The treatment by private sector organisations of the personal information of current and former employees in their employee records is presently exempt from the majority of the obligations contained in the Australian Privacy Principles (APPs). That could be about to change as the Attorney General's report on the review of the Privacy Act flags significant amendments to the scope and effect of this "employee records exemption".
Any significant abrogation of the "employee records exemption" would require a significant rethink as to the handling of the personal information of current and former employees.
Current state of the law on employee records
A private sector organisation is exempt under section 7B(3) of the Privacy Act from having to comply with many of the APPs when dealing with their current and former employees' personal information. This exception for private sector organisations created a gap that was supposed to be (but was not) filled by State and Territory workplace relations legislation. There is no equivalent exemption for public sector agencies.
To fall within the employee records exemption, the personal information in question must directly relate to:
- a current or former employment relationship between the employer and the individual (but not prospective employees); and
- an "employee record" held by the organisation and relating to the individual.
An "employee record" is defined by section 6(1) of the Privacy Act as being a record of personal information relating to the employment of the individual. Examples include the terms and conditions of employment, records concerning salary and wages, records concerning the performance or conduct of the employee, and records relating to the termination of employment.
While the employee record exemption applies to an "employee record" held by the organisation and relating to the individual, it only applies once the personal information has been collected and stored in a record. This means that organisations are already under an obligation to collect the personal information of its employees in accordance with the APPs. This requires that private sector organisations collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities. If that personal information is also sensitive information (such as health information), then the private sector organisation must also obtain the individual's consent.
The proposed changes: limited extension of the privacy protections
The Report does not propose to remove the current employee record exemption from the Privacy Act entirely. Rather, the current proposal (which is subject to further consultation) is to amend the Privacy Act so that some of the privacy protections available to the public are made available to private sector employees. The key objectives of such amendments would be:
- Improving transparency about dealings with employee information – Transparency at all stages of the life cycle of personal information is seen as an important issue in many of the submissions received by the AG's Department. The nature of the employment relationship, technological developments and modern approaches to employment, such as working from home, all mean that employers handle ever increasing volumes of personal information about their employees. However, other submissions identified the differences between an employee-employer relationship and the typical consumer-data collector relationship. In particular, employers will hold personal information about the employee's performance and reviews/disciplinary action which few would argue should be made freely available to the employee concerned. As such, while pursuing transparency should be encouraged, overly narrowing the employee record exemption might risk damaging the employer-employee relationship to the benefit of neither.
- Collecting "reasonably necessary" information – Focus has been placed on the quantity and types of personal information collected from employees and whether this personal information is 'reasonably necessary' as required by APP 3.1. Of particular importance was the collection of sensitive information, such as health information. In this regard, the debate around the collection of COVID-19 vaccination status comes to mind. The nature of the employer-employee relationship complicates matters as the information collected may be required to properly administer the relationship and assist with the organisation's various workplace and administrative legal obligations.
- Improving information security – Despite commonly forming part of the data stolen by hackers, there is currently no strict requirement for employers to report the loss of their employee's personal information. Employees are at significant risk of harm if their information is inappropriately used or disclosed. Extending the existing Privacy Act requirements around security and notification to employee personal information may go a long way to fostering trust and confidence in how private sector employer's handle their employees' personal information.
- Preventing misuse of information and end of life processing – Allied to each of the key aims above is ensuring that employee personal information is protected from misuse, loss or unauthorised access (whether internally or externally) and that it is destroyed when it is no longer required. While it is proposed that employee personal information would need to be destroyed when it is no longer required, employers would need to remain cognisant of their other record keeping obligations.
Why are changes proposed?
Employee advocates have long argued that the absence of the protections afforded by the APPs in respect of use, disclosure, security and end of life handling of an employee's personal information highlights the need for enhanced protections. Their position is supported by recent research which identifies the need for further consideration of this issue, with 81% of Australians surveyed being unaware of the employee record exemption.
However, the nature and extent of the additional privacy obligations that may apply to the handling of private sector employee records has been identified as an issue requiring further consultation and consideration.
The Report recognises the potential compliance and administrative issues that a private sector organisation may face when handling an employee's personal information and the general desire to avoid the fragmentation of Australian privacy law for an individual in their private capacity and as an employee.
The Commonwealth Government's recent response to the Report indicates that it further engagement with entities and a comprehensive impact analysis is required before it makes a final decision to implement the proposals. Key areas for further consideration is how privacy and workplace relations laws should interact, and the interplay between the employee records exemption and the proposed new privacy obligations for small businesses.