Privacy Policy: How do I draft the ‘sensitive information’ clause?

To ensure that your business complies with the Australian Privacy Principles (contained within the Privacy Act), your business should have an easily accessible Privacy Policy on your website. The Privacy Policy needs to set out how your business will collect personal information, what personal information will be collected, how the personal information will be used and disclosed, and how the personal information will be stored.

It is important to note that sensitive information is a special subset of personal information and, therefore, needs to be dealt with differently.

What is sensitive information and how is it collected?

Sensitive information must not be collected unless the customer consents to the collection of the information and the information is reasonably necessary for one or more of the functions of your business. For clarification on what is regarded as sensitive information, it is advisable that you speak with an online solicitor.

The following all constitute sensitive information:

• Racial or ethnic origin, political opinions, religion, trade union or other professional association or memberships, philosophical beliefs, sexual orientation or practices, criminal records;

• Health information; or
• Biometric information;

Where personal information that is also sensitive information is collected for a particular purpose i.e. the primary purpose, you cannot disclose it for another purpose i.e. a secondary purposes unless:

• The customer would reasonably expect you to use or disclose such sensitive information for the secondary purpose; and
• The secondary purpose is directly related to the primary purpose.

Under what circumstances can sensitive information be disclosed?

Sensitive information may also be disclosed if:

• The disclosure is required under Australian law;
• A permitted general situation exists;
• A permitted health situation exists; or
• You reasonably believe that the use or disclosure of such information is necessary for an enforcement related activity conducted by or on behalf of an enforcement body.

Conclusion

Businesses operating in the medical or disability sector generally collect, use and disclose sensitive information. If your business deals with sensitive information, you need to ensure that the sensitive information is well protected. If you have concerns as to your obligations under the Australian Privacy Principles, you should speak with an experienced contract lawyer as soon as possible.