Navigating Employee Data Through Australian Privacy Act

Published September 2, 2021 / Updated October 8, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia


In Australia, privacy obligations regarding employees’ data are largely derived from statute, as there is no “constitutional” protection of privacy rights. Privacy in Australia is regulated at both the federal and the State level. Because of this, privacy obligations may differ across jurisdictions, as well as between the private and public sectors. In each jurisdiction, privacy may be regulated by specific privacy legislation and also by legislation concerning freedom of information, health and electronic surveillance. The Privacy Act 1988 (Privacy Act) is the most relevant legislation regulating employees’ personal data, subject to certain exemptions.

State and Territory privacy legislation

In most territories and states of Australia, privacy regulation is limited to the public sector. Employers need to be aware of the following legislation for each state or territory:

  • Victoria - Privacy and Data Protection Act 2014 (Vic) and the Charter of Human Rights and Responsibilities Act 2006 (Vic)
  • New South Wales - Privacy and Personal Information Protection Act 1998 (NSW)
  • Queensland - Information Privacy Act 2009 (Qld)
  • Western Australia - Freedom of Information Act 1992 (WA)
  • South Australia - Information Privacy Principles (IPPs) reissued by the State Government of South Australia in 1992
  • Tasmania - Personal Information and Protection Act 2004 (Tas)
  • Northern Territory - Information Act (NT)
  • Australian Capital Territory - Information Privacy Act 2014 (ACT)

Fair Work Act 2009

The Fair Work Act 2009 of Australia also regulates the relationship between employees and “national system employers”. These are broadly defined in the Fair Work Act and cover a wide range of employers across Australia, depending on location. The act also addresses the rights of employee unions, including their right of access to employees’ employment records. It is important to note that unions that access employee records must then comply with the Privacy Act obligations with respect to those records.

Freedom of Information Legislation

The Freedom of Information Act 1982 also gives employees the right to access documents about them held by federal government agencies or Ministers, other than exempt documents.

Employee Record Under the Privacy Act:

The Privacy Act defines “Employee Records” as “a record of personal information relating to the employment of the employee”. This can include:

  1. Engagement, disciplining, training or resignation of the employee
  2. Termination of the employment
  3. Terms and conditions of employment
  4. Personal emergency contact details
  5. Performance or conduct
  6. Hours of employment
  7. Salary or wage
  8. Membership of a professional or trade association
  9. Allocated leave
  10. Taxation, banking or superannuation affairs

Employer Obligations Under the Privacy Act:

1. Obligations Related to Former and Current employees:

The Privacy Act treats public and private sector employee records differently. It applies to Australian Government and Norfolk Island administration employee records, but the use and disclosure of an employee record held by a private-sector employer is not covered by the Privacy Act if the use or disclosure directly relates to the current or former employment relationship. This means such an employer does not need to comply with the Privacy Act and the Australian Privacy Principles (for example, in relation to the storage, access, use, disclosure and handling of the information) in relation to records about its current and former employees.

However, the exemption does not apply to the collection of personal information about prospective employees.

2. Job Applicants and Privacy Act:

The personal information of job applicants, including information contained in CVs, references, and background checks, must be dealt with in accordance with the Privacy Act. For example, personal information may only be collected where it is necessary for one or more of the legitimate functions or activities of the business, and must only be used for the purpose for which it is collected. For prospective employees, employers must comply with the following Australian Privacy Principles.

3. Data Collection From Prospective Employees:

An employer may only collect sensitive personal information about an employee from someone other than the employee if the employee consents, or if the employer is required or authorized by law to collect the information from someone else. Employers can process employee personal information for another purpose if, among other things:

  • The employee gives free consent
  • The purpose is related to the primary purpose

4. Data Retention:

In cases where employee data falls under a Privacy Act exemption, employers have no obligations under the legislation. This means that the personal data of private organizations’ current and former employees does not fall under the ambit of the Privacy Act. However, various state and federal legislation requires that employers retain specific records relating to employees; under the Fair Work Regulations 2009, such records must be retained for up to seven years.

5. Privacy Statement or Agreement

Australian Privacy Principle 1 requires that employers covered by the Privacy Act have a clearly expressed and up-to-date privacy policy about their management of personal information. Such a policy must contain the following information:

  • Type of information being collected and stored
  • How this data is being stored
  • The purpose of the collection
  • How an individual can access and/or rectify this data
  • How an individual can make a complaint, and how the employer will handle it
  • Whether the employer is likely to disclose information to overseas recipients

6. Data Transfers Requirements:

For the cross-border transfer of employees’ personal data, the Privacy Act requires that the recipient country have appropriate guidelines and obligations regarding personal data before an employer can transfer data there. Australian Privacy Principle 8 governs the transfer of data across borders. Such a transfer can only be made if one of the following conditions applies:

  • The recipient country has an enforceable law or binding scheme that is similar to the Privacy Act;
  • Consent for transfer is obtained from the employee;
  • The disclosure of the information has been provided;
  • A “permitted general situation” exists with regards to the disclosure;
  • Disclosure is authorized or required by an international agreement to which Australia is a party;
  • Disclosure is necessary for enforcement-related activities.

7. Contractors of Employers:

The “employee records” exemption does not cover contractors and subcontractors when they handle the personal information of another organization’s employees, notwithstanding their contractual arrangements. For example, the employee records exemption is unlikely to apply to organizations that provide recruitment, human resource management, medical, training or superannuation services under contract to an employer. A contractor or subcontractor that collects employee records about an individual from an employer will have to comply with the Australian Privacy Principles in handling that information, including the notice requirements in APP 5.

Employee Rights under Australian Privacy Act

The Privacy Act gives prospective employees in the private sector broad control over the way their personal information is handled. The Privacy Act allows employees to:

  • Know why their personal data is being collected
  • Know how it will be used and who it will be disclosed to
  • Request access to their personal information
  • Rectify personal information that is incorrect
  • Complain to the enforcement authority if they believe the employer has mishandled their personal information.

Consequence of Violating the Privacy Act

Employees can file a complaint about an interference with their privacy with the relevant employer. If the complaint is not resolved, it can be referred to the Office of the Australian Information Commissioner for conciliation. Following this, the Australian Privacy Commissioner can apply to the Federal Court for an order requiring the organization to pay a pecuniary penalty for certain privacy breaches under the Privacy Act 1988. Depending on the type of breach, the penalty can range from $525,000 to $2.1 million for a corporate body and from $105,000 to $420,000 for any other entity.

Considerations Towards the Privacy Act and Employee Data

When complying with the Privacy Act, employers should make sure that any employee information stored by the organization is only used and processed in a manner directly relating to the employment. This means that any information collected, stored, used or transferred should only be for the purpose of the employment relationship.

Employers are required to obtain written consent from employees in relation to collecting, using and disclosing the personal and sensitive information collected during the recruitment process. It is advised that employers consider including consent forms in their employment contracts. This will reduce the risk of an employer violating the Privacy Act.

Employers are also required to:

  • Understand the legislation which regulates the collection, storage and use of personal information
  • Understand that privacy requirements may differ across jurisdictions
  • Implement policies and procedures which regulate the collection, use and storage of an employee’s personal information in accordance with the Privacy Act
  • Train employees to handle personal information in accordance with the Privacy Act.

Conclusion

In order to manage their employees’ data within Australia, employers need to abide by the Privacy Act and other federal and state-level legislation. This law has several requirements when it comes to personal data, and organizations need to make sure that they abide by them in order to avoid fines or penalties.

With data growing at an exponential rate, employers will need to recruit the help of automation if they hope to stay in compliance. Certain solutions allow organizations to use artificial intelligence and robotic automation to simplify this process.

Frequently Asked Questions (FAQs)

The law protects personal details like names, contact info, tax records, and health data. However, some workplace-related data isn't covered under the employee records exemption.

In Australia, employees have privacy rights related to the handling of their personal information under the Privacy Act 1988 (Cth). These rights include the right to know how their data is collected and used, the right to access their information, the right to correct inaccuracies, and the right to complain about data handling practices.

Australia does not have a specific "Data Privacy Act." Instead, the Privacy Act 1988 (Cth) governs the handling of personal information, including employee data, in Australia.

Confidentiality policies in Australia outline the responsibilities of employees to protect sensitive or confidential information, both during and after employment. These policies often cover topics like non-disclosure of company data and proprietary information.
