Fortuitously coinciding with the recent spate of amendments to the Privacy Act 1988 (Cth) (Privacy Act) in late 2022 following several high-profile data breaches involving the exposure of tens of millions of individuals’ data, the Privacy Act Review Report 2022 (Privacy Review Report) is the culmination of two years of extensive inter-agency consultation regarding the protection of an individual’s information in the digital age. One major recommendation, which to date has gone largely overlooked, is the repeal or rollback of the ‘employee records exemption’. Should this exemption be amended, employers will be required to pivot quickly to ensure compliance with privacy obligations with respect to their employees.

Key message for employers

In the likely event that the current exemptions in the Privacy Act and the Fair Work Act 2009 (Cth) (Fair Work Act) are wound back or removed entirely, employers should immediately be prepared to:

  • audit all types of employee personal and sensitive information held
  • be able to justify why each type of personal or sensitive information is held by reference to whether its collection, use and disclosure is fair and reasonable
  • create and/or review privacy policies in relation to employee information
  • update employment contracts and policy handbooks
  • appoint or designate a senior employee responsible for privacy
  • undertake privacy impact assessments for activities with high privacy risks, including programs that access or manage employee personal information e.g. payroll services, employee assistance programs etc
  • report data breaches relating to employee personal information (including loss of information and if it has been accessed inappropriately) and
  • destroy information if there is no reasonable justification or necessity for employers to hold that information

Moray & Agnew is available to immediately assist employers meet their obligations.

Introduction

The employee records exemption exempts private sector employers from the operation of the Privacy Act for an act or practice directly related to its employment relationship with an individual, and an employee record it holds relating to the individual (s7B(3) Privacy Act). Somewhat broadly, an ‘employee record’ is defined as a “record of personal information relating to the employment of the employee” (s6 Privacy Act). The exemption also extends to the ‘notifiable data breach’ scheme (NDB). That is, any data breach involving personal information of employees in an employee record that is likely to result in serious harm is not subject to the NDB scheme’s reporting requirements.[1]

What is being proposed?

In summary, the Privacy Review Report recommends the following enhanced protections for employees:

  • transparency to employees regarding what their information is being collected and used for by employers
  • ensuring that employers have adequate flexibility to collect, use and disclose employees’ information that is reasonably necessary to administer the employment relationship
  • ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required and
  • notifying employees and the Office of the Australian Information Commissioner of any data breach involving an employee’s personal information which is likely to result in serious harm.

Why is it being proposed?

Among other things, the proposed recommendations seek to address circumstances in which:

  • employers are increasingly collecting, using and disclosing employee personal information. Further, it is in digitised form, which facilitates ease of disclosure and accessibility
  • there is often limited transparency about how and why employees’ personal information is being used and disclosed, and whether the collection and use is in fact reasonably necessary to administer the employment relationship
  • employee records often contain sensitive information (e.g. health, financial) and are not subject to security and/or destruction requirements. This became particularly apparent in response to the COVID-19 pandemic and the need for employers to collect this information in order to be compliant with their non-delegable occupational health and safety obligations
  • as a result of not being subject to the same stringent requirements as other types of personal information, employee records are particularly vulnerable to exploitation by external parties (such as by way of hacking) and/or internal parties (employees/contractors inappropriately accessing or using personal information). This vulnerability is then compounded by there being no regulatory obligations on employers to report or remedy these breaches
  • overseas jurisdictions do not have comparable privacy exemptions for employers in relation to employee personal information. Rather, employee personal information is treated like any other personal information collected and held by an entity. In some respects, it has been considered that consistency between jurisdictions is beneficial to entities that operate transnationally
  • if the Fair Work Act is similarly amended to enhance the privacy protections for employees in conjunction with the limitation or repeal of the employee record exemption under the Privacy Act, then there is the potential for almost all non-public sector employees to be covered and
  • were the Privacy Act to be amended to incorporate privacy protections for employees, it would potentially only extend to those entities that are APP Entities within the meaning of the Privacy Act. However, as part of the review, consideration is also currently being given to extending APP Entities to include entities with an annual turnover of less than $3 million

What does this mean for your organisation?

While the above proposals are only recommendations, it is anticipated that they will be implemented in the short to medium term. Accordingly, employers should be poised to deal with the administration of complying with the new privacy landscape as it relates to employee records. For example, employers should ensure that:

  • there is sufficient investment and attention to the security of employee records and information management systems, including robust policies and procedures for the collection, use and disclosure of employee records. For example, as an interim measure, organisations may wish to limit access to employee records to key personnel within the organisation on a ‘need to know’ basis
  • there is a clear purpose for the information being collected, how it is used, disclosed (and to whom) which conforms to a ‘fair and reasonable’ test. The types of information being collected may be different and, therefore, the purpose for collection should be clearly articulated having regard to the nature of the information. This purpose should be communicated to employees. There will be implications for organisations that collect information for the purposes of meeting diversity quotas or organisations operating in industries that use biometric information as a form of identification
  • employees are kept updated and notified regarding collection, disclosure and/or how this impacts their personal information and
  • there is the capability to correct, update and destroy information (and clarity as to when this occurs).

In the context of recent events involving high profile data breaches, employers/businesses need to be increasingly vigilant and invest resources with respect to their information management practices and cyber-security. Whilst many businesses are used to protecting the personal information relating to individual customers, employee information is equally deserving of protection. A recent data breach allegedly involving the exposure of Meriton’s employees’ personal information is a timely reminder of the attention required to be given to implementing appropriate privacy practices.

Summary

It is anticipated that the employee records exemption will be wound back or repealed. This will create significant additional obligations upon employers with respect to how they manage employee personal information. This includes amendments to employment contracts and internal privacy policies, and reviewing what employee personal information is being collected, held and disclosed. Moray & Agnew can assist employers to comply with these anticipated regulatory changes.

Further information / assistance regarding the issues raised in this article is available from the authors Bill Fragos, Special Counsel, for Privacy related queries and Nick Duggal, Partner and Estelle Sarra, Associate for Employment related queries, or your usual contact at Moray & Agnew.

[1] Privacy Review Report p 64.