Sensitive Information: Privacy Compliance and Best Practices

Authors: Gianluca Pecora & Megan Adams, Progressive Legal


All businesses collect some customer data. Sometimes a business will need to collect and use sensitive information to provide its services. Given recent privacy breaches, customers are becoming increasingly apprehensive about providing this information. To comply with the Privacy Act 1988 and increase confidence in your business, it’s important to understand when data is sensitive information and when it is acceptable to disclose that sensitive information.

If your business collects sensitive information, it is a requirement to have the individual’s express consent to collect and store this information. Adding a detailed privacy policy can be a great start to maximising customer confidence that their sensitive information is secure. 

What is sensitive information under the Privacy Act?  

Sensitive information can often get mixed up with personal information. Personal information is a broader description for all information or opinion about an identified person – including name, signature, address, phone number, date of birth, email address, credit information, employee record information, photographs, internet protocol (IP) addresses, voice print and facial recognition biometrics, and location information from a mobile device.

A subset of personal information is sensitive information, which the Privacy Act treats with a higher level of protection. This is to account for discrimination, mistreatment, humiliation and embarrassment that may result from the release of an individual’s sensitive information. 

The Privacy Act says sensitive information means information or an opinion about an individual’s: 

  • racial or ethnic origin; or 
  • political opinions; or 
  • membership of a political association; or 
  • religious beliefs or affiliations; or 
  • philosophical beliefs; or 
  • membership of a professional or trade association; or 
  • membership of a trade union; or 
  • sexual orientation or practices; or 
  • criminal record; 

that is also personal information; or 

  • health information about an individual; or 
  • genetic information about an individual that is not otherwise health information; or 
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or 
  • biometric templates. 

Racial or ethnic origin 

Information that clearly implies the racial or ethnic origin of a person. The surname of a person is not enough to meet this threshold for sensitive information.

Political opinions, philosophical beliefs and religious beliefs

The Privacy Act does not specifically define these terms, so they adopt their ordinary meaning and should be interpreted broadly.

Genetic information about an individual that is not otherwise health information

Information that is predictive of the health of the individual or a genetic relative (Health Records and Information Privacy Act 2002 (NSW) section 6(d)).

Biometric information that is to be used for the purpose of automated biometric verification or biometric identification 

According to the Biometrics Institute (Types of Biometrics), biometric information includes a person’s fingerprint, iris print, hand, face, voice, gait or signature, which may be used to confirm an individual’s identity and authorise access to restricted areas.

Biometric templates

Digital representations of the biometric samples listed.

When can I use sensitive information?

Direct purpose and reasonable expectation of disclosure

There is a two-limb test that must be satisfied before using or disclosing an individual’s sensitive information: 

  1. the purpose of disclosure must directly relate to the primary purpose for which the sensitive information was collected; and 
  2. the individual whose sensitive information is being held must reasonably expect the information to be used in this way. 

An example of appropriate disclosure was in F v Medical Specialist [2009] PrivCmrA, where a healthcare consultant who refused to treat a patient disclosed that patient’s sensitive information to the clinic manager.

The disclosure’s purpose was to explain to another provider the patient’s need for treatment and to justify the first practitioner’s refusal to treat the patient. This was found to be directly related to the original purpose of obtaining the sensitive information.

Individual’s consent

Sensitive information can be disclosed when the affected individual provides ‘express consent or implied consent’.  

For valid consent, the individual giving their consent must: 

  1. be adequately informed before giving consent; 
  2. give the consent voluntarily; 
  3. give consent that is current and specific; and 
  4. have capacity to understand and communicate their consent. 

Authorised by law

Sensitive information can be disclosed when an Australian law or a court/tribunal order authorises disclosure.   

Common instances where disclosure is authorised include:  

  • when a court issues a warrant, order or notice to provide information or produce records or documents on hold; 
  • when there is a statutory requirement to report financial transactions, notifiable diseases or suspected child abuse to an enforcement body or agency; and 
  • when a law clearly and specifically authorises an entity to disclose.

Permitted general situation

Sensitive information can be disclosed to: 

  1. lessen or prevent a serious threat to life, health and safety; 
  2. take appropriate action in relation to suspected unlawful activity or serious misconduct; 
  3. locate a person reported as missing; 
  4. establish, exercise or defend a legal or equitable claim – if disclosure is necessary;  
  5. conduct confidential alternative dispute resolution – if disclosure is necessary; 
  6. conduct a diplomatic or consular function or activity; and 
  7. conduct certain Defence Force activities outside Australia. 

Permitted health situation

Sensitive information can be disclosed in ‘permitted health situations’:

  • to conduct research, compile, or analyse statistics or manage, fund or monitor a health service – in this complex situation, we recommend seeking legal advice; 
  • necessary to prevent a serious threat to the life, health or safety of a genetic relative; and 
  • to disclose sensitive information to a person responsible for an individual. 

This exception is only available to organisations and not government agencies.

Enforcement-related activity

Sensitive information can be disclosed to a law enforcement body when the disclosure is reasonably believed to be necessary for law enforcement activity.

Law enforcement bodies include: 

  • State and Territory Police; 
  • Australian Federal Police; 
  • Australian Crime Commission; 
  • Customs; 
  • the Integrity Commissioner; 
  • the Immigration Department; 
  • Australian Prudential Regulation Authority; 
  • The Australian Securities and Investments Commission; and 
  • AUSTRAC. 

This exception also applies to disclosure of biometric information to police and other enforcement bodies.

Key Takeaways

To ensure a robust and trustworthy approach to handling customer data, it is imperative to be discerning about what constitutes sensitive information. Always seek and meticulously document explicit consent before gathering any sensitive data. Moreover, consider implementing a comprehensive privacy policy as a crucial step to bolster customer assurance in the security of this type of information.

If you require a privacy policy or legal advice in relation to whether you can disclose sensitive information, our privacy lawyers at Progressive Legal are experts in the field. Feel free to call our office at 1800 820 083 or request our expert advice below.
