Privacy covers three main areas: personal information, sensitive information and confidential information.

Confidential information refers to any information or document that a business or individual wishes not to make public. It may include any information or documents about a business’s organisational structure, activities, operating procedures, products and services, intellectual property, trade secrets, finances, plans, transactions and policies.

The Privacy Act 1988 defines personal information as: “Information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.” A person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details will generally constitute personal information.

Sensitive information is a form of personal information that is more sensitive to the person’s personal identity, such as health, credit information and tax information. Information does not have to be explicitly recognised as personal information to constitute personal information under the Privacy Act. The types of information that are personal information are unlimited and can vary widely. It is worth noting that personal information can be covered under the Privacy Act even if the information is not correct. This is designed to help protect against the spread of rumours and slander about a person’s personal life, with the intent of discovering actual personal information.

Some information may not be personal information when considered on its own. However, when combined with other information held by (or accessible to) an entity, it may become ‘personal information’.  

Sensitive information is defined in the Privacy Act to mean information or an opinion about an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual preferences or practices; or
  • criminal record.


Sensitive information may only be collected with consent, except in specified circumstances. Consent is generally not required to collect ‘personal information’ that is not ‘sensitive information.’ Sensitive information must not be used or disclosed for a secondary purpose unless the secondary purpose is directly related to the primary purpose of collection and within the reasonable expectations of the individual. Sensitive information cannot be used for the secondary purpose of direct marketing.

Sensitive information cannot be shared in the same fashion as ‘personal information’.