Why does saying ‘PII’ annoy privacy and legal professionals when talking about Australian privacy law?

“PII” annoys privacy professionals in Australia because the correct legal term is “personal information,” which covers any data that could identify someone, including opinions and technical details. Using “PII” imports a narrower US definition that doesn’t match Australian law or compliance needs.

Because Australian privacy law uses the defined term “personal information” in the Privacy Act 1988 and the Australian Privacy Principles (APPs), not “PII,” using “PII” signals a different legal framework and can misstate obligations under Australian law. “PII” is a US-centric term (e.g., NIST SP 800-122) with a different scope, so it often narrows the conversation in ways that are inaccurate for Australia, which annoys privacy and legal professionals who need precise statutory language.

Use the correct term

In a recent conversation with Chris Brinkworth, Managing Partner at Civic Data, he reiterated that PII in Australian law has a different meaning than what most, including ourselves, use in our language. To help explain the difference, we created this post for our Australian audience.

The Privacy Act defines “personal information” as “information or an opinion about an identified individual, or an individual who is reasonably identifiable,” and this is the cornerstone concept used by OAIC and the APPs across all compliance activities. Australian regulators and guidance consistently apply “personal information” (and the subset “sensitive information”), so substituting “PII” implies reliance on foreign definitions instead of the Australian statute and guidance.

Scope differences matter

Australian “personal information” covers any information or opinion that is about an individual and makes them identified or reasonably identifiable, including technical data (like IP addresses) and inferred opinions, which many people using “PII” mistakenly treat as out of scope. By contrast, US definitions of “PII” typically focus on information that distinguishes or traces identity or is linked or linkable, which can lead teams to under-classify Australian-relevant data types if they import that framing.

Practical risks of saying “PII”

  • It can cause teams to overlook opinions and inferences as regulated data, even though OAIC guidance makes clear those can be personal information when they are about a person and that person is reasonably identifiable.
  • It can lead to underestimating obligations for technical identifiers (e.g., IP addresses or device-related data) that may be personal information in context under the Australian test.
  • It can muddle stricter rules for “sensitive information,” which is a defined subset with higher protections in Australia, not a concept typically captured by generic “PII” usage.
  • It can misjudge de-identification, because Australia’s “reasonably identifiable” and re-identification risk analysis are context-specific and central to whether information is still personal information.
  • It can misalign policies, notices, contracts, and APP controls, which must map to APP requirements keyed to “personal information” rather than a foreign “PII” construct.

What to say instead

Use “personal information” when referring to regulated data under the Privacy Act, and “sensitive information” when the stricter subset applies, aligning with OAIC guidance and APP terminology. When discussing anonymization or pseudonymization, anchor on OAIC’s definitions of de-identification and the “reasonably identifiable” test rather than importing US “PII” heuristics.

Quick examples

  • An IP address or location trail can be personal information if, in context, an individual is reasonably identifiable to the entity handling it, so treating it as “not PII” would be the wrong frame in Australia.
  • An opinion about a person (e.g., a referee comment) or preferences inferred from browsing or purchases can be personal information, and ignoring that because it’s “not PII” misses the Australian definition.

About Civic Data

Civic Data are assisting businesses to collect, organise, analyse and activate data for Privacy First Marketing and Communications initiatives, in line with current and future Australian Privacy Principles. They call this 'Compliant Growth'.