Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Counts As Personal Information In Australia?
- What Is Sensitive Information (And Why It’s Treated Differently)?
- Personal Vs Sensitive: Practical Examples For Small Businesses
- What Are Your Legal Obligations Under The Privacy Act?
  - 1) Be Open And Transparent
  - 2) Only Collect What You Need (And Get Consent For Sensitive Data)
  - 3) Use And Disclose For The Right Reasons
  - 4) Direct Marketing And Cookies
  - 5) Keep Information Secure
  - 6) Manage Overseas Disclosures
  - 7) Plan For Data Breaches
  - 8) Don’t Keep Data Longer Than Needed
  - 9) Special Note On Employee Records
- How To Handle Information Safely: A Step-By-Step Approach
- Key Takeaways
Collecting customer details is part of running a modern business. But not all data is treated the same under Australian privacy law.
Understanding the difference between “personal information” and “sensitive information” matters because the law expects you to handle them differently. Get this right, and you build trust and reduce legal risk. Get it wrong, and you could face complaints, investigations or reputational damage.
In this guide, we’ll break down exactly what each term means under the Privacy Act 1988 (Cth), how the Australian Privacy Principles (APPs) apply, and what practical steps you can take to stay compliant as a small business in Australia.
What Counts As Personal Information In Australia?
Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. It doesn’t matter whether the information is true or recorded in a material form.
Common examples include:
- Names, addresses, email addresses and phone numbers
- Date of birth and gender
- Customer account details and order history
- IP address or device identifiers if they can reasonably identify someone
- Employment details, resumes and references
If a person can be identified (directly or indirectly) from what you collect, treat it as personal information.
It’s worth noting that privacy and confidentiality aren’t the same thing. Privacy is about how you collect, use and secure personal information under the law, while confidentiality is about keeping certain information secret under a contract or duty. If you’re comparing these concepts in your business, this quick explainer on the difference between privacy and confidentiality is a helpful starting point.
What Is Sensitive Information (And Why It’s Treated Differently)?
Sensitive information is a special subset of personal information that attracts stricter rules under the APPs. Because it can be highly private or carry a greater risk of harm if mishandled, the law usually requires express consent before collection or use.
Under the Privacy Act, sensitive information includes:
- Health information and medical records
- Genetic information, and biometric information used for automated verification or identification (including biometric templates)
- Racial or ethnic origin
- Political opinions or membership of a political association
- Religious or philosophical beliefs
- Membership of a professional or trade association, or a trade union
- Sexual orientation or practices
- Criminal records
Why the extra care? Sensitive information, if misused or disclosed, can cause discrimination, stigma or significant personal harm. That’s why, for most businesses, collecting it should be necessary for your functions and supported by clear consent (unless a narrow exception applies, such as where collection is required by law or needed to reduce a serious threat to life or health).
Personal Vs Sensitive: Practical Examples For Small Businesses
Let’s ground this in everyday scenarios so you can classify what you collect and apply the right rules.
- Online store signup: Name, email and delivery address are personal information. If you run optional customer surveys asking about ethnicity or disability status, those answers are sensitive information and need extra safeguards and consent.
- Fitness studio: Contact details, dates of attendance and payment history are personal information. Pre-exercise questionnaires about injuries, health conditions or medications are sensitive information (health information) and require express consent and stronger protection.
- Recruitment: CVs and contact details are personal information. Criminal history checks (where lawful) are sensitive information. You’ll also need a lawful basis to conduct the check.
- Marketing list: Email addresses and behavioural data (e.g. email opens) are personal information. If you infer religious beliefs or political opinions from browsing patterns, you may be handling sensitive information and should avoid this unless you have a very clear legal basis and consent.
- CCTV footage: Video of identifiable people is personal information. If you run facial recognition or other automated biometric matching on it, the biometric data and templates you generate are sensitive information.
If you collect both types, apply the stricter approach to the sensitive data set and keep the two logically separated in your systems where possible.
What Are Your Legal Obligations Under The Privacy Act?
Many small businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. However, there are important exceptions. For example, you’re covered if you’re a health service provider (even a small clinic), you trade in personal information, you’re a contracted service provider under a Commonwealth contract, or you handle certain regulated datasets (like Tax File Numbers or credit reporting information).
Even if you’re not technically covered, customers expect strong privacy practices, and future law reform may broaden coverage. Treat the APPs as best practice.
1) Be Open And Transparent
Under APP 1, you must manage personal information openly and transparently, which in practice means an accessible, up-to-date Privacy Policy on your website. APP 5 adds a notification duty: at or before the point of collection (e.g. checkout pages, forms or apps), give people a concise Privacy Collection Notice explaining what you collect, why, and who you share it with.
2) Only Collect What You Need (And Get Consent For Sensitive Data)
APP 3 requires that you collect personal information only where it’s reasonably necessary for your functions. For sensitive information, you generally need express consent unless a narrow exception applies.
3) Use And Disclose For The Right Reasons
Under APP 6, you should use or disclose personal information only for the primary purpose you collected it, or a related secondary purpose the person would reasonably expect. For sensitive information the threshold is higher: a secondary purpose must be directly related to the primary purpose and within the person’s reasonable expectations; otherwise you need express consent (or a specific exception).
4) Direct Marketing And Cookies
APP 7 sets rules for direct marketing, including the need to provide a simple opt-out. Sensitive information can’t be used for direct marketing without consent. If your website uses tracking technologies, set expectations transparently and consider publishing a clear Cookie Policy alongside your Privacy Policy.
If you send promotional emails or SMS, make sure you’re also complying with the Spam Act 2003 (Cth), which governs commercial electronic messages (consent, sender identification and a functional unsubscribe mechanism).
5) Keep Information Secure
APP 11 requires you to take reasonable steps to protect the data you hold from misuse, interference, loss, and unauthorised access, modification or disclosure. Practical measures include access controls, encryption, role-based permissions, and regular training.
It’s good practice to document your approach in an Information Security Policy, especially if you handle sensitive information or work in regulated industries.
6) Manage Overseas Disclosures
If you disclose personal information overseas (for example, by using offshore cloud services), APP 8 requires you to take reasonable steps beforehand to ensure the recipient does not breach the APPs, and you can be held accountable for the recipient’s mishandling as if it were your own. Use contracts, due diligence and technical safeguards to ensure comparable protection.
7) Plan For Data Breaches
Under the Notifiable Data Breaches scheme, you must assess a suspected eligible data breach (the assessment is expected to be completed within 30 days) and, if the breach is likely to result in serious harm to any affected individual, notify those individuals and the OAIC as soon as practicable. Prepare, test and maintain a Data Breach Response Plan so you can act quickly under pressure, and check whether other regimes (for example, industry or contractual rules) impose additional notification obligations.
8) Don’t Keep Data Longer Than Needed
APP 11.2 expects you to securely destroy or de-identify personal information when you no longer need it (and aren’t required by law to keep it). A clear policy that aligns with data retention laws will help your team make consistent decisions.
9) Special Note On Employee Records
Private sector employers have a limited exemption for “employee records” when directly related to the employment relationship. However, this is narrow and doesn’t apply to job applicants or contractors. Many businesses still follow APP best practices for staff data to meet expectations and prepare for potential law reform.
How To Handle Information Safely: A Step-By-Step Approach
Here’s a practical workflow you can apply, whether you’re collecting contact details or managing sensitive health information.
Step 1: Map What You Collect And Why
List every touchpoint where you collect data (website, app, forms, POS, phone, third-party platforms) and note the data types. Separate personal from sensitive information, and make sure each item is reasonably necessary for your business functions.
Step 2: Set Your Legal Basis (Consent vs Other Grounds)
For most personal information, you’ll rely on necessity and reasonable expectation. For sensitive information, build a consent process that’s voluntary, informed, current and specific. Consent should be as easy to withdraw as it is to give.
Step 3: Draft Clear Notices And Policies
Make your Privacy Collection Notice short and specific to each form or flow. Keep your website’s Privacy Policy comprehensive but readable. If you collect sensitive information, explain why, how you’ll protect it and who (if anyone) you share it with.
Step 4: Tighten Your Security Controls
Use multi-factor authentication, least-privilege access, secure devices, and vendor due diligence. Document roles and responsibilities in an Information Security Policy and train staff, especially anyone handling sensitive information.
Step 5: Set Vendor And Overseas Data Rules
If a third party processes data for you (e.g. CRM, marketing automation, cloud hosting), lock in privacy and security obligations in a Data Processing Agreement. For overseas transfers, confirm where the data sits and the safeguards in place.
Step 6: Align Marketing And Cookies
Build consent and opt-out tools into your forms and email flows so you meet APP 7 and Australia’s email marketing laws. If you run analytics or ad tags, publish a simple, accurate Cookie Policy and provide choices where possible.
Step 7: Prepare For Breaches And Retention
Create a playbook for breach identification, assessment and notification using your Data Breach Response Plan. Finally, set timeframes for securely deleting or de-identifying data in line with data retention laws and any industry rules.
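The seven steps above, together with the earlier advice to keep personal and sensitive data logically separated, lend themselves to being expressed as code rather than only as policy. The following is an added example written for this article, not Sprintlaw’s own tooling or a library API: it classifies every stored field up front (Step 1), refuses to store a sensitive field without recorded express consent (Step 2), gives each role only the field classes it is granted with deny-by-default for everything else (Step 4), and sweeps records past their retention period, destroying sensitive fields and de-identifying what little personal data is kept (Step 7). The fitness-studio field names, the roles, the retention periods, the HMAC-based suppression token and the sample member record are all assumptions constructed for the demonstration, not figures from the Privacy Act.

```python
"""Added example: classification-driven access control and retention for a
small customer dataset. All field names, roles, retention periods and the
member record below are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import hmac

PERSONAL = "personal"
SENSITIVE = "sensitive"

# Step 1: the data map. Every stored field is classified before it is used.
FIELD_CLASS = {
    "name": PERSONAL,
    "email": PERSONAL,
    "injuries": SENSITIVE,     # health information
    "medications": SENSITIVE,  # health information
}

# Step 4: least privilege. A role sees only the classes it is granted;
# unknown roles get nothing because lookups default to the empty set.
ROLE_ACCESS = {
    "front_desk": {PERSONAL},
    "trainer": {PERSONAL, SENSITIVE},
    "marketing": {PERSONAL},
}

# Step 7: retention after last contact, in days (assumed policy values).
RETENTION_DAYS = {PERSONAL: 730, SENSITIVE: 365}


@dataclass
class Record:
    member_id: str
    last_attended: date
    consent_sensitive: bool  # express consent captured at collection time
    data: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def store(record, name, value):
    """Step 2: refuse unclassified fields, and sensitive fields without consent."""
    if name not in FIELD_CLASS:
        raise KeyError(f"unclassified field {name!r}: add it to the data map first")
    if FIELD_CLASS[name] == SENSITIVE and not record.consent_sensitive:
        raise PermissionError(f"no express consent to collect {name!r}")
    record.data[name] = value


def read(record, role):
    """Return only the fields this role may see, and log which ones it saw."""
    allowed = ROLE_ACCESS.get(role, set())
    view = {k: v for k, v in record.data.items() if FIELD_CLASS[k] in allowed}
    record.audit.append((role, sorted(view)))
    return view


def deidentify_email(email, key):
    """Keyed hash of a normalised address. The token still works for a
    marketing suppression list but cannot be reversed without the key, which
    must live outside the dataset and be destroyed when that purpose ends."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def apply_retention(record, today, key):
    """Destroy or de-identify fields whose retention period has lapsed.
    Sensitive fields are always destroyed; of the personal fields only the
    email survives, replaced by its keyed token. Returns the fields touched."""
    age_days = (today - record.last_attended).days
    actioned = []
    for name in list(record.data):
        cls = FIELD_CLASS[name]
        if age_days <= RETENTION_DAYS[cls]:
            continue
        if cls == PERSONAL and name == "email":
            record.data[name] = deidentify_email(record.data[name], key)
        else:
            del record.data[name]
        actioned.append(name)
    return actioned


def demo():
    """Constructed walk-through of one member record across two years."""
    key = b"example-suppression-key"  # assumption: held separately from the data
    rec = Record("m-001", date(2024, 1, 15), consent_sensitive=True)
    store(rec, "name", "Test Member")
    store(rec, "email", "Test.Member@example.com")
    store(rec, "injuries", "left knee")
    desk_view = read(rec, "front_desk")      # personal fields only
    trainer_view = read(rec, "trainer")      # personal and health fields
    unknown_view = read(rec, "unknown")      # denied by default: empty
    after_year_one = apply_retention(rec, date(2025, 3, 1), key)  # injuries destroyed
    after_year_two = apply_retention(rec, date(2026, 3, 1), key)  # name destroyed, email tokenised
    return desk_view, trainer_view, unknown_view, after_year_one, after_year_two, rec


if __name__ == "__main__":
    print(demo())
```

The point of the sweep is that retention is driven by the classification, not by whoever happens to remember a record exists: a sensitive field that outlives its period is deleted regardless of what else is on the record, and the only personal value retained is one that no longer identifies anyone without a key held elsewhere. The audit trail in `read` gives you the evidence of who saw sensitive data if a breach assessment is ever needed.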
Key Takeaways
- Personal information identifies someone, while sensitive information is a higher-risk subset (like health, biometrics, beliefs or criminal records) that usually requires express consent.
- Apply the Australian Privacy Principles even if you’re a small business: customers expect it, and many small businesses are covered by the Privacy Act anyway because of specific activities or data types.
- Be transparent with a clear Privacy Policy and collection notices, and only collect data you truly need for your functions.
- Use stronger safeguards for sensitive information, including consent, tighter access controls, and careful rules for use, disclosure and retention.
- Lock down your ecosystem: secure your systems, set vendor obligations with a Data Processing Agreement, and plan for breaches with a tested response plan.
- Build privacy into everyday operations (consent flows, marketing opt-outs, cookie settings and deletion schedules) so compliance is consistent and scalable.
If you’d like a consultation on handling personal and sensitive information in your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.