What is considered 'sensitive information' under the Privacy Act, and what extra protections does it have?
In Plain English
The Privacy Act 1988 defines "sensitive information" to include things like your health details and genetic information. Because this type of information is highly personal and could be misused, the Act places extra restrictions on how it can be collected, used, and shared. Generally, organizations need your consent to collect sensitive information, unless a specific exception applies.
Detailed Explanation
The Privacy Act 1988 defines "sensitive information" in section 6; the definition includes health information and genetic information. The Privacy (Guidelines issued under section 95AA) Approval 2024 further clarifies that genetic information that is (or could be) predictive of an individual's health is treated as health information, while genetic information that is not otherwise health information, such as the result of a parentage test, is treated as sensitive information.
Australian Privacy Principle (APP) 3.3 of the Privacy Act 1988 specifically addresses the collection of sensitive information, prohibiting its collection unless the individual consents or an exception applies. The Privacy (Guidelines issued under section 95AA) Approval 2024 reinforces this by restating the same prohibition.
APP 7.4 of the Privacy Act 1988 states that an organization may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.