Sapna is a content writer at Sprintlaw. She has completed a Bachelor of Laws with a Bachelor of Arts. Since graduating, she has worked primarily in the field of legal research and writing, and now helps Sprintlaw assist small businesses.
If your business collects customer or employee details in Australia, you need to understand the difference between personal information and sensitive information under the Privacy Act 1988 (Cth). The rules are similar but not the same - and getting them wrong can lead to complaints, investigations or fines.
In this guide, we’ll break down what each term means in plain English, how the Australian Privacy Principles (APPs) treat them differently, and the practical steps you can take to handle both types of data lawfully and safely.
By the end, you’ll know what to collect, when you need consent, when you can use and share the information, and what documents and systems to put in place to stay compliant as you grow.
What Counts As Personal Information In Australia?
Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. It doesn’t matter whether the information is true or recorded in a material form - if someone can be identified from it, it’s personal information.
Common examples
- Names, addresses and email addresses
- Phone numbers and dates of birth
- Customer account details and order histories
- Employee records (with some limited exemptions for private sector employers)
- IP addresses and device identifiers if they can be linked to a person
Personal information covers a wide range of everyday data that most businesses handle. If you collect it, the APPs apply to how you collect, use, disclose, store and destroy it.
What Is Sensitive Information - And Why Is It Different?
Sensitive information is a special subset of personal information that attracts higher protections. Because it can reveal deeply personal facts, the Privacy Act treats it more strictly than general personal information.
Types of sensitive information
- Health information (e.g. medical history, test results, disability information)
- Biometric data (e.g. faceprints, fingerprints) and biometric templates
- Racial or ethnic origin
- Political opinions and membership of political associations
- Religious or philosophical beliefs
- Membership of professional or trade associations or trade unions
- Sexual orientation or practices
- Criminal record
Because the consequences of mishandling sensitive information can be serious, the default rule is stricter: you generally need the individual’s consent before collecting it, unless a limited exception applies (for example, certain health or safety situations, or where collection is required by law).
Key Differences Between Personal And Sensitive Information
1) Consent to collect
Personal information can often be collected without consent if it’s reasonably necessary for your business functions and you collect it by lawful and fair means.
Sensitive information generally requires express consent before collection, unless an exception applies. Express consent should be specific, informed, voluntary and current - think clear tick-boxes or signed consents rather than implied assumptions.
2) Use and disclosure
For personal information, you can usually use and disclose it for the purpose you collected it (the “primary purpose”) and for reasonably expected related secondary purposes, if this is explained in your Privacy Policy.
For sensitive information, use and disclosure is tighter. You normally need consent for secondary uses, unless another APP exception applies (e.g. serious threat to life, public health research with ethics approval, or legal requirements).
3) Direct marketing
Using personal information for direct marketing is allowed in certain circumstances, with opt-outs and transparency. Using sensitive information for direct marketing generally requires consent.
4) Security and access controls
All personal information must be secured, but sensitive information warrants extra safeguards. Stronger access controls, encryption, audit logs and shorter retention periods are common risk-based measures for sensitive data.
5) Data breach risk and notification
The Notifiable Data Breaches (NDB) scheme requires you to assess suspected data breaches and notify affected individuals and the OAIC if a breach is likely to result in serious harm. A breach involving sensitive information is more likely to be “eligible” and trigger notification, so prevention and response planning are crucial.
Do These Rules Apply To My Small Business?
Many small businesses with an annual turnover under $3 million are exempt from the Privacy Act. However, there are important exceptions - you will still be covered if you:
- Provide health services or hold health information
- Trade in personal information (buying or selling lists, profiling, etc.)
- Are a credit reporting body or handle tax file numbers
- Are a contractor to the Australian Government
In practice, lots of modern ventures collect customer data online and choose to comply anyway to build trust and support growth. If you’re not sure whether the APPs apply to you, it’s wise to speak with a data privacy lawyer and set up best-practice controls from day one.
How To Handle Personal Vs Sensitive Information In Your Business
Here’s a practical, step-by-step approach you can use to manage both types of data in line with the APPs.
Step 1: Map what you collect and why
List each data point you collect, where it comes from, whether it’s personal or sensitive, why you need it (your lawful purpose), where it’s stored, who can access it and how long you keep it. This “data map” underpins your compliance and helps you apply stricter rules to sensitive information.
Step 2: Minimise collection
Collect the least amount of information needed for your functions. If you don’t need sensitive information, don’t ask for it. If you must collect it, limit it to the essentials and keep it separate with enhanced controls.
Step 3: Be transparent and give notice
Tell people what you collect and why, how you will use and share it, and how they can access or correct their information. This is done through a clear, up-to-date Privacy Policy and a front-end Privacy Collection Notice at the point of capture (e.g. sign-up forms, checkout, onboarding).
Step 4: Get valid consent for sensitive information
If you collect sensitive information, obtain express consent. For health providers or membership organisations, capture signed or tick-box consent linked to your purpose (e.g. treatment, risk screening, member services). For clarity, use a short-form Privacy Consent Form when appropriate.
Step 5: Secure the data proportionately
Apply risk-based security. Strong passwords and MFA, encryption at rest and in transit, role-based access, and secure deletion processes should be standard. Sensitive information typically needs tighter controls, audit logs, and shorter retention periods. If you handle payment details, follow PCI-DSS and the specific requirements around storing credit card details.
Step 6: Set retention and deletion rules
Only keep information as long as you need it, then securely destroy or de-identify it. Document timeframes by category (e.g. marketing contact details vs. health records). Understanding Australia’s data retention laws will help you build sensible schedules without over-retaining riskier data.
Step 7: Manage processors and overseas disclosures
If you use third-party platforms or offshore services, you’re still responsible under the APPs. Put a robust Data Processing Agreement in place, perform due diligence on providers, and ensure appropriate transfer safeguards if data goes overseas.
Step 8: Prepare for incidents
Security incidents happen. Have a documented Data Breach Response Plan so you can quickly assess, contain and notify when required under the NDB scheme, especially if sensitive information is involved.
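Steps 1, 5, 6 and 7 above can be operationalised as a small script that runs over your data map. The following is an added example, not Sprintlaw’s own tool: the data-map structure, the field names, the retention periods and the sample records are all constructed for illustration, and the checks encode the article’s guidance (express consent for sensitive information, separation from general data, a Data Processing Agreement for processors, transfer safeguards for overseas disclosures, and destruction once the retention period has run) rather than any prescribed legal test.

```python
"""Data-map checks for personal vs sensitive information.

Added example: the inventory layout, field names, retention periods and
sample records below are constructed for illustration and are not taken
from the Privacy Act 1988 (Cth), the APPs or any Sprintlaw document.
"""
from datetime import date, timedelta

# Categories the article lists as sensitive information under the Privacy Act.
SENSITIVE_CATEGORIES = {
    "health", "biometric", "racial_or_ethnic_origin", "political",
    "religious_or_philosophical", "association_membership",
    "sexual_orientation", "criminal_record",
}

# Constructed data map (Step 1): one entry per data point the business collects.
# "category" is None for ordinary personal information.
DATA_MAP = [
    {"field": "email", "category": None, "purpose": "account login",
     "consent": False, "store": "crm", "retention_days": 730,
     "processor": "MailVendor", "processor_country": "US",
     "dpa": True, "transfer_safeguards": True},
    {"field": "medical_history", "category": "health", "purpose": "treatment",
     "consent": True, "store": "clinic_records", "retention_days": 2555,
     "processor": None, "processor_country": None,
     "dpa": None, "transfer_safeguards": None},
    {"field": "face_template", "category": "biometric", "purpose": "app unlock",
     "consent": False, "store": "crm", "retention_days": 365,
     "processor": "AuthCloud", "processor_country": "SG",
     "dpa": False, "transfer_safeguards": False},
]

# Constructed records: when each data point was collected for one individual.
RECORDS = [
    {"field": "email", "collected": date(2023, 1, 1)},
    {"field": "face_template", "collected": date(2024, 1, 1)},
    {"field": "medical_history", "collected": date(2020, 6, 1)},
]


def is_sensitive(entry):
    """True if the data-map entry falls into a sensitive category."""
    return entry["category"] in SENSITIVE_CATEGORIES


def audit_data_map(data_map):
    """Return (field, issue) findings for Steps 4, 5 and 7 of the article."""
    findings = []
    # Stores that hold ordinary personal information; sensitive data should
    # not share them (Step 5: keep it separate with enhanced controls).
    general_stores = {e["store"] for e in data_map if not is_sensitive(e)}
    for e in data_map:
        if is_sensitive(e):
            if not e["consent"]:
                findings.append((e["field"], "sensitive information collected without express consent"))
            if e["store"] in general_stores:
                findings.append((e["field"], "sensitive information stored alongside general personal information"))
        if e["processor"] and not e["dpa"]:
            findings.append((e["field"], "third-party processor without a Data Processing Agreement"))
        if e["processor_country"] not in (None, "AU") and not e["transfer_safeguards"]:
            findings.append((e["field"], "overseas disclosure without documented transfer safeguards"))
    return findings


def due_for_destruction(data_map, records, today):
    """Return fields whose retention period has run as at `today` (ISO string).

    Step 6: once the documented period for a category has passed, the record
    should be securely destroyed or de-identified.
    """
    as_at = date.fromisoformat(today)
    retention = {e["field"]: timedelta(days=e["retention_days"]) for e in data_map}
    return [r["field"] for r in records if r["collected"] + retention[r["field"]] <= as_at]


if __name__ == "__main__":
    for field, issue in audit_data_map(DATA_MAP):
        print(f"{field}: {issue}")
    print("due for destruction:", due_for_destruction(DATA_MAP, RECORDS, "2025-06-01"))
```

Run against the constructed map, the audit flags only the face template: no consent, stored in the general CRM, no Data Processing Agreement with the overseas provider and no transfer safeguards; the email field passes because its processor has both a DPA and safeguards in place, and the health record is consented and kept in its own store. The retention check reports the email and face template as due as at 1 June 2025, while the health record is still inside its longer documented period.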
Can I Use Personal Or Sensitive Information For Marketing?
Direct marketing rules depend on what information you’re using, where you got it, and the individual’s expectations.
- For personal information, you can often market if you collected it directly, provided clear opt-outs, and the person would reasonably expect it.
- For sensitive information, consent is generally required for marketing use.
On top of the Privacy Act, electronic messages must comply with the Spam Act. If you’re building a mailing list, be transparent at sign-up, respect opt-outs and ensure your notices align with your privacy settings and your Privacy Policy. If you’re promoting by email, it’s a good idea to re-check your approach against Australia’s email marketing laws.
Common Scenarios: Is It Personal Or Sensitive?
Health intake forms at a physio clinic
Contact details are personal information. Details about medical history, medications and injuries are sensitive health information. You’ll need express consent to collect and use the health details for treatment and related purposes. Use layered consents and stricter security controls for the health fields.
Staff equality and diversity survey
The survey may collect sensitive information about racial or ethnic origin, disability, religious beliefs or sexual orientation. Participation should be voluntary and anonymised where possible. If identifiable, you’ll need express consent and very limited use.
Face ID to unlock a workplace app
Facial templates are biometric information and usually treated as sensitive information. Consider a non-biometric alternative, get express consent if you proceed, store templates locally where possible, and apply strong safeguards and deletion rules.
Customer support ticket with a driver licence image attached
The image is personal information. If it reveals health or other sensitive attributes, treat those fields as sensitive and redact where possible. Limit access to staff with a strict need-to-know.
What Documents And Policies Should I Have In Place?
A solid privacy framework doesn’t need to be complicated. Focus on a few core documents tailored to your operations, and then train your team to follow them.
- Privacy Policy: Explains what you collect, why, how you use and disclose information, and how people can access, correct or complain.
- Privacy Collection Notice: The short notice you present at the point of collection (e.g. forms, checkout) so people understand what’s happening with their data.
- Privacy Consent Form: Used when you need express consent, especially for sensitive information or specific uses beyond the original purpose.
- Data Processing Agreement: Contract terms with service providers that process personal and sensitive information on your behalf.
- Data Breach Response Plan: Your step-by-step playbook for containing incidents and meeting NDB obligations.
- Information Security Policy: Sets technical and organisational measures (access control, encryption, incident response). This complements your privacy documents.
Depending on your industry, you may also need additional notices (for example, for children or health services) and content-specific consents (e.g. CCTV or biometric collection). Always match your documents to the actual data you collect and the way your systems work.
Practical Tips To Reduce Privacy Risk
- Collect less: If it’s not essential to your service, don’t ask for it. This is particularly important for sensitive information.
- Separate and secure: Store sensitive information in separate systems or repositories with stricter access controls and logs.
- Shorten retention: Keep sensitive information for the shortest period you reasonably need and then securely destroy or de-identify it, guided by the data retention laws that apply to your business.
- Train your team: Most incidents start with human error. Short, regular training on spotting phishing, handling IDs and escalation paths makes a big difference.
- Test your incident response: Run tabletop exercises on your Data Breach Response Plan so you can act quickly if something goes wrong.
- Check your vendors: Use a Data Processing Agreement and assess provider security and location before onboarding new tools.
Key Takeaways
- Personal information identifies a person; sensitive information is a special category (like health, biometrics or beliefs) that requires stricter handling and usually express consent.
- Use and disclosure rules are tighter for sensitive information, and breaches involving it are more likely to trigger notification under the NDB scheme.
- Map your data, minimise collection, give clear notices, and put stronger security and shorter retention around sensitive information.
- Core documents - a clear Privacy Policy, a front-end Privacy Collection Notice, a Data Processing Agreement and a Data Breach Response Plan - set the foundation for compliance.
- If you handle payment details, follow the specific rules around storing credit card details and prioritise encryption and access controls.
- Unsure whether the Privacy Act applies or how to tailor your documents? Getting advice from a data privacy lawyer early will help you set things up correctly and avoid costly rework.
If you’d like a consultation on handling personal and sensitive information in your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.