The Attorney-General’s Department recently released its Privacy Act Review Report 2022 (Privacy Review Report). One major recommendation, which to date has gone largely overlooked, is the repeal or rollback of the ‘employee records exemption’ in the Privacy Act 1988 (Cth) (Privacy Act).

The ‘employee records exemption’ exempts most employers from the operation of the Privacy Act for an act or practice directly related to its employment relationship with an individual, and an employee record it holds relating to the individual (s 7B(3) Privacy Act). The exemption also extends to the ‘notifiable data breach’ scheme (NDB).

Should this exemption be amended, employers subject to the Fair Work Act 2009 (Cth) (Fair Work Act), including local councils in Victoria, will be required to pivot quickly to ensure compliance with privacy obligations with respect to their employees.

This issue will turn on whether the relevant amendments will be made to the Privacy Act or the Fair Work Act. Regardless, even if amendments are made to the Privacy Act, similar changes may follow for the Privacy and Data Protection Act 2014 (Vic) (Victorian Privacy Act).

Key message for local councils

In the likely event that the current exemptions in the Privacy Act and the Fair Work Act are wound back or removed entirely, local councils should immediately be prepared to:

  • audit all types of employee personal and sensitive information held;
  • be able to justify why each type of personal or sensitive information is held by reference to whether its collection, use and disclosure is fair and reasonable;
  • create and/or review privacy policies in relation to employee information;
  • update employment contracts and policy handbooks;
  • appoint or designate a senior employee responsible for privacy;
  • undertake privacy impact assessments for activities with high privacy risks, including programs that access or manage employee personal information (e.g. payroll services and employee assistance programs);
  • report data breaches relating to employee personal information (including loss of information and if it has been accessed inappropriately); and
  • destroy information if there is no reasonable justification or necessity for employers to hold that information.

Indeed, the above recommendations should be undertaken by local councils regardless of whether the amendments are made to the Privacy Act, Fair Work Act or even the Victorian Privacy Act.

Whilst many local councils are used to protecting the personal information of individual customers, employee information is equally deserving of protection. Given the class action litigation commenced over the personal-information handling practices of several businesses, and recent data breaches allegedly involving the exposure of the personal information of both Rio Tinto’s and Meriton’s employees, local councils need to be increasingly vigilant and invest resources in privacy, information management practices and cyber-security.

Moray & Agnew is available to immediately assist local councils to meet their obligations.

What is being proposed?

In summary, the Privacy Review Report recommends the following enhanced protections for employees:

  • transparency to employees about what information employers collect and what it is used for;
  • ensuring that employers have adequate flexibility to collect, use and disclose employees’ information that is reasonably necessary to administer the employment relationship;
  • ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required; and
  • notifying employees and the Office of the Australian Information Commissioner of any data breach involving an employee’s personal information which is likely to result in serious harm.

The impact of the amendments for local councils will depend on how the amendments are made. That is:

  • if the Fair Work Act is amended to enhance the privacy protections for employees in conjunction with the limitation or repeal of the ‘employee record exemption’ under the Privacy Act, then Victorian local council employees should be covered; and
  • were the Privacy Act to be amended to incorporate privacy protections for employees, it would potentially only extend to those entities that are APP entities within the meaning of the Privacy Act. This does not include Victorian local councils. However, it may be that the Victorian Privacy Act would also then be amended to mirror the relevant provisions of the Privacy Act and, accordingly, then apply to Victorian local councils.

Why is it being proposed?

Among other things, the proposed recommendations seek to address circumstances in which:

  • employers are increasingly collecting, using and disclosing employee personal information, and doing so in digitised form, which makes that information easier to disclose and access;
  • there is often limited transparency about how and why employees’ personal information is being used and disclosed, and whether the collection and use is in fact reasonably necessary to administer the employment relationship;
  • employee records often contain sensitive information (e.g. health, financial) and are not subject to security and/or destruction requirements. This became particularly apparent in response to the COVID-19 pandemic and the need for employers to collect this information in order to comply with their non-delegable occupational health and safety obligations;
  • as a result of not being subject to the same stringent requirements as other types of personal information, employee records are particularly vulnerable to exploitation by external parties (such as by way of hacking) and/or internal parties (employees/contractors inappropriately accessing or using personal information). This vulnerability is compounded by the absence of any regulatory obligation on employers to report or remedy these breaches;
  • overseas jurisdictions do not have comparable privacy exemptions for employers in relation to employee personal information. Rather, employee personal information is treated like any other personal information collected and held by an entity. In some respects, it has been considered that consistency between jurisdictions is beneficial to entities that operate transnationally.

What does this mean for Victorian local councils?

While the above proposals are only recommendations, it is anticipated that they will be implemented in the short to medium term. Accordingly, local councils should be prepared to deal with the administration of complying with the new privacy landscape as it relates to employee records. For example, local councils should ensure that:

  • there is sufficient investment and attention to the security of employee records and information management systems, including robust policies and procedures for the collection, use and disclosure of employee records. For example, as an interim measure, organisations may wish to limit access to employee records to key personnel within the organisation on a ‘need to know’ basis;
  • there is a clear purpose for the information being collected, and for how it is used and disclosed (and to whom), which conforms to a ‘fair and reasonable’ test. The types of information collected may differ, so the purpose for collection should be clearly articulated having regard to the nature of the information, and that purpose should be communicated to employees. There will be implications for organisations that collect information for the purposes of meeting diversity quotas, and for organisations operating in industries that use biometric information as a form of identification;
  • employees are kept updated and notified regarding collection and disclosure, and how this impacts their personal information; and
  • there is the capability to correct, update and destroy information, and clarity about when this should occur.

Summary

It is anticipated that the ‘employee records exemption’ will be wound back or repealed. This will create significant additional obligations upon local councils with respect to how they manage employee personal information. This includes amendments to employment contracts and internal privacy policies, and reviewing what employee personal information is being collected, held (and for how long) and disclosed to third parties. Moray & Agnew can assist employers to comply with these anticipated regulatory changes.

Further information / assistance regarding the issues raised in this article is available from the authors, Nick Duggal, Partner, Bill Fragos, Special Counsel and Estelle Sarra, Associate or your usual contact at Moray & Agnew.