Privacy Act

What types of data are protected by the Privacy Act?

The Privacy Act regulates the way in which APP entities handle ‘personal information’. There are sub-sets of personal information, namely ‘sensitive information’ and ‘health information’, that are subject to a higher level of protection than personal information, about which it is advisable to obtain specialist legal advice.

Personal Information

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable. It does not matter whether the information or opinion is true or whether the information or opinion is recorded in a material form.

Common types of personal information are an individual’s name, address, telephone number, date of birth, signature, medical records, bank account details and employment details.

Whether a person is ‘reasonably identifiable’ from particular information will depend on a range of considerations, including:

  • the nature and amount of information;

  • the circumstances of its receipt;

  • who will have access to the information;

  • other information held by or available to the APP entity that holds the information;

  • whether it is possible for the individual or entity that holds the information to identify the individual using available resources, as well as the practicability, time and costs involved in using the available resources; and

  • if the information is publicly released, whether a reasonable member of the public who accesses that information would be able to identify the individual.

The Privacy Act does not apply to a deceased person, although it is possible that information about a deceased person may also constitute personal information about a living person, for example, if the deceased person suffered from a genetic disorder.

Images

Images of individuals in photographs or videos are personal information where the person’s identity is clear or can reasonably be worked out from that image. Images of individuals may also contain sensitive information if, for example, the person’s race or ethnic origin or religious beliefs are apparent from the image. An APP entity may only collect images of identifiable individuals if it is reasonably necessary for the organisation’s functions or activities. Consent will be required to collect the image if the image also records sensitive information.

De-identification

Personal information that has been ‘de-identified’ will no longer constitute personal information for the purposes of the Privacy Act. De-identification occurs if the individual to whom the information relates is no longer identifiable or reasonably identifiable from the information. It requires the removal of personal identifiers, such as an individual’s name, address or date of birth and the removal or alteration of other information that may allow an individual to be identified.

If you are engaging in de-identification, it is important to be aware of the risk of re-identification. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. This risk must be actively assessed and managed when dealing with de-identified information.

Sensitive Information

Sensitive information under the Privacy Act means:

  • information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious belief or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record if that is also personal information;

  • health information about an individual;

  • genetic information about an individual that is not otherwise health information;

  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

  • biometric templates.

Health Information

Health information under the Privacy Act means personal information about:

  • the health or a disability (at any time) of an individual;

  • an individual’s expressed wishes about the future provision of health services to him or her;

  • a health service provided, or to be provided, to an individual;

  • other personal information collected to provide, or in providing, a health service;

  • other personal information about an individual collected in connection with the donation or intended donation by the individual of their body parts, organs or body substances; or

  • genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Examples of health information include information about a person’s physical or mental health, appointment and billing details, dental records, records held by a fitness club about an individual and any other personal information collected for the purpose of providing a health service.


For more information, please contact Gavin McInnes on 07 3367 8681 or gmcinnes@grmlaw.com.au.

The information contained in this article is general in nature and cannot be regarded as anything more than general comment. Readers of this article should not act on the basis of this comment without consulting one of GRM LAW's legal practitioners, who will consider their particular circumstances.

Expertise

GRM LAW has a wide range of experience assisting companies in all aspects of business, corporate and IT law.

Not only will you find that GRM LAW is likely to have assisted someone in your exact situation, but you’ll find that a GRM LAW lawyer can distill a complex legal issue into a set of actionable options for you to consider.
