Personal Data (Personal Information)
The Privacy Act defines personal data (referred to in the Privacy Act as “personal information”) to be “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not”.
Information about legal entities is not considered personal unless the information identifies specific individuals.
Sensitive personal data (Sensitive information)
Sensitive information includes:
- information or an opinion about an individual, that is also personal information, in respect to his/her racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record;
- health information or genetic information about an individual;
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates.
Sensitive information about an individual can only be collected if:
- the data subject consents to the collection and if the information is reasonably necessary for one or more of the entity’s functions or activities;
- the collection is required or authorised under an Australian law or a court/tribunal order;
- a permitted general or health situation exists;
- the organisation is an enforcement body and the collection is reasonably necessary for the entity’s functions or activities; or
- the organisation is a non-profit organisation and the information relates to both its activities and its members.
An organisation may only use or disclose sensitive data for a purpose other than the primary purpose of collection if:
- the secondary purpose is directly related to the primary purpose of collection and such use or disclosure might reasonably be expected by the data subject; or
- the data subject has consented; or
- the use or disclosure is authorised or required under law; or
- another exception exists.
The Privacy Act 1988 establishes that “consent means express consent or implied consent”.
When used in relation to the sending of an electronic message, according to the Spam Act, consent means express consent; or consent that can reasonably be inferred from both the conduct and the business and other relationships of the individual or organisation concerned. The consent of the relevant electronic account-holder cannot be inferred from the mere fact that the relevant electronic address has been published, with some exceptions set out by the Spam Act.
When used in relation to the making of a telemarketing call or the sending of a marketing fax, consent means the express consent, or the consent that can reasonably be inferred from the conduct, and the business and other relationships of the individual or organisation concerned. If express consent is given and it is not expressed to be for a specified period or for an indefinite period, the consent is taken to have been withdrawn at the end of the period of 3 months from the day on which the consent was given. The consent may not be inferred from the mere fact that the number has been published.
The Privacy Act 1988 (Privacy Act) protects an individual’s personal information regardless of their age.
An organisation handling the personal information of an individual under the age of 18 must decide if the individual has the capacity to consent on a case-by-case basis. As a general rule, an individual under the age of 18 has the capacity to consent if they have the maturity to understand what’s being proposed. If they lack maturity, it may be appropriate for a parent or guardian to consent on their behalf.