This LAWFIT™ Privacy Guide is published as part of a series of legal and regulatory guides on data and privacy. Below we examine the treatment of employee records under Australian privacy laws.
The Act includes 13 Australian Privacy Principles (‘APPs’) that outline how companies must handle, use and manage Personal Information. Further, where Personal Information is unlawfully disclosed, changes to the Act in February 2018 introduced the Notifiable Data Breach Scheme, which requires companies to investigate and notify affected individuals and the Australian Information Commissioner.
Personal Information (‘PI’) is defined under the Act as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Under the Act, some categories of PI are exempt from the application of Privacy Laws. Below we look at the important exemption in respect of Employee Records.
An Employee Record is defined under the Act to mean: a record of personal information relating to the employment of the employee.
Clearly this is a broad definition. Examples of Employee Records provided by the OAIC include the following PI in respect of an employee:
• Health information;
• Records regarding workplace performance or conduct, training, discipline, leaving arrangements, resignation or termination of employment;
• Terms and conditions of employment, including hours of employment, salary or wages;
• Personal and emergency contact details;
• Membership of a professional or trade association or trade union membership;
• Recreation, long service, sick, maternity, paternity or other leave; and
• Taxation, banking or superannuation affairs.
In certain circumstances, an employer’s handling of Employee Records relating to current and former employment relationships will be exempt from the Privacy Laws. This includes an employer’s obligations in respect of PI handling, use and management under the APPs, as well as notification obligations under the Notifiable Data Breach Scheme.
The exemption will apply if the relevant act or practice is directly related to:
• A current or former employment relationship between the employer and an individual; and
• An employee record held by the employer relating to that individual.
This means that the employer does not need to comply with the Privacy Laws when it handles current and past Employee Records for purposes directly related to the employment relationship. It also means that an employer does not have to grant an employee access to his or her Employee Records under the Act.
However, as discussed below, not all PI about an employee would necessarily be considered to be “relating to the employment” of the employee, so employers should not assume a blanket exemption applies.
The employment exemption will not apply to the collection of PI about prospective employees who are subsequently not employed by the employer, such as unsuccessful job applicants. However, once an employment relationship is formed with an individual, the records the employer holds relating to that individual’s pre-employment checks will become exempt.
The employment exemption will not apply to independent contractors who are not employees.
Not all information an employer holds in relation to an individual employee would be classified as an Employee Record. For example:
• Whilst an employee’s bank details may form part of an Employee Record, emails an employee receives from their financial institution via their work email account may not necessarily be part of an Employee Record as they may not relate to the employment of the employee.
• Information about employees regarding the provision of additional perks or benefits to employees, such as gym memberships, health services or insurances, may not be exempt under the Privacy Laws. This may be because the information is not strictly regarded as employment-related PI.
These can be cases of fine distinctions. Whether or not information forms part of an Employee Record will depend on the circumstances in any particular case.
Key takeaways from this Guide:
(a) An employer does not need to comply with the Privacy Laws when it handles current and past Employee Records that are directly related to the employment relationship.
(b) An employer does need to comply with the Privacy Laws in relation to PI about:
(i) prospective employees who are not employed by the employer; and
(ii) information it holds in relation to an individual employee that would not be classified as an Employee Record.
(c) Not every piece of information that an employer holds about an employee is automatically an exempt Employee Record under the Privacy Laws. These can be subtle distinctions and specialised legal advice may be required.
The information above is general in nature. If you would like to learn more about the collection of personal information under the Privacy Act, please contact us below.