For many Australian not-for-profit organisations, your website is the first point of contact with potential clients, donors, or volunteers. It’s tempting to ask for all the information you think you’ll need upfront—especially if you anticipate providing personalised services later. But collecting too much Personally Identifiable Information (PII) or sensitive data too early can create unnecessary risk and even breach Australian privacy law.
What is PII and sensitive information?
PII refers to any data that can identify an individual, such as names, addresses, phone numbers, or email addresses. Australian law uses the term "personal information" for this, and it also covers information or opinions about a person who is reasonably identifiable from the data, not only direct identifiers.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), sensitive information is a defined subset of personal information that includes details about health, racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, and criminal records, as well as genetic and biometric information. It attracts stricter rules for collection, use, and disclosure.
The legal obligation
APP 3 states that organisations must only collect personal information that is reasonably necessary for one or more of their functions or activities. For sensitive information, you generally also need the individual's consent, and the information must still be reasonably necessary, unless an exception applies (such as lessening or preventing a serious threat to life, health, or safety).
Collecting PII “just in case” or “because we might need it later” does not meet this standard.
Why collecting too much too soon is a problem
- Compliance risk: Gathering unnecessary PII or sensitive data can breach APP 3 and APP 5 (notification requirements), exposing your organisation to regulatory action.
- Security risk: The more sensitive PII you hold, the bigger the target you become for cybercriminals, and the more likely a compromise of your website or mailbox is an eligible data breach that you must notify to affected individuals and the OAIC under the Notifiable Data Breaches scheme.
- Trust risk: Asking for health or financial details, or details about children such as dates of birth, on a simple enquiry form can feel intrusive and discourage engagement.
Best practice: Progressive disclosure
Instead of front-loading your forms with sensitive questions:
- Start simple: Collect only the PII you need to respond—usually name, email, and a brief message.
- Build trust first: Sensitive details can be gathered later, during a secure conversation or through your internal systems.
- Keep it off the website: If you must collect sensitive PII, do it through secure channels and store it in your organisation’s systems, not in your website’s CMS database or email inbox. Most form plugins keep a copy of every submission in the CMS database and send another copy by email, so a single compromised site or mailbox exposes everything ever submitted.
Action steps for your organisation
- Audit your forms: Check every form on your website. Are you asking for PII you don’t need yet?
- Remove unnecessary fields: If it’s not essential at this stage, leave it out.
- Update your privacy policy: Make sure it clearly explains what PII you collect, why, and how it’s used/disclosed.
- Train your team: Ensure staff understand the principle of data minimisation and the risks of over-collection.
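One way to make the form audit repeatable, as an added example that is not from the original article: the script below parses the HTML of a page with Python's standard library, lists every user-facing field in each form, and flags fields whose names look like sensitive information (health, date of birth, ethnicity, religion, criminal record, financial or government identifiers) or that go beyond the minimal name/email/message enquiry set. The minimal field list, the name patterns, and the sample form are assumptions constructed for this example, a starting heuristic rather than a legal test; review the output by hand.

```python
"""Audit web-form fields for over-collection of personal information.

Added example, not code from the original article. Parses HTML forms and
reports every field that looks sensitive or goes beyond a minimal enquiry
form. Field-name patterns, the minimal field set, and the sample form are
constructed assumptions for this example.
"""
import re
from html.parser import HTMLParser

# Tokens a first-contact enquiry form reasonably needs (assumption).
MINIMAL_TOKENS = {"name", "email", "message"}

# Field-name patterns suggesting sensitive or high-risk data (assumption:
# a heuristic starting point, not the Privacy Act definition).
SENSITIVE_PATTERNS = {
    "health": r"health|medical|diagnos|disab|medicat",
    "date of birth / age": r"\bdob\b|birth|\bage\b",
    "ethnicity": r"ethnic|\brace\b|racial|aborig|indigen",
    "religion": r"relig|faith",
    "sexual orientation": r"sexual|orientation",
    "criminal record": r"crimin|convict|offence",
    "financial": r"\bbank\b|\bbsb\b|account|\bcard\b|income|salary|\btfn\b",
    "government identifier": r"medicare|passport|licen[cs]e",
}

# Constructed sample page: an enquiry form that collects too much too soon.
SAMPLE_PAGE = """
<form id="enquiry" action="/contact" method="post">
  <input type="text" name="first_name" required>
  <input type="email" name="email" required>
  <textarea name="message"></textarea>
  <input type="tel" name="phone">
  <input type="date" name="child_dob" required>
  <select name="health_condition"><option>None</option></select>
  <input type="text" name="bank_account">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Send">
</form>
"""


def _words(name):
    """Lower-case a field name and split camelCase/snake-case into words."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


class FormFieldParser(HTMLParser):
    """Collect every user-facing field, keyed by the form it belongs to."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as `required` map to None
        if tag == "form":
            self.current_form = a.get("id") or a.get("action") or "<form>"
        elif tag in ("input", "select", "textarea") and self.current_form:
            if a.get("type") in ("submit", "hidden", "button", "reset"):
                return  # not data entered by the visitor
            self.fields.append({
                "form": self.current_form,
                "name": (a.get("name") or a.get("id") or "").strip(),
                "type": a.get("type") or tag,
                "required": "required" in a,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def classify(field_name):
    """Return the sensitive-data categories a field name appears to match."""
    text = _words(field_name)
    return [cat for cat, pat in SENSITIVE_PATTERNS.items() if re.search(pat, text)]


def audit_forms(html):
    """Return one finding per field: status is 'sensitive', 'review' or 'ok'."""
    parser = FormFieldParser()
    parser.feed(html)
    findings = []
    for field in parser.fields:
        categories = classify(field["name"])
        tokens = set(_words(field["name"]).split())
        if categories:
            status = "sensitive"       # needs consent + necessity, keep off site
        elif tokens & MINIMAL_TOKENS:
            status = "ok"              # part of the minimal enquiry set
        else:
            status = "review"          # not sensitive, but is it needed now?
        findings.append({**field, "status": status, "categories": categories})
    return findings


def report(findings):
    """Human-readable lines, worst findings first."""
    order = {"sensitive": 0, "review": 1, "ok": 2}
    lines = []
    for f in sorted(findings, key=lambda x: order[x["status"]]):
        flag = "REQUIRED " if f["required"] else ""
        cats = f", categories: {', '.join(f['categories'])}" if f["categories"] else ""
        lines.append(f"[{f['status']:>9}] {f['form']}: {flag}{f['name']} ({f['type']}){cats}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_forms(SAMPLE_PAGE))))
```

Run it against the saved HTML of each page that carries a form (for example `audit_forms(open("contact.html").read())`); anything reported as `sensitive` is a candidate for removal from the website entirely, and `review` fields are the ones to justify under APP 3 or drop.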
Final thoughts
Collecting less PII upfront isn’t just about compliance—it’s about protecting your organisation and the people you serve. By following the APPs and adopting a “privacy-first” mindset, you’ll reduce risk, build trust, and keep your focus where it belongs: on your mission.
For more information see https://www.oaic.gov.au/privacy/australian-privacy-principles