Sensitive data are data that can be used to identify an individual, species, object, or location that introduces a risk of discrimination, harm, or unwanted attention. Major, familiar categories of sensitive data are:
Definitions
In Australia, in addition to the Commonwealth legislation, almost every state and territory has its own privacy legislation. The Office of the Australian Information Commissioner offers links to all this legislation.
The Commonwealth Privacy Act 1988 (Part II, Division I, Section 6) defines:
- personal information as “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.” Common examples are an individual’s name, address, telephone number, date of birth, bank account details and commentary or opinion about a person.
- identification information about an individual as: the individual’s full name, alias, date of birth, sex; current, last known or previous address or employer, or driver’s license number.
- identifier of an individual as a number, letter or symbol, or a combination thereof, that is used to identify or verify the identity of the individual, but does not include the individual’s name. For instance, an identifier of an individual may include a Medicare number or Hospital/Medical Record Number.
- de-identified as “personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable”.
De-identified information is no longer considered personal information under the Privacy Act 1988 and can be shared.
Publishing and sharing sensitive data
Publishing and sharing sensitive data (ANDS)
This comprehensive 26-page guide outlines best practice for the publication and sharing of sensitive research data in the Australian context. For a short overview see ANDS Introduction to Sensitive Data.
Ethical collection, storage and usage of data (Monash University)
The Australian National Data Service (ANDS) advises on issues to consider when dealing with sensitive data. Some of these are:
- If you plan to share the data, make sure you get informed consent for this from the research participants.
- Protect people's identities by anonymising data where needed.
- Consider controlling access to the data.
- Apply for an appropriate license if needed.
De-identification aims to allow data to be used by others without the possibility of individuals being identified. Data de-identification may be used to:
Data that is still identifiable (i.e. contains personal information) needs to be managed carefully, through access control and data security measures.
A visual guide to practical data de-identification