No matter what type of business you are, it’s likely you deal with personal or sensitive information. As such, you’ll need to consider relevant privacy obligations.
In the world of technology, it’s more important than ever to protect information while it is being transmitted and while it is in the hands of your business.
Australia has key laws around privacy for businesses, covered specifically by the Privacy Act 1988. One key distinction that the law covers is the difference between sensitive information and private information. This is because the nature of the information you handle will determine which laws will apply to you.
So, what exactly is the difference between personal information and sensitive information?
In this article, we will cover:
- What the Privacy Act is
- The difference between personal information and sensitive information
- Examples of personally identifiable information
- How businesses can comply with privacy laws
- Whether businesses can sell personal information
What Is The Privacy Act?
The Privacy Act 1988 is the primary legislation in Australia regulating the way information is handled by businesses and government organisations. It gives individuals the right to know how their information is being used, when it’s being collected, for what purposes and how long it will be stored for.
The Act also covers what is commonly known as the Australian Privacy Principles. The two regulations combine to protect the privacy of individuals and place strict regulations on agencies that collect the information of individuals.
For example, it sets out rules for how you should collect information, what to do if there is a breach of that information and consumers’ right to access such databases.
What Is Personal Information?
The rules set out in the Privacy Act apply to businesses who collect ‘personal information’. So, to understand what your privacy obligations are, you need to determine what personal information actually is.
Personal information refers to details or opinions about an individual that can be used to identify them (this is also referred to as ‘personally identifiable information’, which we’ll cover in more detail shortly).
An individual’s personal information is usually unique to them and can even be subject to change. Examples of personal information include:
- Place of residence
- Contact information
- Date and place of birth
- Financial details
- Passport number
If personal information is consensually handed out for the purposes of being sold or displayed in any kind of way, then it’s no longer personal. Essentially, everything boils down to consent; there’s more on this below.
What Is Sensitive Information?
Sensitive information, on the other hand, refers to information that can trigger prejudice or biases. Much like personal information, there’s a broad range of matters that can be considered sensitive information.
Information that can be considered sensitive includes:
- Gender identity or sexual orientation
- Political connections or preferences
- Criminal history
- Racial or ethnic background
- Health conditions
- Trade union membership
- Socio-economic status
It’s important to keep in mind that whether information is considered sensitive can be highly dependent on context.
Tom works at an investment bank that is located in a privileged area of town. Tom lives in the local area, however, he grew up in a different suburb that is underfunded and considered less desirable by his colleagues.
Tom has found they often make mean remarks about the side of town he’s from. Tom reports this behaviour to his bank’s Human Resources officer. In order to avoid any prejudices against him, Tom asks them to keep the place he grew up in private.
This would be considered sensitive information due to the bias it could lead to.
Oftentimes, the information by itself won’t be considered sensitive. However, if there are circumstances under which other people’s reactions could be negative based on the information, then it is likely to be regarded as sensitive information.
If your business is dealing with sensitive information, you’ll need to comply with certain privacy laws.
What Is Considered Personally Identifiable Information?
As we discussed above, personal information is information that can be used to identify a particular individual. Also referred to as personally identifiable information, it can be anything ranging from our age and geographical location to our name.
Privacy laws and principles have been aimed largely at keeping this information private. The consequences of not doing so can be rather serious, as it can make people susceptible to dangers such as fraud, scams and even harassment.
Sarah is doing online shopping when she signs up for a website that claims to offer discounts to some of her favourite stores. The website asks Sarah for details such as her name, address, and phone number.
Sarah enters them only to find out the website didn’t offer any valid discounts. She logs off and forgets about it; however, the next day Sarah begins to get inundated with emails and text messages for various advertisements.
Soon, she begins getting junk mail as well. Sarah later finds out that the website that falsely promised her discounts used her information to send her advertisements without her permission.
However, there is not always a clear distinction between private and sensitive information. As mentioned previously, context and consent play a huge role in defining types of information.
How Can I Comply With Privacy Laws?
It’s important to make sure you are complying with privacy laws to not only protect your customers, but your business as well. The exact methods to comply with privacy laws will depend on your individual business, so it’s best to seek the advice of a legal professional for this.
We’ve listed a few of the common ways businesses tend to comply with privacy obligations.
If your business is open to international customers, then it’s also important to comply with the privacy laws of all the other regions you operate in. For example, the European Union developed the General Data Protection Regulation (GDPR). The regulation sets out precise requirements for privacy policies, so ensure you’re well aware of them to avoid any serious consequences.
Website Terms And Conditions
A set of Website Terms and Conditions lists the duties and obligations of users upon entering your website and utilising its services. It clarifies the duties, liabilities and rights of the website’s owner as well.
Most websites will use terms and conditions regardless of whether they are selling something or not. This is because a website’s terms and conditions limit any liability in case something goes wrong, so it’s a good idea to have one in place.
Website terms and conditions can be catered to fit the needs of your business.
Claudia runs an online cake shop, where she makes her cakes to order and ships them out to her customers. Claudia clearly states in her terms and conditions that users must agree to read the ingredients carefully, prior to purchasing from her store.
The terms and conditions for Claudia’s website limit her liability in case a person does not read the ingredients properly and consumes something that is potentially harmful to them.
Terms and conditions are often paired with Cookie Policies and Privacy Policies, however, the ones you will need will depend heavily on your individual business. It’s worth chatting to a lawyer who can assess your business’ needs and guide you through your legals – our team is always happy to help.
How Do I Know If The Privacy Act Applies To My Business?
As mentioned above, if your business deals with any kind of personal information, then it’s likely your business is covered under the Privacy Act or the Australian Privacy Principles.
However, there are some exceptions.
The general rule is that if you handle personal information and your business has an annual turnover of more than $3 million, then the Act applies to you. However, even if your business is under this threshold, you may still need to comply with the Act if you handle health information or tenancy databases.
There are, in fact, a number of instances where the privacy laws may apply to a business – it’s worth going through this comprehensive list to ensure you’re compliant.
Do I Need A Data Breach Response Plan?
A Data Breach Response Plan is used in case data is leaked, lost or ends up in the wrong hands. The response plan is simply a well thought-out set of steps for reacting to a breach when it occurs, as well as the process for remedying the situation.
For example, it should set out how the breach will be contained, who is in charge of containing it and how to notify affected individuals.
Data breach response plans need to be in writing. All relevant employees should be familiar with the details of the plan as well as their role in it, such as who is to notify the Office of the Australian Information Commissioner (OAIC) of the breach (the best way to do this is to incorporate it into your onboarding process).
The plan must also detail what constitutes a data breach, the strategy for containing the breach and a way to record the incident. If you need help creating a data breach response plan, our legal team is happy to assist you!
Can I Sell Personal Information?
Selling or trading personal information involves giving away the information of other individuals for some kind of benefit, such as a monetary exchange.
Personal information can be sold, however, it needs to be done in accordance with the law. It’s important to tread carefully and discuss this with a legal professional to ensure you’re not breaking any regulations.
If you sell your business or purchase another business and the sale includes pre-existing information about customers or clients, then it is not considered selling or trading information.
This is due to the fact that the information still stays within the business despite the change of ownership.
Distinguishing between private and sensitive information is important, as it dictates what can and cannot be done with that information under the Act. The lines can get blurred and the legislation around it is rather heavy, so we recommend talking to our legal consultants if you have any further questions.
To summarise what we’ve discussed:
- The Privacy Act and Australian Privacy Principles are the key legal regulations for determining how information can be used by businesses
- Personal information can be used to identify an individual, such as an address
- Sensitive information can be used against a person, such as their gender identity
- The distinction between personal and sensitive can be influenced by consent and context
- Businesses have legal requirements to protect either kind of information
- Privacy policies, cookies, terms and conditions and data breach response plans are all ways that businesses can adhere to their legal requirements to protect information
If you would like a consultation on private and sensitive information, you can reach our friendly lawyers at 1800 730 617 or firstname.lastname@example.org for a free, no-obligations chat.