Sensitive information

6.88 ‘Sensitive information’ is a sub-set of personal information and is given a higher level of protection under the NPPs. The IPPs do not refer to sensitive information and agencies are required to handle all information, including sensitive information, in accordance with the IPPs. The principles recommended for handling sensitive information, and their extension to agencies, are discussed further in Chapter 22.

6.89 ‘Sensitive information’ is defined in the Privacy Act to mean information or an opinion about an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual preferences or practices; or
  • criminal record.

6.90 ‘Sensitive information’ also includes health information[98] and genetic information about an individual that is not otherwise health information.[99]

6.91 ‘Sensitive information’ is subject to a higher level of privacy protection than other ‘personal information’ handled by organisations in the following ways:

  • ‘sensitive information’ may only be collected with consent, except in specified circumstances. Consent is generally not required to collect ‘personal information’ that is not ‘sensitive information’;[100]
  • ‘sensitive information’ must not be used or disclosed for a secondary purpose unless the secondary purpose is directly related to the primary purpose of collection and within the reasonable expectations of the individual;[101]
  • ‘sensitive information’ cannot be used for the secondary purpose of direct marketing;[102] and
  • ‘sensitive information’ cannot be shared by ‘related bodies corporate’ in the same way that they may share other ‘personal information’.[103]

6.92 Similar classes of personal information are included in the definitions of ‘sensitive information’ in the Victorian, Tasmanian and Northern Territory privacy legislation.[104] Health information is not included in the definition of ‘sensitive information’ in Victoria because it is covered separately by the Health Records Act 2001 (Vic). The Privacy and Personal Information Protection Act 1998 (NSW) does not include a definition of sensitive information.

6.93 The Council of Europe Convention and OECD Guidelines do not specifically address sensitive information. Indeed, the Explanatory Memorandum to the OECD Guidelines expresses the view that ‘it is probably not possible to identify a set of data which are universally regarded as being sensitive’.[105]

6.94 Article 8 of the EU Directive deals with ‘special categories of data’, which are defined as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life’. Article 8 prohibits the processing of this kind of information without consent except in specified circumstances and allows Member States to prohibit processing such data even with the consent of the data subject. The EU Directive also refers to ‘sensitive data’ but does not define the term.[106]

6.95 Sensitive information is provided with additional protection in the Privacy Act for a number of reasons. Information relating to race or ethnic origin, political or religious beliefs, trade union membership and sexual orientation, for example, is highly personal and may provide the basis for unjustified discrimination. In addition, this sort of information is likely to be necessary for the functions and activities of agencies and organisations in very limited circumstances. Health information, genetic information and criminal record information also is highly personal and has the potential to give rise to unjustified discrimination against individuals.

6.96 In IP 31, the ALRC asked whether the existing definition of ‘sensitive information’ was adequate and appropriate.[107] The major issues raised by stakeholders in response were: information made sensitive by context; financial information; and biometric information.

Information made sensitive by context

6.97 In its submission to the Inquiry, the NHMRC stated that:

it is extremely difficult to establish the categories of information which universally would be considered ‘sensitive’ either because of the nature of the information, the context in which it is handled or the views of the person to whom the information relates.

We note that the Personal Information Protection and Electronic Documents Act 2000 (Canada) does not define ‘sensitive information’ and that the Model Code allows an organisation discretion in determining whether information is sensitive. We also note that the sensitivity of certain categories of information may vary between cultures and individuals.[108]

6.98 The Canadian Personal Information Protection and Electronic Documents Act 2000 states that:

Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.[109]

6.99 The NHMRC suggested that the categories of information included in the definition of ‘sensitive information’ might be amended by regulation to provide some flexibility.[110] The CSIRO suggested that sensitive information should include ‘culturally sensitive data’ or other data deemed to be sensitive by the data provider.[111]

6.100 The Queensland Government Commission for Children and Young People and Child Guardian noted that:

For instance, a health practitioner receiving information relating to the abuse or neglect of a child may consider this information to be health information, and hence deal with it under the specific health privacy regime. However, if the same information is received by a child welfare practitioner it is not likely to be considered purely health information. The classification of child abuse information thus appears to depend not only on its nature, but also the context in which it is received.[112]

6.101 DLA Phillips Fox, however, suggested that:

Introducing more subjective criteria (such as the sensitivity of the information taking into account surrounding circumstances) would:

  • result in greater uncertainty of application; and
  • reduce the ability of organisations to implement broad guidelines for the treatment of categories of information so as to ensure compliance with the NPPs (and equivalent state and territory requirements).[113]

ALRC’s view

6.102 The ALRC recognises that personal information can become more or less sensitive because of the context in which it is considered and notes that this can apply to almost any personal information. The definition of ‘sensitive information’, however, should not be amended to include information made sensitive by context. On balance, the existing approach of listing categories of information as sensitive provides greater certainty. This is important because the Privacy Act imposes stringent requirements for handling sensitive information.

6.103 In particular, the Privacy Act and the model UPPs provide that sensitive information should generally be collected with consent and should be used only for the purpose for which the information was collected or a directly related secondary purpose. This regime is significantly different to the regime regulating the handling of other personal information, which can be collected without consent and used and disclosed for a broader range of purposes. It is important to be clear about what information is covered by the more stringent requirements.

Financial information

6.104 A number of stakeholders suggested that sensitive information should include financial information,[114] while others described consumer credit information as sensitive.[115] The OPC stated that:

Community attitudes research undertaken by the Office in 2001 and 2004 has indicated that individuals consider financial information to be very sensitive. In both community attitudes surveys, financial information was the top response for individuals when rating what types of information they were most reluctant to provide to organisations.[116]

6.105 Legal Aid Queensland, however, noted in its submission:

That obtaining consent as the primary criteria for the release of financial information fails to recognise the inherent disparity in the bargaining positions of consumers and corporations.[117]

6.106 A number of other stakeholders were of the view that financial information should not be included in the definition of ‘sensitive information’.[118]

ALRC’s view

6.107 Financial information should not be included in the definition of ‘sensitive information’ in the Privacy Act. Financial information is sensitive in some respects and does require appropriate handling, for example, appropriate security. Financial information has a number of characteristics, however, that set it apart from the categories of information currently included in the definition of sensitive information. In particular, it does not relate to the physical attributes or personal beliefs of the individual in the same way as other information currently defined as sensitive.

6.108 In addition, agencies and organisations often have a legitimate interest in an individual’s financial information, for example, in relation to providing credit. Such information is necessary to the functions and activities of agencies and organisations in order to protect the interests of all parties to transactions. The Privacy Act already recognises that personal information relating to credit can be prejudicial and should only be collected, used and disclosed in appropriate circumstances. The Act provides a range of safeguards in relation to credit reporting that are discussed in detail in Part G. It is important to note, however, that these safeguards are not the same as the safeguards provided in relation to ‘sensitive information’. For example, the credit reporting provisions do not require consent for the collection of credit information.

Biometric information

6.109 Biometric information can be ‘personal information’ for the purposes of the Privacy Act in some circumstances, that is, where an individual’s identity is apparent or can reasonably be ascertained from the information.[119] A number of stakeholders suggested that biometric information, like genetic information, should be accorded the higher protection provided by the Privacy Act in relation to ‘sensitive information’.[120] Concern has been expressed that biometric technologies, such as facial recognition technologies, may be used to identify individuals without their knowledge or consent,[121] and that biometric information could reveal other sensitive personal information, such as information about a person’s health, racial or ethnic origin or religious beliefs.[122]

6.110 The Biometrics Institute describes the nature of biometric technology as follows:

Biometric technology involves the storage and use of unique personal information to verify the identity of an individual. These unique identifiers are based on personal attributes such as fingerprints, DNA, iris, facial features, hand geometry, voice etc. Even a photograph could be described as one of the lower levels of biometric recognition.[123]

6.111 As discussed in Chapter 9, in a typical biometric system a biometric device, such as a finger scanner, is used to take a biometric sample from an individual. Data from the sample are then analysed and converted into a biometric template, which is stored in a database or an object in the individual’s possession, such as a smart card. Later biometric samples taken from the individual can then be compared to the stored biometric template to identify the individual (identification, or one-to-many matching) or to attempt to verify that an individual is who he or she claims to be (verification, or one-to-one matching).

6.112 Recognising some of the special sensitivities around the use of biometric technology, the Biometrics Institute, in consultation with the OPC, has developed a privacy code to regulate the handling of biometric information.[124] The code binds private sector organisations that apply to become Code Subscribers and whose applications are approved by the Biometrics Institute Board. To date, only four organisations have elected to be bound by the Code.

6.113 The Biometrics Institute Privacy Code includes a number of Supplementary Biometrics Institute Privacy Principles. One of the additional principles is similar in scope to the protection provided for ‘sensitive information’ by NPP 2.1(a):

Secondary analysis or function creep of biometric information collected for purposes such as authentication or identification is not permitted without express free and informed consent. For example biometric information collected for the purposes of authentication and identification shall not be used to examine that information in search of genetic patterns or disease identification without express free and informed consent.[125]

6.114 In its submission to the Inquiry, the Health Informatics Society of Australia noted that:

Sensitive information by definition relates to those areas where prejudices can prevail, eg sexual preferences, political or religious beliefs, criminal records, etc. The concern individuals have over the way that other parties might act based on the knowledge gained from genetic information puts this into the sensitive information category. Furthermore, biometric information can be considered sensitive since it is fixed and unlike a password or PIN cannot be reset once it has been inappropriately released.[126]

6.115 The OPC expressed the view that:

all biometric template information should be covered by the stricter provisions in the Privacy Act for sensitive information. However, it may be impractical and undesirable for all biometric samples to be included under the definition of sensitive information, especially where there is no intention to use the sample for biometric matching or identification. For example, it would be difficult and overly burdensome to require consent every time a photograph of a person (technically a biometric sample) is taken.

The Office takes the view that sensitive information provisions should only apply to: (a) biometric samples collected for the purpose of biometric matching or biometric identification; and (b) biometric template information.

The Office notes however that biometric samples—if they were to fall outside this definition of sensitive information—may still be covered by the Privacy Act as personal information and therefore achieve legislative protections. Furthermore, as noted in IP31 (at IP31 paragraph 11.46) there may be instances where a biometric sample reveals sensitive information about an individual such as health information and will thus be defined as sensitive information under the Privacy Act.[127]

Discussion Paper proposal

6.116 In DP 72 the ALRC proposed that the definition of ‘sensitive information’ be amended to include: biometric information collected for the purpose of automated biometric authentication or identification; and biometric template information.[128] There was significant support for this proposal.[129]

6.117 A small number of stakeholders did not support the proposal.[130] The Australian Government Department of Defence did not support extending the definition of ‘sensitive information’ to include biometric template information.[131]

6.118 Professor Michael Wagner, of the National Centre for Biometric Studies at the University of Canberra, noted in correspondence to this Inquiry that biometric templates contain ‘all the salient information necessary to authenticate or identify a person’ and that ‘this will potentially include sensitive information related to age, gender, [and] health’. He stated that:

Biometric templates are not essentially different from the original biometric information. Therefore I believe that both original biometric information and biometric templates should equally be treated as sensitive and protected correspondingly.[132]

ALRC’s view

6.119 The definition of sensitive information should be amended to include certain biometric information. Biometric information shares many of the attributes of information currently defined as sensitive in the Privacy Act. It is very personal because it is information about an individual’s physical self. Biometric information can reveal other sensitive information, such as health or genetic information and racial or ethnic origin. Biometric information can provide the basis for unjustified discrimination.

6.120 The ALRC recognises that requiring consent to collect all biometric information may be impracticable. For this reason, the ALRC has limited the type of biometric information to be included in the definition of sensitive information—namely, biometric information collected for use in automated biometric verification and identification systems and biometric template information. This recommendation is intended to address the most serious privacy concerns around the handling of biometric information, for example, that such information may be used to identify individuals without their knowledge or consent.

6.121 The provisions of the Privacy Act relating to sensitive information do not currently apply to agencies. In Chapter 22, the ALRC recommends that the requirements in the model UPPs dealing with ‘sensitive information’ apply to both agencies and organisations.[133] The ALRC also recommends broadening the circumstances in which sensitive information may be collected without consent to include collection ‘required or authorised by or under law’ to meet concerns raised by agencies.[134] Where biometric information is to be collected by agencies, for example, for inclusion in automated biometric verification or identification systems, such as the ‘SmartGate’ automated border processing system,[135] such collection should be carried out on the basis of consent, or as required or authorised by or under law.

Sexual orientation and practices

6.122 In DP 72, the ALRC also suggested that the reference to ‘sexual preferences and practices’ in the definition of ‘sensitive information’ be changed to ‘sexual orientation and practices’.[136] This was on the basis that the term ‘sexual orientation’ is consistent with language used in recent federal legislation[137] and state and territory anti-discrimination and human rights legislation.[138] It also reflects modern usage. A number of stakeholders expressed support for this change.[139]

Recommendation 6–4 The definition of ‘sensitive information’ in the Privacy Act should be amended to include:

(a) biometric information collected for the purpose of automated biometric verification or identification; and

(b) biometric template information.

Recommendation 6–5 The definition of ‘sensitive information’ in the Privacy Act should be amended to refer to ‘sexual orientation and practices’ rather than ‘sexual preferences and practices’.

[98] Privacy Act 1988 (Cth) s 6(1). The definition of ‘health information’ is discussed in Ch 62.

[99] Privacy Legislation Amendment Act 2006 (Cth). In the report Essentially Yours (ALRC 96), the ALRC and AHEC considered the definition of ‘sensitive information’. They came to the conclusion that the definition did not provide an appropriate level of protection for genetic information that did not fall within the definition of health information—for example, genetic information derived from parentage or other identification testing that is not predictive of health—and recommended that the definition be amended to clarify this issue: Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–5. The Australian Government accepted this recommendation and the relevant amendment came into force in September 2006.

[100] Privacy Act 1988 (Cth) sch 3, NPP 10.

[101] Ibid sch 3, NPP 2.1(a).

[102] Ibid sch 3, NPP 2.1(c).

[103] Ibid s 13B.

[104] Information Privacy Act 2000 (Vic) sch 1; Personal Information Protection Act 2004 (Tas) s 3; Information Act 2002 (NT) s 4. Note, however, that the Northern Territory Act does not specifically refer to ‘an opinion’ about those matters.

[105] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Explanatory Memorandum, [19].

[106] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), arts 34, 70.

[107] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 3–4.

[108] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[109] Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) sch 1, cl 4.3.

[110] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[111] CSIRO, Submission PR 176, 6 February 2007.

[112] Queensland Government Commission for Children and Young People and Child Guardian, Submission PR 171, 5 February 2007.

[113] DLA Phillips Fox, Submission PR 111, 15 January 2007.

[114] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[115] National Legal Aid, Submission PR 265, 23 March 2007; J Harvey, Submission PR 12, 25 May 2006.

[116] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See Office of the Privacy Commissioner, Community Attitudes Research 2001, 2004, available at <www.privacy.gov.au/business/research/index.html>.

[117] Legal Aid Queensland, Submission PR 292, 11 May 2007.

[118] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[119] Biometric systems technologies are discussed further in Ch 9.

[120] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; AAMI, Submission PR 147, 29 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[121] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 12–13.

[122] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), 6; M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002).

[123] Biometrics Institute, Biometrics Institute Privacy Code Information Memorandum (2006), 1.

[124] Biometrics Institute, Biometrics Institute Privacy Code (2006).

[125] Ibid, 12.3.

[126] Health Informatics Society of Australia, Submission PR 196, 16 January 2007.

[127] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[128] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–6.

[129] Unisys, Submission PR 569, 12 February 2008; Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[130] Confidential, Submission PR 536, 21 December 2007.

[131] Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[132] M Wagner, Correspondence, 16 January 2008.

[133] Rec 22–1.

[134] Rec 22–2.

[135] SmartGate is an automated border processing system. It performs the customs and immigration checks normally made by a Customs Officer on arrival in Australia. SmartGate takes a live image of an individual’s face and using facial recognition technology matches that image with the digitised image stored in an ePassport.

[136] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–7.

[137] Private Health Insurance Act 2007 (Cth) s 55.5.

[138] Equal Opportunity Act 1995 (Vic) s 6; Charter of Human Rights and Responsibilities Act 2006 (Vic) s 3; Equal Opportunity Act 1984 (WA) s 35O; Anti-Discrimination Act 1998 (Tas) s 16; Human Rights Act 2004 (ACT) s 8.

[139] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.