Fact Sheet - IP addresses and Privacy

Read the document below or download it here: Fact Sheet - IP addresses and privacy February 2026

Who is this information for? This fact sheet has been developed to provide NSW agencies and members of the public with general privacy information about IP addresses. 
Why is this information important to them? It is intended to assist in understanding how IP addresses can become personal information.

The Privacy and Personal Information Protection Act 1998 (PPIP Act) set out the rules for how personal information is to be managed by NSW Public Sector Agencies[1]. The PPIP Act sets out the requirements for collecting, using, storing, disclosing and securing personal informaion. There are 12 Information Protection Principles (IPPs) which govern the management of personal information.[2]

What is personal information?

Section 4 of the PPIP Act defines ‘personal information’ as:

“…information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can be reasonably be ascertained from the information or opinion”. 

For information to be personal information, it does not necessarily need to be written down and nor does it need to be of a particular type or category such as “sensitive” or “important” information.

The definition of personal information is broad and includes information where an individual can be directly identified from the information or whose identity can be reasonability ascertained by reference to other information.

What is an IP address?

An IP (Internet Protocol) address is a unique string of numbers separated by decimal points assigned to every device when it connects to the internet or a local network[3]. It is the identifier that allows information to be sent between devices on a network. It allows data to be sent to and from the correct device. An example of an IP address is 209.85.220.41.

Every device that connects to the internet gets an IP address. 

There are two main types of IP addresses that are generally assigned by an Internet Service Provider (ISP). They are a Dynamic IP address  a temporary address that changes regularly or a Static IP Address  a permanent address that stays the same over time. 

Is an IP address visible?

Yes, an IP address is generally visible to any website visited by the internet user. An IP address will be collected and stored by many websites on a permanent or temporary basis but generally only an ISP can link the IP address to an individual account holder. 

Is an IP address personal information?

An IP address can be personal information if it can be used to identify an individual, or it can be combined with other information in order to do so such as login details, email addresses, and device identifiers for example.

Although any website may collect and hold IP addresses, generally only an ISP can link it to the name of an individual account holder.[4] Because of this inability to link an IP address to an identifiable individual, there are a number of cases in jurisdictions outside NSW that express the view that an IP address in isolation is not personal information.[5]

The IPC shares the view that an IP address, in the absence of any information enabling it to be connected with an identifiable individual, is not personal information within the meaning of section 4 of the PPIP Act. 

However, if an IP address is linked to other information which would allow an individual to be reasonably identified, or their identity to be ascertained, then it will become personal information and subject to the privacy principles, including the obligations limiting its disclosure out of Australia.

Does it matter if an IP address is personal information?

Yes. If an IP address is personal information then agencies are required to protect it in the same way they protect other personal information under the PPIP Act. This means that all of the information protection principles (IPPs) will apply from collection, to storage, to use, disclosure and security and retention.

Will an IP Address Lookup make it personal information?

There are a number of IP address locator or lookup websites which will provide the name and geographical location of the entity to whom an IP address is registered. Because most internet users access the internet through an ISP, the locator or look up will reveal information about the ISP and not the individual internet user or individual. 

What should agencies do?

In collecting personal information, agencies should be purposeful and deliberate about what they collect, why they collect it and how they safeguard it. 

Agencies can take positive steps in protecting the privacy of individuals and the information, that it holds about individuals including IP addresses by:

  • updating privacy policies and privacy management plans to ensure they are clear and explain the personal information collected, including IP addresses.
  • making policies clear and specific about why IP addresses are collected, how they are used and in what circumstances it will be disclosed.
  • understanding your data flows, where IP addresses enter systems, and where they intersect with other data points.
  • recording where data is stored, who has access and how long it needs to be kept for.
  • reviewing storage periods consistent with record keeping requirements. If the personal information is no longer required for a legal purpose, securely delete it.
  • limiting the personal information collected and retained to only that which is required to undertake agency functions.
  • securing the personal information collected, with both technical and administrative controls including limiting access to only those who need access.
  • monitoring for unauthorised access and where appropriate using encryption at rest and in transit.
  • ensuring that a Data Breach Policy and Response Plan are in place, with clear roles and responsibilities assigned including regularly testing the policy.
  • reviewing arrangements in place with service providers who process IP addresses for the agency, including where they are stored and what security safeguards are in place.

 

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall:           1800 472 679
Email:              ipcinfo@ipc.nsw.gov.au 
Website:           www.ipc.nsw.gov.au 

NOTE: The information in this fact sheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.

The development of this fact sheet is based on, and informed by, material from guidance developed by the Office of the Information Commissioner – Queensland.

 

[1] Section 3 PPIP Act

[3] See Ellis v Office of the Victorian Information Commissioner [2024] VCAT 809

[4] State v. Reid (2008) 194 N.J. 386, 954 A.2d 503.

5. See Ellis v Officer of the Victorian information Commissioner [2024] VCAT 809; GMW v Victoria Legal Aid (Human Rights)

[2022] VCAT 922

How easy did you find it to understand this resource?
Have you used the information in this resource to assist you?
Fact Sheet - IP addresses and Privacy February 2026
Aboriginal and Torres Strait Islander Flags
We acknowledge Aboriginal and Torres Strait Islander peoples as custodians of Australia and pay our respects to Elders, past and present. We also acknowledge the ongoing connection to land, sea and communities throughout Australia, and the contributions to the lives of all Australians. 

IPC logo.

© IPC

CC logo

Navigate

Useful links

IPC Social Media

   Linkedin

 

IPC Social Media Terms of Use