Just as a matter of routine, businesses collect a great deal of personal information about their employees. Providing that information to strangers could well be a breach of the Federal Privacy Act. But there is an exemption: compliance with the Privacy Act is waived if the disclosure of an employee record was ‘directly related’ to the current or former employment relationship as provided by s7B(3) of the Act.
In this bulletin we consider what that exemption means in practice, and identify some areas of risk.
What are ‘employee records’?
An ‘employee record’ is a record of personal information relating to an employee, such as:
- contact details - routine and emergency;
- matters to do with health;
- engagement, conduct, performance, disciplining, training, resignation;
- terms and conditions of employment (including salary and wages);
- membership of a professional body, a trade association, or a union;
- taxation, banking and superannuation affairs; and
- leave taken and accrued.
In general, the Privacy Act requires that employee records are to be managed in accordance with the Australian Privacy Principles, which are set out in the schedule to the Privacy Act. Those principles can be restrictive, but there is that exemption.
So what exactly does the exemption exempt?
The exemption applies to any act that is ‘directly related’ to the current employment relationship or former relationship. What do those words mean? What is directly related?
An example – a prospective purchaser
Say you are thinking about selling your business and you have some inquiries from prospective purchasers. You have been asked to disclose the terms and conditions under which your employees currently work. The inquiry is confidential so you can’t ask your employees to agree to the disclosure. Would disclosing that personal information contained in the employee records be directly related to the current employment relationship?
Doing so may well be to the employer’s interests, but probably not to the interests of the employee. But interests aside, is the disclosure directly related? It’s hard to see how the disclosure could be.
How is it directly related to your current employment that your employer provide information about your remuneration or performance to a prospective purchaser? And yet it happens all the time.
One day an employee will complain about the new boss having the upper hand in salary negotiations because the old boss handed over their salary details. The employer might argue that disclosure was ‘directly related’ because if the business was not sold there would be no job. But that does not necessarily make the disclosure ‘directly related’ to the employment relationship itself.
So what should a business vendor do? Perhaps de-identify the data and say: “We have five employees in the $150,000+ band, ten between $100,000 and $150,000 and the rest under $100,000.” That’s disclosure of information, but not disclosure of personal information.
When is disclosure allowed?
Employee records can be disclosed outside the direct employment relationship but only in limited circumstances. For example, Australian Privacy Principle 2.2.a allows disclosure if authorised under an Australian law. Employers may be required to disclose information to a Fair Work Inspector or the Australian Taxation Office. Disclosure of an employee’s personal information to a lawyer for the purpose of legal advice is permitted as an exemption. And disclosure to a workers compensation insurer would be directly related to the employment.
The privacy complaint of C v Commonwealth Agency  PrivCmrA 3 illustrates the issues. A husband and wife worked for the same employer. The wife made a workers’ compensation claim and argued she could not afford some medical expenses. To prove she had enough money, the employer gave details of the husband’s salary to the insurer’s lawyer.
Apart from making assumptions about matrimonial finances, the Privacy Commissioner found the employer had breached the Privacy Act because the disclosure of the husband’s salary details was not ‘directly related’ to his employment. The employer was only saved by the disclosure being to the lawyer, as a matter of seeking advice under client legal privilege exemption. But the principle remains – the salary details could not be disclosed to a third party.
That case involved a Commonwealth government department. As well as the private sector the Privacy Act also covers the Federal Government, but not small businesses or the State governments.
What about the NSW public sector?
The Federal Privacy Act does not extend to NSW State government bodies, which are instead regulated by the Privacy and Personal Information Protection Act. The NSW Act operates in a similar way as the Federal Privacy Act. The employee records of public servants are personal information held by the agency.
Although there is no equivalent to the ‘directly related’ exception, what is personal information is defined in a different way, in s4(3)(j) of the Act, being; information or opinions about an employee’s suitability for appointment or employment as a public sector official. And there are related provisions in s5(3)(m) of the Health Records and Information Protection Act 1998.
The different definition of personal information as not relating to ‘suitability for appointment or employment’ might sound like a broad exception. But it has been narrowly interpreted so as to require that the precise context of the collection and the disclosure has to be immediately related to ‘suitability’.
In the case of Department of Education and Training v PN (GD)  NSWADTAP 66, a principal of a school passed on an investigation report about a transferring teacher to the next school principal. It was held that the disclosure was not about ‘suitability’ for employment as the transfer had already happened and was not subject to assessment of other matters such as the investigation report. There had been a breach of privacy.
So passing on information about general performance was not permitted because at the time there was no question of suitability for appointment or employment.
With cases like these we can expect that employees may soon be more interested in protecting their private employee records than they may have in the past. Discloser beware!