Australia – June 2026

The Office of the Australian Information Commissioner’s (OAIC) determinations against Medmate Australia Pty Ltd (Medmate) and Monash IVF Pty Limited (Monash) demonstrate the expectation for health-focused websites to treat sensitive

Background

Both Medmate and Monash are organisations which provide health services to Australian individuals, including through their websites. Over the period covered by the determinations, both Medmate and Monash deployed tracking pixels on their websites. When an individual visits a website where a tracking pixel has been deployed by the

Depending on the parameters set by the organisation who deploys the website, different kinds of information about an individual’s website activity will be disclosed to the third-party pixel provider, from the details of the webpage viewed by the individual (i.e. URL, domains visited and metadata

The determinations found that Medmate and Monash tracked online users on their websites and collected, used and disclosed to third parties sensitive information without those users’ consent, as required by APPs 3.3 and 7.1, and without taking steps to notify individuals, as required by APP 5.1. The findings are specific to sensitive information and not everything will be relevant to organisations who capture personal information through tracking technologies. However,

To see the determinations in full, please visit (the Medmate Determination) here, and (the Monash Determination) here.
Key findings

In the Medmate determination, the OAIC briefly mentions that Medmate has undertaken a review of their “contractual arrangements with external marketing agencies”.4 We strongly recommend that all organisations who engage third parties to collect personal information on their behalf (whether through marketing or other arrangements) review

Below are the key findings that we have gleaned from the Medmate and Monash Determinations:

A website operator is responsible for collecting data

In its updated guidance on APP 32, the OAIC clarifies that two entities may collect the same personal information at the same time. Whether the entity with “control”, but not possession is taken to collect personal information will depend on the contractual arrangements in place. The Medmate and Monash Determinations put this statement

Data collected through a tracking pixel will typically

Under the Privacy Act, “personal information” includes information, or an opinion about an individual who is “reasonably identifiable” from such information (or opinion).5 While Medmate and Monash argued that they could not

Insight – The Privacy Act does not (yet) distinguish between controllers and processors of personal information, but these determinations suggest that in practice, the OAIC will distinguish between the responsibilities held by organisations, depending on each organisation’s role. Where a website operator

“…the definition of personal information does not expressly require that an individual be specifically identifiable, or identifiable by direct identifiers such as

The OAIC took a similar position in relation to hashed email addresses and phone numbers, when submitted with URLs as

Particularly relevant to the ad tech context, the OAIC found that “reasonably identifiable” applies to circumstances where information facilitates “individuation”: i.e.
circumstances where an organisation can single out an individual from others in a way that affects their rights and interests, even if such information does not include or cannot be easily combined with the individual’s direct identifiers (such as

In these determinations, the tracking pixel collected,

For the OAIC, both Medmate and Monash had configured the tracking pixel to collect sensitive information. In part, this is because of the nature of both organisations’ websites, which clearly provide health services to individuals. At a high level, “sensitive information” includes information or an opinion

Both websites used tracking pixels to collect and log information about an individual’s engagement with a health service provider’s website. In the view of the OAIC, this could constitute either health information about an individual or allow inferences or opinions to be made about that individual’s health, as it demonstrates their interest

While the OAIC admits that this is a novel approach, the finding remains in keeping with the Privacy Act and, particularly, the revisions to the definition of “personal information” in 2012 to ensure that the term was “sufficiently flexible and technologically-neutral to encompass changes in the way that information that identifies an individual

Insight – The OAIC’s interpretation of “sensitive information” is expansive, particularly in the case of Medmate, which provided a variety of health services to individuals. Specifically, sensitive information includes a user’s visit to specific sections of a health website, even where the visit may not reveal the individual’s precise health condition. Again, the driver behind the OAIC’s in