6.88 ‘Sensitive information’ is a sub-set of personal information and is given a higher level of protection under the NPPs. The IPPs do not refer to sensitive information and agencies are required to handle all information, including sensitive information, in accordance with the IPPs. The principles recommended for handling sensitive information, and their extension to agencies, are discussed further in Chapter 22.
6.89 ‘Sensitive information’ is defined in the Privacy Act to mean information or an opinion about an individual’s:
6.90 ‘Sensitive information’ also includes health information[98] and genetic information about an individual that is not otherwise health information.[99]
6.91 ‘Sensitive information’ is subject to a higher level of privacy protection than other ‘personal information’ handled by organisations in the following ways:
6.92 Similar classes of personal information are included in the definitions of ‘sensitive information’ in the Victorian, Tasmanian and Northern Territory privacy legislation.[104] Health information is not included in the definition of ‘sensitive information’ in Victoria because it is covered separately by the Health Records Act 2001 (Vic). The Privacy and Personal Information Protection Act 1998 (NSW) does not include a definition of sensitive information.
6.93 The Council of Europe Convention and OECD Guidelines do not specifically address sensitive information. Indeed, the Explanatory Memorandum to the OECD Guidelines expresses the view that ‘it is probably not possible to identify a set of data which are universally regarded as being sensitive’.[105]
6.94 Article 8 of the EU Directive deals with ‘special categories of data’, which are defined as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life’. Article 8 prohibits the processing of this kind of information without consent except in specified circumstances and allows Member States to prohibit processing such data even with the consent of the data subject. The EU Directive also refers to ‘sensitive data’ but does not define the term.[106]
6.95 Sensitive information is provided with additional protection in the Privacy Act for a number of reasons. Information relating to race or ethnic origin, political or religious beliefs, trade union membership and sexual orientation, for example, is highly personal and may provide the basis for unjustified discrimination. In addition, this sort of information is likely to be necessary for the functions and activities of agencies and organisations in very limited circumstances. Health information, genetic information and criminal record information are also highly personal and have the potential to give rise to unjustified discrimination against individuals.
6.96 In IP 31, the ALRC asked whether the existing definition of ‘sensitive information’ was adequate and appropriate.[107] The major issues raised by stakeholders in response were: information made sensitive by context; financial information; and biometric information.
Information made sensitive by context
6.97 In its submission to the Inquiry, the NHMRC stated that:
6.98 The Canadian Personal Information Protection and Electronic Documents Act 2000 states that:
6.99 The NHMRC suggested that the categories of information included in the definition of ‘sensitive information’ might be amended by regulation to provide some flexibility.[110] The CSIRO suggested that sensitive information should include ‘culturally sensitive data’ or other data deemed to be sensitive by the data provider.[111]
6.100 The Queensland Government Commission for Children and Young People and Child Guardian noted that:
6.101 DLA Phillips Fox, however, suggested that:
ALRC’s view
6.102 The ALRC recognises that personal information can become more or less sensitive because of the context in which it is considered and notes that this can apply to almost any personal information. The definition of ‘sensitive information’, however, should not be amended to include information made sensitive by context. On balance, the existing approach of listing categories of information as sensitive provides greater certainty. This is important because the Privacy Act imposes stringent requirements for handling sensitive information.
6.103 In particular, the Privacy Act and the model UPPs provide that sensitive information should generally be collected with consent and should be used only for the purpose for which the information was collected or a directly related secondary purpose. This regime is significantly different to the regime regulating the handling of other personal information, which can be collected without consent and used and disclosed for a broader range of purposes. It is important to be clear about what information is covered by the more stringent requirements.
Financial information
6.104 A number of stakeholders suggested that sensitive information should include financial information,[114] while others described consumer credit information as sensitive.[115] The OPC stated that:
6.105 Legal Aid Queensland, however, noted in its submission:
6.106 A number of other stakeholders were of the view that financial information should not be included in the definition of ‘sensitive information’.[118]
ALRC’s view
6.107 Financial information should not be included in the definition of ‘sensitive information’ in the Privacy Act. Financial information is sensitive in some respects and does require appropriate handling, for example, appropriate security. Financial information has a number of characteristics, however, that set it apart from the categories of information currently included in the definition of sensitive information. In particular, it does not relate to the physical attributes or personal beliefs of the individual in the same way as other information currently defined as sensitive.
6.108 In addition, agencies and organisations often have a legitimate interest in an individual’s financial information, for example, in relation to providing credit. Such information is necessary to the functions and activities of agencies and organisations in order to protect the interests of all parties to transactions. The Privacy Act already recognises that personal information relating to credit can be prejudicial and should only be collected, used and disclosed in appropriate circumstances. The Act provides a range of safeguards in relation to credit reporting that are discussed in detail in Part G. It is important to note, however, that these safeguards are not the same as the safeguards provided in relation to ‘sensitive information’. For example, the credit reporting provisions do not require consent for the collection of credit information.
Biometric information
6.109 Biometric information can be ‘personal information’ for the purposes of the Privacy Act in some circumstances, that is, where an individual’s identity is apparent or can reasonably be ascertained from the information.[119] A number of stakeholders suggested that biometric information, like genetic information, should be accorded the higher protection provided by the Privacy Act in relation to ‘sensitive information’.[120] Concern has been expressed that biometric technologies, such as facial recognition technologies, may be used to identify individuals without their knowledge or consent,[121] and that biometric information could reveal other sensitive personal information, such as information about a person’s health, racial or ethnic origin or religious beliefs.[122]
6.110 The Biometrics Institute describes the nature of biometric technology as follows:
6.111 As discussed in Chapter 9, in a typical biometric system a biometric device, such as a finger scanner, is used to take a biometric sample from an individual. Data from the sample are then analysed and converted into a biometric template, which is stored in a database or an object in the individual’s possession, such as a smart card. Later biometric samples taken from the individual can then be compared to the stored biometric template to identify the individual (identification, or one-to-many matching) or to attempt to verify that an individual is who he or she claims to be (verification, or one-to-one matching).
6.112 Recognising some of the special sensitivities around the use of biometric technology, the Biometrics Institute, in consultation with the OPC, has developed a privacy code to regulate the handling of biometric information.[124] The code binds private sector organisations that apply to become Code Subscribers and whose applications are approved by the Biometrics Institute Board. To date, only four organisations have elected to be bound by the Code.
6.113 The Biometrics Institute Privacy Code includes a number of Supplementary Biometrics Institute Privacy Principles. One of the additional principles is similar in scope to the protection provided for ‘sensitive information’ by NPP 2.1(a):
6.114 In its submission to the Inquiry, the Health Informatics Society of Australia noted that:
6.115 The OPC expressed the view that
Discussion Paper proposal
6.116 In DP 72 the ALRC proposed that the definition of ‘sensitive information’ be amended to include: biometric information collected for the purpose of automated biometric authentication or identification; and biometric template information.[128] There was significant support for this proposal.[129]
6.117 A small number of stakeholders did not support the proposal.[130] The Australian Government Department of Defence did not support extending the definition of ‘sensitive information’ to include biometric template information.[131]
6.118 Professor Michael Wagner, of the National Centre for Biometric Studies at the University of Canberra, noted in correspondence to this Inquiry that biometric templates contain ‘all the salient information necessary to authenticate or identify a person’ and that ‘this will potentially include sensitive information related to age, gender, [and] health’. He stated that:
ALRC’s view
6.119 The definition of sensitive information should be amended to include certain biometric information. Biometric information shares many of the attributes of information currently defined as sensitive in the Privacy Act. It is very personal because it is information about an individual’s physical self. Biometric information can reveal other sensitive information, such as health or genetic information and racial or ethnic origin. Biometric information can provide the basis for unjustified discrimination.
6.120 The ALRC recognises that requiring consent to collect all biometric information may be impracticable. For this reason, the ALRC has limited the type of biometric information to be included in the definition of sensitive information—namely, biometric information collected for use in automated biometric verification and identification systems and biometric template information. This recommendation is intended to address the most serious privacy concerns around the handling of biometric information, for example, that such information may be used to identify individuals without their knowledge or consent.
6.121 The provisions of the Privacy Act relating to sensitive information do not currently apply to agencies. In Chapter 22, the ALRC recommends that the requirements in the model UPPs dealing with ‘sensitive information’ apply to both agencies and organisations.[133] The ALRC also recommends broadening the circumstances in which sensitive information may be collected without consent to include collection ‘required or authorised by or under law’ to meet concerns raised by agencies.[134] Where biometric information is to be collected by agencies, for example, for inclusion in automated biometric verification or identification systems, such as the ‘SmartGate’ automated border processing system,[135] such collection should be carried out on the basis of consent, or as required or authorised by or under law.
Sexual orientation and practices
6.122 In DP 72, the ALRC also suggested that the reference to ‘sexual preferences and practices’ in the definition of ‘sensitive information’ be changed to ‘sexual orientation and practices’.[136] This was on the basis that the term ‘sexual orientation’ is consistent with language used in recent federal legislation[137] and state and territory anti-discrimination and human rights legislation.[138] It also reflects modern usage. A number of stakeholders expressed support for this change.[139]
Recommendation 6–4 The definition of ‘sensitive information’ in the Privacy Act should be amended to include: (a) biometric information collected for the purpose of automated biometric verification or identification; and (b) biometric template information.
Recommendation 6–5 The definition of ‘sensitive information’ in the Privacy Act should be amended to refer to ‘sexual orientation and practices’ rather than ‘sexual preferences and practices’.