In an age where the management of data is largely electronic, employers have a much greater opportunity to collect and retain vast amounts of information, much more than ever before. This information is useful to have on file - but what are the risks?
With the new Australian Privacy Principles (APPs) to take effect from 12 March 2014, it is a timely reminder that Australian employers must observe strict requirements of handling employee related information.
The risks an employer faces range from costly penalties of up to $1.7 million for the Company and $340,000 for individuals, unforeseeable investigations under the Privacy Commissioner's new "own motion" investigative powers and reputational damage.
Now, more than ever, employers should implement or update privacy policies and procedures to offer themselves greater protection.
'I have a policy and, besides, employers have the employee records exemption!'
We hear this phrase a lot, and blindly relying on either, without considering their application to the specific circumstances, is extremely dangerous.
The employee records exemption only applies to personal information collected and used as part of the employment relationship (current or former), or contained in an 'employee record.'
The hidden risk here is that individuals like contractors and job candidates are not covered by the exemptions.
Many employers hold, use and even disclose personal information of individuals who are not exempt, placing them at risk.
Another critical but frequently overlooked risk is where a member of a corporate group collects personal information of a subsidiary's employee assuming the employee record exemption applies. Only the legal employer has the benefit of the exemption. Therefore, the notification requirements and other privacy obligations of the APPs will need to be considered before any such collection occurs.
Having policies and procedures is a good start, but they will only be as useful as they are up to date.
Our top privacy tips for employers collecting non-exempt employee information
- Collecting personal information from job candidates
- the types of information collected,
- the uses to for the information (i.e. during the job application process and afterwards), and
- how individuals are notified of collection.
If an employer collects sensitive information, like pre-employment health checks, it will be important to obtain consent and to have a legitimate business use/purpose for the collection.
- Destroying information
If the purpose for which the employer has collected information is complete, the information should ordinarily be destroyed or de-identified.
But what about defending an adverse action or discrimination claim?
These types of claims can be pursued by individuals who are not covered by the exemption, like job candidates.
Information that is collected or created, such as notes relating to a candidate's suitability against the selection criteria, could prove to be crucial evidence in defending a claim. In certain circumstances this information may be exempt from destruction, but only if is collected and managed in accordance with a bespoke employer policy.
Employees who handle employee related information should be prepared for the APPs. Mishandling information now has even greater consequences. Conducting privacy training sessions that specifically cover non-exempt employee information is one of the best ways to instil best practice in your workplace.
There are many misconceptions about privacy and data protection laws, so it is important that your workplace is prepared for the new changes. The Privacy Commissioner will want to test out its new 'own motion' investigative powers in the coming months, and you run the risk of your workplace may not complying if you are not proactive.
Joel Davis and Jaimie Wolbers