Privacy Policy: How do I draft the ‘sensitive information’ clause?

To ensure that your business complies with the Australian Privacy Principles (contained within the Privacy Act), your business should have an easily accessible Privacy Policy on your website. The Privacy Policy needs to set out how your business will collect personal information, what personal information will be collected, how the personal information will be used and disclosed, and how the personal information will be stored.
It is important to note that sensitive information is a special subset of personal information and, therefore, needs to be dealt with differently.
What is sensitive information and how is it collected?
Sensitive information must not be collected unless the customer consents to the collection of the information and the information is reasonably necessary for one or more of the functions of your business. For clarification on what is regarded as sensitive information, it is advisable that you speak with an online solicitor.
The following all constitute sensitive information:
- Racial or ethnic origin, political opinions, religion, trade union or other professional association or memberships, philosophical beliefs, sexual orientation or practices, criminal records;
- Health information; or
- Biometric information;
Where personal information that is also sensitive information is collected for a particular purpose i.e. the primary purpose, you cannot disclose it for another purpose i.e. a secondary purposes unless:
- The customer would reasonably expect you to use or disclose such sensitive information for the secondary purpose; and
- The secondary purpose is directly related to the primary purpose.
Under what circumstances can sensitive information be disclosed?
Sensitive information may also be disclosed if:
- The disclosure is required under Australian law;
- A permitted general situation exists;
- A permitted health situation exists; or
- You reasonably believe that the use or disclosure of such information is necessary for an enforcement related activity conducted by or on behalf of an enforcement body.
Conclusion
Businesses operating in the medical or disability sector generally collect, use and disclose sensitive information. If your business deals with sensitive information, you need to ensure that the sensitive information is well protected. If you have concerns as to your obligations under the Australian Privacy Principles, you should speak with an experienced contract lawyer as soon as possible.
Redundancies and Restructuring: Understanding Your Employer Obligations
Thursday 7 July | 11:00 - 11:45am
Online
How to Sponsor Foreign Workers For Your Tech Business
Wednesday 13 July | 11:00 - 11:45am
Online
Advertising 101: Social Media, Influencers and the Law
Thursday 21 July | 11:00 - 11:45am
Online
Structuring for Certainty in Uncertain Times
Tuesday 26 July | 12:00 - 12:45pm
Online
Playing for the Prize: How to Run Trade Promotions
Thursday 28 July | 11:00 - 11:45am
Online
Web3 Essentials: Understanding SAFT Agreements
Tuesday 2 August | 11:00 - 11:45am
Online
Understanding Your Annual Franchise Update Obligations
Wednesday 3 August | 11:00 - 11:45am
Online
Legal Essentials for Product Manufacturers
Thursday 11 August | 11:00 - 11:45am
Online
Was this article helpful?
We appreciate your feedback – your submission has been successfully received.
About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.
By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.
If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.