22.2 ‘Sensitive information’ is a subset of ‘personal information’. ‘Sensitive information’ is defined in s 6(1) of the Privacy Act to mean information or an opinion about an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual preferences or practices; or
  • criminal record.

22.3 ‘Sensitive information’ also includes health information[1] and genetic information about an individual that is not otherwise health information.[2]

22.4 In general terms, there is a correlation between the categories of sensitive information provided for in the Privacy Act and the grounds of discrimination provided for under federal and state legislation.[3] Similarly, Australia’s international law obligations are triggered by an asylum seeker who has a well-founded fear of persecution by reason of his or her ‘race, religion, nationality, membership of a particular social group or political opinion’.[4] The fact that three of these grounds—race, religion and political opinion—are also categories of ‘sensitive information’ in s 6(1) of the Privacy Act reflects the inherent dangers that may arise where personal information of this nature is misused.

22.5 Sensitive information is given a higher level of protection under the NPPs; in particular, in relation to its collection. The Information Privacy Principles (IPPs), in contrast, do not provide for additional protection in respect of any aspect of the handling of sensitive information by agencies. The current coverage of the NPPs and IPPs is discussed below.

22.6 There is international precedent for providing additional privacy protections in respect of sensitive information. The European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995) (EU Directive) recognises ‘special categories of data’, which are defined as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life’.[5] Article 8 prohibits the processing of this kind of information without consent, except in specified circumstances. It also allows member states to prohibit the processing of such information, even with the consent of the individual concerned.

22.7 A Working Party on the Protection of Individuals with regard to the Processing of Personal Data, set up under art 29 of the EU Directive, highlighted the importance of providing additional protection to sensitive information, by stating that

where ‘sensitive’ categories of data are involved … additional safeguards should be in place, such as a requirement that the data subject gives his/her explicit consent for the processing.[6]

22.8 The Data Protection Act 1998 (UK), for example, prohibits the processing of sensitive information unless one of ten specified conditions applies.[7]

[1] Privacy Act 1988 (Cth) s 6(1). The definition of ‘health information’ is discussed in Ch 62.

[2] The definitions of ‘personal information’ and ‘sensitive information’ are discussed in more detail in Ch 6, as are the ALRC’s recommendations concerning their amendment.

[3] Compare Privacy Act 1988 (Cth) s 6(1) with, eg, Racial Discrimination Act 1975 (Cth); Sex Discrimination Act 1984 (Cth); Disability Discrimination Act 1992 (Cth).

[4] See Migration Act 1958 (Cth) s 36, incorporating the Convention relating to the Status of Refugees, 28 July 1951, [1954] ATS 5, (entered into force generally on 22 April 1954).

[5] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995) art 8.

[6] European Commission Working Party on the Protection of Individuals With Regard to the Processing of Personal Data, Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, 24 July 1998. See also Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) sch 1, cl 4.3.6, which provides that an organisation should generally seek express, as opposed to implied, consent when the information is likely to be considered sensitive.

[7] See The Data Protection Act 1998 (UK) sch 1, Principle 1; sch 3.