In 2019, Diversity Council Australia conducted a survey of 3,000 Australian workers which revealed that 75% of those surveyed support their employer taking action to create a diverse and inclusive workplace. Diversity surveys have become an increasingly popular tool for employers to drive the diversity and inclusivity workers are after.

While the Racial Discrimination Act 1975 (Cth) (RDA) coupled with the Fair Work Act 2009 (Cth) (FWA) makes it unlawful for employers to treat an applicant or employee unfavourably by virtue of their race, colour or national or ethnic origin (section 9 of the RDA and section 351 of the FWA), employment law generally does not prevent employers from conducting diversity surveys. For certain agencies and organisations, diversity data must be collected in accordance the Privacy Act 1988 (Cth) (Privacy Act).

Under the Privacy Act, information or an opinion about an individual’s race, ethnicity, politic opinions, religion, sexuality, health, and genetic information is considered ‘sensitive information’. Sensitive information is a subsect of personal information. The Privacy Act including the 13 Australian Privacy Principles (APPs) regulates the collection of sensitive information and requires a higher level of privacy protection than other personal information.

For organisations and agencies subject to the Privacy Act, the collection of sensitive information including diversity data information must be:

  • In the case of an agency (as defined in section 6 Privacy Act) – reasonably necessary for, or directly related to, one or more of the agencies functions or activities (APP 3.3(i)). To be ‘directly related to’ one or more of the organisation’s functions or activities, a clear and direct connection must exist between the sensitive information being collected and a particular activity;
  • In the case of an organisation – reasonably necessary for one or more of the organisation’s functions or activities (APP 3.3(ii)); and
  • In all instances – collected ‘by lawful and fair means’ (APP 3.5). This means diversity data cannot be collected by spying, hacking or other illegal means.

In addition to these requirements, organisations may only ask individuals for and collect sensitive information if the individual consents to the sensitive information being collected, unless a relevant exception as set out in APP 3.4 applies (APP 3.3).

Employers cannot assume that employees automatically agree to participating in diversity surveys. Before collecting and handling sensitive information, including diversity data, employers must obtain express consent.


‘Consent’ is defined in the Privacy Act (section 6(1)). When collecting diversity data, employers must consider the following four key elements of consent:

  1. Adequate information: have you told the individual exactly what information you are collecting and what you are going to do with it?
  2. Voluntary: has the individual freely made the decision to agree to give you their personal information? Have they been put under any pressure, or told that they cannot, for example, access a particular service without agreeing to part with the requested diversity data?
  3. Current & specific: Have you asked the individual for their consent recently? And was it for this current purpose?
  4. Capacity: As far as you can tell (acknowledging you may have limited knowledge on which to decide), does the individual have capacity to agree to give you their information?

Sainty Law can assist your organisation to understand its obligations under the Privacy Act. Get in touch with us today.