
Are employees’ details private?

15 AUG 2024 | Commercial Law, M&A, Regulatory

By Jacqueline Monk, Special Counsel and Brian Powles, Partner

Employers collect significant amounts of personal information from employees – ranging from innocuous details like phone numbers and email addresses all the way to biometric information, copies of identification documents, tax file numbers and evidence of vaccinations. 

Do privacy laws extend to this information? What happens if this information gets hacked? What are the potential pitfalls for employers in this area? 

Privacy Act

In Australia, the Privacy Act 1988 (Cth) is the key piece of legislation governing the handling of personal information by private organisations. Among other things, the Privacy Act sets out the 13 Australian Privacy Principles (APPs) for the management of personal information. These principles apply to any organisation that is governed by the Privacy Act and set out requirements as to: 

  • the collection, use and disclosure of personal information;
  • an organisation’s governance and accountability;
  • storage, integrity and correction of personal information; and
  • the rights of individuals to access their personal information.


‘Employee records’ exemption

The Privacy Act, while wide-reaching, does not govern each and every act of an organisation. Importantly, the ‘employee records’ exemption relieves employers of some of the Act’s requirements when handling personal information about employees. However, tread carefully! The exemption has been interpreted narrowly: it applies only to the use and disclosure of employee information that is directly related to the employment relationship and that is already held by the employer in an employee record. It does not cover the act of collection. This means that employers still need to comply with the requirements of the Privacy Act when collecting personal information from employees, including providing notice of collection and, where collecting sensitive information (such as health or biometric information), seeking consent from employees before collection. The exemption also does not extend to employee tax file numbers, which are separately protected under the Act’s tax file number provisions. 

Notifiable Data Breach Scheme (NDBS)

An important feature of the Privacy Act is the notifiable data breach scheme, which requires organisations to notify both the Office of the Australian Information Commissioner (OAIC) and the individuals affected if an ‘eligible data breach’ occurs. Are employee records captured by this scheme? The short answer to this is (unhelpfully)…maybe. 

The OAIC’s guidance for the NDBS suggests that if an employee record is accessed by a third party without authorisation, the employer should follow the notification requirements under the NDBS and should not rely on the employee records exemption. However, this view has not yet been tested by the courts. An alternative interpretation of the exemption is that the record remains an employee record held by the employer even after a third party has accessed it, and because the employer itself has done nothing to take the record outside the exemption, the exemption continues to apply. 

It is also important to consider whether the General Data Protection Regulation (GDPR) applies to your particular business. The GDPR contains no equivalent employee records exemption, so if the GDPR applies to your business (for example, because it has an establishment in the EU or offers goods or services to individuals there), the Australian exemption will not relieve you of your GDPR obligations in respect of employee data. 

In short, you should carefully assess any data breach involving employee details and seek legal advice as to whether it is an ‘eligible data breach’ and whether notification is required. The scheme expects an organisation to complete its assessment of a suspected eligible data breach within 30 days, so the time available once a breach is discovered is short. It is therefore worth working through the likely scenarios during ‘business as usual’ and recording how you intend to approach each of them in your data breach response plan. In this way, when a crisis occurs you will already have the material on hand to respond.  

Where to next?

In February 2023 the Attorney-General’s Department released the Privacy Act Review Report. The Report made 116 proposals for reform of the Privacy Act. In its chapter dedicated to the employee records exemption, it notes that while submissions from employers expressed a wish to retain (and strengthen) the exemption, submissions from employee representative organisations sought greater transparency around the use and disclosure of employee information. The Report recommends further consultation, so it is unlikely that the position on the employee records exemption will be settled in the near future. 

The Walter Baden team is experienced in both employment and privacy law and is ready to provide guidance if you have questions about how to handle your employees’ details.    

Next week, we’ll look at how to treat employee details during a M&A due diligence exercise. 
