Most employers would be aware of the stringent obligations in place to protect their employee's personal information. What might not be so clear are your obligations as an employer where law enforcement has requested this information be shared with them.
Knowing how to act in this situation is crucial. With the introduction of new data breach disclosure provisions, the standard for protecting an employee's personal information has never been higher (or the punishments more severe!).
Sure, you might be currently shielding employee personal information from unauthorised access. But how should you respond if you are requested by the police to willingly hand over information to assist in the investigation of a crime? Is it OK to comply? Should you?
Privacy at the Federal level in Australia is governed generally by the Australian Privacy Principles in the Privacy Act 1988. The Privacy Principles apply to Commonwealth agencies and most private enterprises (excluding small businesses).
Privacy Principle 6 prevents employers from using or disclosing employee personal information (such as names and contact details) for a purpose unrelated to the primary purpose for which it was gathered. Given that employee personal information is typically gathered for the purpose of allowing that person to be employed, use of that information for the purpose of, for example, a criminal investigation will be plainly unrelated. A breach of the Privacy Act obligations carries with it significant potential financial penalties.
In light of these obligations, what is the best way to respond if police contact you with a request for an employee's personal information, to assist in the investigation of a criminal offence?
Provided the following specific steps are followed, the good news is that you will be permitted to release the information without running the risk of a breach of your disclosure obligations.
Steps to take when asked for personal information by the police
While taking the above steps will ensure that your obligations regarding the disclosure of employee personal information are not breached, a general rule of thumb for such disclosures is to disclose the minimum amount of personal information reasonably necessary for the activity in question. If all that is required to assist in the enforcement related activity is an employee's name, only provide that.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.