The recent significant changes to the Privacy Act 1988 (Cth) (Privacy Act), which have impacted most private sector entities, have resulted in many private sector employers asking: how does this impact our handling of employee information?
While the answer to that question, at this stage, is that employee records continue to be exempt from the coverage of the Privacy Act by virtue of an ‘employee records exemption’, employers need to be mindful of the limited application of this exemption. Additionally, employers should be aware that there may still be instances where the reformed Privacy Act (as well as health records and workplace surveillance legislation) will be relevant to some of their dealings with their employees and importantly, the reformed Privacy Act still applies to recruitment processes.
Privacy Act amendments
On 12 March 2014 the reforms to the Privacy Act took effect, introducing a number of significant changes.
Some key features of the amended Privacy Act are as follows:
- The introduction of the 13 Australian Privacy Principles (APPs) which replaced the 10 National Privacy Principles that previously applied to private sector entities covered by the Privacy Act.
- The strengthening of the Australian Information Commissioner’s powers to enforce privacy laws, including the power to prosecute organisations for serious or repeated breaches of the Privacy Act and seek penalties of up to $1.7m.
- The introduction of a more comprehensive credit reporting system and a mandatory credit reporting privacy code that binds all credit reporting bodies, most credit providers and some other entities (such as trade and mortgage insurers).
- Increasing legal obligations regarding overseas disclosures of personal information and the use of personal information for direct marketing.
Employee Records Exemption
Of relevance to private sector employers is that the reforms to the Privacy Act did not include the removal of the ‘employee records exemption’. This exemption provides that the Privacy Act does not apply to an employer’s handling of personal information about an individual if it is directly related to:
- a current or former employment relationship between the employer and the individual; and
- an employee record held by the employer relating to the individual.
Employee records refer to personal information relating to the employment of the employee including health information about the employee and personal information about the employee’s engagement, training, disciplining or resignation, dismissal, terms and conditions of employment, personal and emergency contact details, performance or conduct, hours of work, salary or wages, trade union membership, leave, taxation, banking or superannuation affairs.
The rationale behind the introduction of the employee records exemption in the Privacy Act (which occurred in 2000 with the passing of provisions to make the Privacy Act applicable to the private sector) was to enable privacy protection of employee records to be dealt with under workplace relations legislation. However, it is widely viewed that such legislation does not provide the required level of protection. Certainly, the Australian Law Reform Commission following its 2008 inquiry into the Privacy Act that led to the recent reforms (ALRC privacy inquiry) holds this view and recommended the removal of the employee records exemption so that the Privacy Act applies to an employer’s handling of its current and former employees’ personal information.
In power at the time the ALRC handed down its report on the ALRC privacy inquiry, the Labor Government indicated it would aim to remove the employee records exemption from the Privacy Act in a further stage of reforms. As we are now in a different political climate, the future of the employee records exemption remains uncertain. Employers should therefore take a ‘watch this space’ approach with regard to the ongoing application of the employee records exemption.
In any event, employers should be aware that the employee records exemption has limited application. As it will only apply to an act or practice that is directly related to the employment relationship with the individual, an employer must ensure it:
- considers the purposes for which it is handling an employee’s personal information; and
- where the information is not directly related to the employment relationship, handle the information in accordance with the Privacy Act and the Australian Privacy Principles.
It should also be noted that separate to any application of the Privacy Act to personal information of employees, health records legislation may apply to the handling of any health-related information of an employee, and that obligations of confidence are generally owed by employers to their employees when handling any form of employee personal information. Accordingly, employers should always ensure they handle employee information accordingly and treat it as confidential information.
One area in particular where employers need to be mindful of the application of the Privacy Act is employee monitoring. Employers are increasingly seeking to monitor employees’ use of workplace email and internet to prevent any misuse of employer-owned technology systems.
While at common law an employer can, without consent, generally access and monitor any information passing to and from a workplace computer, the existence of the Privacy Act as well as workplace surveillance legislation in some jurisdictions has modified this position.
Computer, internet and email monitoring of employees by employers is regulated by:
- the Privacy Act to the extent that the relevant emails or records contain information that is not directly related to the employment relationship, for example, a personal email exchange between an employee and their friend, where the employee has used their work email address; and
- legislation in various Australian jurisdictions (specifically, New South Wales and the Australian Capital Territory) which directly regulates surveillance of workplace computer use.
Accordingly, employers need to ensure they are complying with such legislation when undertaking computer, internet and email monitoring. Some key compliance strategies with respect to such monitoring include:
- ensuring employment contracts include a clause requiring employees to comply with employer policies and procedures, including email, internet and social media policies;
- having in place email, internet and social media policies that specify expectations of appropriate use of such technology and make clear that email, internet and social media use at work or that is work-related will be monitored to assess compliance;
- bringing the policies to the attention of the employees through training and regular email/intranet reminders of the policies; and
- if specific workplace surveillance legislation applies, ensure the notification requirements of the legislation are complied with.
It is important to note that the employee records exemption does not apply to information held about job applicants who are not yet, or who do not become, employees. This is because the requisite employment relationship does not exist. In this regard, the collection, use, disclosure, and storage of personal information about job applicants during the recruitment process must be handled in accordance with the Privacy Act and the APPs. Additionally, job applicants are able to request access to and correction of the personal information held about them by a prospective employer.
Some key strategies employers can adopt to ensure compliance with the Privacy Act when undertaking recruitment processes are:
- ensure personal information collected from or about an applicant is necessary and relevant to the applicant’s potential employment;
- provide applicants with privacy collection notices, setting out what and how personal information is being collected, why that information is being collected, how that information will be used, to whom that information may be disclosed, how that information will be stored and (if applicable) retained, and how the applicant can request access to and correction of that information;
- allow an applicant access to their personal information on request (unless an exception under the Privacy Act applies);
- obtain consent from applicants to conduct background checks and collect certain information from third parties, such as referees and recruitment agencies;
- only use and disclose information about a job applicant for the purpose of assessing that applicant’s suitability for the role; and
- have policies in place relating to the destruction of personal information gathered during the recruitment process.
Where to from here?
Notwithstanding the continued application of the employee records exemption, employers should ensure they are well placed to deal with their compliance obligations under the reformed Privacy Act.
Some key tips to keep in mind to ensure employers are meeting their obligations are:
- review and update privacy policies to ensure they comply with the requirements under the APPs;
- educate and train staff on the new privacy obligations and ensure staff have access to your revised privacy policies;
- review and update employment policies and processes, in particular email, internet and social media policies and recruitment processes, to ensure they are consistent with privacy and workplace surveillance obligations; and
- identify and rectify any gaps with privacy compliance processes and implement new business processes and practices required to ensure compliance with the Privacy Act, particularly with regard to direct marketing, overseas disclosures of personal information, information security and privacy complaint handling.