address or other directly identifying information’. They outlined that this includes processes like perturbation, rounding data, hashing and data-swapping. They further noted that datasets that are treated as ‘de-identified’ are not considered ‘personal information’ as they no longer relate to ‘an individual who is reasonably identifiable’.
The Privacy Act ‘governs the way in which APP entities (Commonwealth Government agencies, health service providers, and private sector organisations with an annual turnover of $3 million or more) deal with personal information’.
Arguments:
In 2020, the OAIC’s research paper, The Definition of Personal Information, reported that the ability to ‘single out’ individuals can harm their privacy ‘even if that individual’s “identity” is not known’. Research conducted by the CSIRO illustrated this risk, finding that datasets stripped of direct identifiers could still be re-identified by ‘combining even basic details such as gender, birthdate or location’.
In 2019, the Office of the Victorian Information Commissioner (OVIC) released its investigation report, Disclosure of myki travel information, which analysed a dataset containing 1.8 billion travel records from 15.1 million myki cards over 3 years. CSIRO’s Data61 found that more than 3 in 5 pairs of trips were ‘unique… [and] more likely to be personally identifiable’ when the time and stop location were known, highlighting that ‘so-called “de-identified” data can still carry re-identification risk especially in linked transactional data’. Chris Culnane from the University of Melbourne stated that ‘with just a handful of pieces of information… it’s possible to get an indication of where they live or work, their regular travel patterns, who they travel with, or if they travel alone’.
Johnston (2023) argued that the lack of definitional clarity has caused ‘an increased compliance burden for organisations, as they struggle to understand the scope of data to which their obligations apply’. In 2022, the Attorney-General’s Privacy Act Review reported that there is ‘considerable confusion and uncertainty about how to interpret the definition’ of ‘personal information’. Although the 2023 Government response suggested ‘an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known’, compliance uncertainty was demonstrated in 2023 when the Administrative Appeals Tribunal ‘express[ed] doubts’ whether some datasets constituted ‘personal information’. Further, the Productivity Commission also acknowledged that ‘practical guidance (that data custodians and users can rely on) is required on what sorts of data are covered by the definitions’.
Advice/Solution Identification:
Johnston called for the statutory definition of ‘personal information’ to explicitly include situations where ‘individuals... are capable of being distinguished from all others, even if their identity is not known’. According to Johnston, this clarification could ‘protect Australians the way they expect, simplify compliance, [and] stop the disingenuous claims by industry’. Likewise, Privacy Foundation Australia supported a stronger definition of personal information to ensure the definition did not create ‘loopholes or inadequate protection’.
Precedent:
There is domestic and international precedent for adopting privacy laws that treat information that can distinguish an individual from others as personal information, even if their identity is not known. In Victoria (from 2014) and Queensland (from 2009), the definition of ‘personal information’ includes information that someone could reasonably determine relates to an individual, such as a person’s sex, race or ethnicity, and not just name-based identifiers. Further, in the EU, data protection law also classifies de-identified data as personal data.
Public Support:
Broad Support:
Attorney-General’s Department (Privacy Act Review) - supports that ‘reasonable identifiability’ could include the ‘practicability of using… information to identify an individual’, but has not explicitly called for the definition proposed by Anna Johnston.
Productivity Commission - they stated the legal definition of ‘personal information’ has ‘an element of uncertainty’ and that ‘practical guidance… is required on what sorts of data are covered by the definitions’, but they have not explicitly called for the definition proposed by Anna Johnston.
Australian Law Reform Commission - supports that the definition of ‘reasonably identifiable’ in the Privacy Act should be amended to include individuals who ‘can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation has the capacity to access or is likely to access’. However, they have not explicitly called for the definition proposed by Anna Johnston.
Electronic Frontiers Australia - supports amending the current definition of ‘personal information’, but they have not explicitly called for the definition proposed by Anna Johnston.
Privacy Reform Open Letter: This open letter advocates for reforms to ‘modernise how “personal information” is defined’; however, the letter does not refer to the specific definition that Anna Johnston proposes.
This list reflects publicly stated positions and should not necessarily be taken as endorsement of this specific brief.
News Coverage:
ABC News - “‘Shocking’ myki privacy breach for millions of users in data release”. The article reported that PTV was found to have breached privacy law by publicly releasing over 15 million myki travel records, which researchers showed could be re-identified to track individual movements. By: Mary Gearin | 16 August 2019 - Read the article here.
The Guardian - “Third-party providers a customer data ‘weak spot’, Australian privacy commissioner says”. The article featured comments by Australia’s current privacy commissioner Carly Kind, who expressed concern about the scope of data collected by companies, which they considered ‘personal information’, and stated that Privacy Act reform is ‘overdue’. By: Josh Taylor | 5 May 2024 - Read the article here.
UNSW News - “Long-overdue Australian privacy law reform is here - and it’s still not fit for the digital era”. The piece analysed recent federal privacy law reform, arguing that while changes were introduced, key substantive protections remain outdated and inadequate for modern digital privacy challenges. By: Katharine Kemp | 13 September 2024 - Read the article here.
Corrs Chambers Westgarth - “Australia’s ongoing privacy reforms: bolstering Australia’s privacy regulatory framework”. This analysis discussed the trajectory of Australian privacy law reform and how recent legislative and regulatory changes are strengthening the country’s privacy protections for individuals and businesses. By: James North, Theonie Scott, Isabella Bicego, Tanvi Patel, Clare Mould, Anika Di Pietro and Paul Sigar | 17 June 2025 - Read the article here.
The Guardian - “Meta argues its AI needs personal information from social media posts to learn ‘Australian concepts’”. The article reported on Meta’s submission to an Australian inquiry, where the company argued that its AI development requires the use of personal information from public Facebook and Instagram posts, highlighting tensions in Australia’s evolving privacy law landscape. By: Josh Taylor | 16 July 2025 - Read the article here.
Where to go to learn more:
(2023) Op-ed: To fix the Privacy Act, we need one extra sentence | CHOICE - This article was written by the former NSW Deputy Privacy Commissioner and current founder and Principal of Salinger Privacy, Anna Johnston. It argued for Johnston’s proposal to redefine what is ‘reasonably identifiable’ in the Privacy Act to include when an individual is able to be distinguished from others, even if their identity is not known. View the article here.
(2021) Your privacy rights | Office of the Victorian Information Commissioner - This article provided a straightforward description of Victoria’s privacy rights. This included an expansive definition of personal information, similar to Anna Johnston’s, that goes beyond the Commonwealth’s definition to include information ‘where someone could reasonably work out that it related to you’ - that is, they can single you out as an individual based on the information. View the article here.
(2014) Serious invasions of privacy in the digital era | Australian Law Reform Commission - This report argued that Australian law contained significant gaps in its protection of individuals from serious invasions of privacy in the contemporary digital ecosystem. It recommended a new federal law, granting individuals a right to sue for serious, intentional invasions of privacy, with clear limits and defences to protect free speech and other public interests. View the report here.
(2022) Privacy Act Review | Australian Government Attorney-General’s Department - This statutory review report outlined key gaps in the Privacy Act 1988, assessed options for reform, and provided evidence and recommendations directly informing privacy law reform pathways. View the report here.
(2017) Data Availability and Use | Productivity Commission - This inquiry report analysed Australia’s data sharing and access framework, including privacy safeguards, and contextualised how privacy protections relate to broader data governance and economic policy. View the report here.
(2019) Digital Platforms Inquiry: Final Report | Australian Competition and Consumer Commission - This final report examined the competition, consumer protection and privacy challenges posed by major digital platforms, offering a broader context on the market and regulatory environment in which privacy issues arise. View the final report here.
[n.d.] Re-Identification Risk Quantification | CSIRO Data61 - Information Security and Privacy research - This research portal presented scientific work, publications and initiatives on privacy, security and data governance, providing technical grounding and evidence to support a deeper understanding of digital privacy challenges. View the research here.
Privacy Act 1988 (Cth) - Read the Act here.
Human Perspective:
Content Warning: This story contains mention of eating disorders.
Liam, a 17-year-old student in regional NSW, began receiving targeted advertisements relating to fitness and dieting. He had recently searched for support late at night on his laptop to help deal with his eating disorder, but had not entered his name, age, location, or even created an account. Despite that, over the next few days, advertisements for intense exercise regimes, strict dieting and weight-loss supplements began appearing across multiple platforms, taking advantage of his vulnerable state and worsening his condition. Without Liam’s knowledge, the websites he visited had recorded device identifiers and browsing patterns that allowed data brokers to distinguish his activity from other users. While his name was not attached to the dataset, the profile built around his device persisted even after the browsing session ended. This profile was categorised and sold as part of a behavioural advertising segment. Liam was unaware that his information was being collected and traded. Because he had not been identified by name, the data was not clearly treated as ‘personal information’. He had no practical way of knowing how his information was used, or of seeking correction or removal.
To protect the anonymity of those involved, this is a fictionalised account drawn from an amalgamation of real-life stories, experiences and testimonials gathered during the research process for this brief. Any resemblance to actual individuals is purely coincidental.
Conflict of interest/acknowledgment statement:
N/A
Support
If your organisation would like to add your support to this paper or suggest amendments, please email Info@foreaustralia.com.
Disclaimers
Please review all FORE disclaimers here.
Reference list:
Attorney-General’s Department. (2022). Privacy Act Review Report 2022. https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf
Attorney-General’s Department. (2023). Government Response to the Privacy Act Review Report. https://www.ag.gov.au/sites/default/files/2023-09/government-response-privacy-act-review-report.PDF
Australian Bureau of Statistics. (2021, August 11). Understanding re-identification. https://www.abs.gov.au/about/data-services/data-confidentiality-guide/understanding-re-identification
Australian Competition and Consumer Commission. (2019, June). Digital Platforms Inquiry Final Report. https://www.accc.gov.au/about-us/publications/digital-platforms-inquiry-final-report
Australian Law Reform Commission. (2008). For Your Information: Australian Privacy Law and Practice (ALRC Report 108). https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/
Australian Law Reform Commission. (2014). Serious Invasions of Privacy in the Digital Era (ALRC Report 123). https://www.alrc.gov.au/publication/serious-invasions-of-privacy-in-the-digital-era-alrc-report-123/
Baird, L. (2019, August 15). Myki Data Release Could Attract $500,000 Fine. The Australian Financial Review. https://www.afr.com/technology/myki-data-release-found-to-have-breached-privacy-laws-20190815-p52hbo
Bush, C., & Sibley, C. (2024, December 2). Public law essentials: Privacy. Clayton Utz. Accessed 9 April 2026. https://www.claytonutz.com/insights/2024/december/public-law-essentials-privacy
CHOICE. (2023). Privacy Reform Open Letter. https://www.choice.com.au/wp-content/uploads/2026/02/CHOICE-Privacy-Reform-Open-Letter.pdf
CSIRO. (2023, September 11). Re-identification Risk Quantification – Privacy Technology Group. Accessed 12 March 2026. https://research.csiro.au/isp/research/privacy/r4/
Culnane, C. (2019, August 15). Myki privacy derailed: travellers’ movements and identities at risk by public release of “anonymised data”. University of Melbourne. https://www.unimelb.edu.au/newsroom/news/2019/august/myki-privacy-de-railed-travellers-movements-and-identities-at-risk-by-public-release-of-anonymised-data
Donnellan, A. (2019, August 30). Engineering identity from anonymity: Our work on risks of re-identification. CSIRO. https://www.csiro.au/en/news/all/articles/2019/august/engineering-identity-from-anonymity-our-work-on-risks-of-re-identification-3
Electronic Frontiers Australia. (2024, September 12). Electronic Frontiers Australia Demands Urgent Privacy Reform. Electronic Frontiers Australia. Accessed 12 March 2026. https://efa.org.au/electronic-frontiers-australia-demands-urgent-privacy-reform/
European Commission. (n.d.). Data protection explained. Accessed 12 March 2026. https://commission.europa.eu/law/law-topic/data-protection/data-protection-explained_en
Gearin, M. (2019, August 16). ‘Shocking’ myki privacy breach for millions of users in data release. ABC News. https://www.abc.net.au/news/2019-08-16/myki-data-spill-breaches-privacy-for-millions-of-users/11416616
Information and Privacy Commission NSW. (2025, August 13). Fact Sheet - De-identification of personal information. https://www.ipc.nsw.gov.au/resources/fact-sheet-de-identification-personal information#:~:text=Techniques%20can%20include,information%20about%20individuals.
Johnston, A. (2023, May 4). Op-ed: To fix the Privacy Act, we need one extra sentence. CHOICE. https://www.choice.com.au/data-protection-and-privacy/protecting-your-data/data-laws-and-regulation/articles/op-ed-one-sentence-to-fix-the-privacy-act
Johnston, A. (2023, March 28). Privacy Act reforms – the devil is in the details. Helios Salinger. https://www.heliossalinger.com.au/2023/03/28/privacy-act-reforms/
Kemp, K. (2024, September 13). Long-overdue Australian privacy law reform is here — and it’s still incomplete. UNSW Newsroom. Accessed 25 February 2026. https://www.unsw.edu.au/newsroom/news/2024/09/long-overdue-australian-privacy-law-reform-is-here---and-it-s-st
King & Wood Mallesons. (2023, October). Privacy Annual Update 2023. https://www.kwm.com/content/dam/kwm/insights/download-publication/australia/2023/Privacy-in-Law-Annual-Update-2023.pdf
Office of the Australian Information Commissioner. (2018, March 21). De-identification and the Privacy Act. Accessed 25 February 2026. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/de-identification-and-the-privacy-act
Office of the Australian Information Commissioner. (2022). Chapter B: Key concepts. Accessed 4 March 2026. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-b-key-concepts
Office of the Victorian Information Commissioner. (2014). Your privacy rights. Accessed 25 February 2026. https://ovic.vic.gov.au/privacy/for-the-public/your-privacy-rights/
Office of the Victorian Information Commissioner. (2019, August 15). Disclosure of myki travel information Investigation under section 8C(2)(e) of the Privacy and Data Protection Act 2014 (Vic). https://ovic.vic.gov.au/wp-content/uploads/2019/08/Report-of-investigation_disclosure-of-myki-travel-information.pdf
Privacy Foundation Australia. (2022, January 24). Submission to the Attorney-General’s Department Privacy Act Review Discussion Paper. https://privacy.org.au/wp-content/uploads/2022/11/AGD-PActReview-220124.pdf
Privacy Act 1988 (Cth). https://www.legislation.gov.au/C2004A03712/latest/text
Productivity Commission. (2017, March 31). Data Availability and Use Inquiry Report. https://assets.pc.gov.au/inquiries/completed/data-access/report/data-access-overview.pdf#
Queensland Office of the Information Commissioner. (2009). Key privacy concepts - personal and sensitive information. Accessed 25 February 2026. https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/key-privacy-concepts/key-privacy-concepts-personal-information
Salinger Privacy. (2020, February 17). The Definition of Personal Information: Research Paper for the Office of the Australian Information Commissioner. OAIC. https://www.oaic.gov.au/__data/assets/pdf_file/0012/1308/definition-of-pi.pdf.pdf
Taylor, J. (2024, May 5). Third-party providers a customer data ‘weak spot’, Australian privacy commissioner says. The Guardian. https://www.theguardian.com/australia-news/article/2024/may/06/third-party-providers-a-customer-data-weak-spot-australian-privacy-commissioner-says
Taylor, J. (2025, July 16). Meta argues its AI needs personal information from social media posts to learn ‘Australian concepts’. The Guardian. https://www.theguardian.com/australia-news/2025/jul/17/meta-ai-facebook-instagram-personal-information-social-media-posts-learn-australian-concepts



