Navigating Employee Data Through Australian Privacy Act

Published September 2, 2021 / Updated November 21, 2023

In Australia, privacy obligations regarding employees’ data are largely derived from statute, as there is no “constitutional” protection of privacy rights. Privacy in Australia is regulated at the federal level as well as at the State level. Because of this, privacy obligations may differ across jurisdictions, as well as between the private and public sectors. In each jurisdiction, privacy may be regulated by specific privacy legislation and also by legislation on freedom of information, health and electronic surveillance. The Privacy Act 1988 (Privacy Act) is the most relevant legislation regulating employees’ personal data, subject to certain exemptions.

State and Territory privacy legislation

In most states and territories of Australia, privacy regulation is limited to the public sector. Employers need to be aware of the following legislation for each state or territory:

  • Victoria - Privacy and Data Protection Act 2014 (Vic) and the Charter of Human Rights and Responsibilities Act 2006 (Vic)
  • New South Wales - Privacy and Personal Information Protection Act 1998 (NSW)
  • Queensland - Information Privacy Act 2009 (Qld)
  • Western Australia - Freedom of Information Act 1992 (WA)
  • South Australia - Information Privacy Principles (IPPs) reissued by the State Government of South Australia in 1992
  • Tasmania - Personal Information and Protection Act 2004 (Tas)
  • Northern Territory - Information Act (NT)
  • Australian Capital Territory - Information Privacy Act 2014 (ACT)

Fair Work Act 2009

The Fair Work Act 2009 of Australia also regulates the relationship between employees and “national system employers”, a term the Fair Work Act defines broadly to cover a range of employers in Australia depending on their location. The Act also gives employee unions a right of access to their members’ employment records. It is important to note that unions that access employee records must then comply with the Privacy Act obligations with respect to those records.

Freedom of Information Legislation

The Freedom of Information Act 1982 also gives employees the right to access documents about them that are held by federal government agencies or Ministers, other than exempt documents.

Employee Record Under the Privacy Act:

The Privacy Act defines “Employee Records” as "a record of personal information relating to the employment of the employee". This can include:

  1. Engagement, disciplining, training or resignation of the employee
  2. Termination of the employment
  3. Terms and conditions of employment
  4. Personal emergency contact details
  5. Performance or conduct
  6. Hours of employment
  7. Salary or wage
  8. Membership of a professional or trade association
  9. Allocated leaves
  10. Taxation, banking or superannuation affairs

Employer Obligations Under the Privacy Act:

1. Obligations Related to Former and Current employees:

The Privacy Act treats public and private sector employee records differently. It applies to employee records of the Australian Government and the Norfolk Island administration, but the use and disclosure of an employee record held by a private-sector employer is not covered by the Privacy Act if that use or disclosure directly relates to the current or former employment relationship. This means such an employer does not need to comply with the Privacy Act and the Australian Privacy Principles (for example, in relation to the storage, access, use, disclosure and handling of the information) in relation to records about its current and former employees.

However, the exemption does not apply to the collection of personal information about prospective employees.

2. Job Applicants and Privacy Act:

The personal information of job applicants, including information contained in CVs, references, and background checks, must be dealt with in accordance with the Privacy Act. For example, personal information may only be collected where it is necessary for one or more of the legitimate functions or activities of the business, and must only be used for the purpose for which it is collected. For prospective employees, employers must comply with the following Australian Privacy Principles.

3. Data Collection From Prospective Employees:

An employer may only collect sensitive personal information about an employee from someone other than the employee if the employee consents, or if the employer is required or authorized by law to collect the information from someone else. Employers can process employee personal information for another purpose if, among other things:

  • The employee gives free consent
  • The purpose is related to the primary purpose

4. Data Retention:

Where employee data falls under a Privacy Act exemption, employers have no retention obligations under that legislation. This means the personal data of a private organization’s current and former employees does not fall within the ambit of the Privacy Act.
However, other state and federal legislation requires employers to retain specific records relating to employees; under the Fair Work Regulations 2009, such records must be kept for up to seven years.

5. Privacy Statement or Agreement

Australian Privacy Principle 1 requires that employers covered by the Privacy Act must have a clearly expressed and up-to-date privacy policy about the management of personal information by the employer. Such a policy must contain the following information:

  • Type of information being collected and stored
  • How this data is being stored
  • The purpose of the collection
  • How an individual can access and/or rectify this data
  • The procedure of complaint and how the employer will handle it
  • Whether the employer is likely to disclose information to overseas recipients

6. Data Transfers Requirements:

For the cross-border transfer of employees’ personal data, the Privacy Act requires that the recipient country have appropriate guidelines and obligations regarding personal data before an employer can transfer data there. Australian Privacy Principle 8 governs the transfer of data across borders. Such a transfer may only be made if one of the following conditions is met:

  • The recipient country has an enforceable law or binding scheme that is similar to the Privacy Act;
  • Consent for transfer is obtained from the employee;
  • The disclosure of the information has been provided;
  • A “permitted general situation” exists with regards to the disclosure;
  • Disclosure is authorized or required by an international agreement to which Australia is a party;
  • Disclosure is necessary for enforcement-related activities.

7. Contractors of Employers:

The “employee record” exemption does not cover contractors and subcontractors when they handle the personal information of another organization’s employees, notwithstanding their contractual arrangements. For example, the employee records exemption is unlikely to apply to organizations that provide recruitment, human resource management, medical, training, or superannuation services under contract to an employer. A contractor or subcontractor that collects employee records about an individual from an employer will have to comply with the Australian Privacy Principles in handling that information, including the notice requirements in APP 5.

Employee Rights under Australian Privacy Act

The Privacy Act gives prospective employees in the private sector broad control over the way their personal information is handled. The Privacy Act allows employees to:

  • Know why their personal data is being collected
  • Know how it will be used and who it will be disclosed to
  • Request for access to their personal information
  • Rectify personal information that is incorrect
  • Complain to the enforcement authority if they believe the employer has mishandled their personal information.

Consequence of Violating the Privacy Act

Employees can first raise a complaint about an interference with their privacy with the relevant employer. If the complaint is not resolved, it can be referred to the Office of the Australian Information Commissioner for conciliation. After that, the Australian Privacy Commissioner can apply to the Federal Court for an order requiring the organization to pay a pecuniary penalty for certain privacy breaches under the Privacy Act 1988. Depending on the type of breach, the penalty can range from $525,000 to $2.1 million for a corporate body and from $105,000 to $420,000 for any other entity.

Considerations Towards the Privacy Act and Employee Data

When complying with the Privacy Act, employers should ensure that any employee information the organization stores is only used and processed in a manner directly relating to the employment. This means that any information collected, stored, used or transferred should only be for the purposes of the employment relationship.
Employers are required to obtain written consent from employees for collecting, using and disclosing the personal and sensitive information gathered during the recruitment process. Employers are advised to consider including consent forms in their employment contracts, which reduces the risk of violating the Privacy Act.

Employers are required to ensure the following as well:

  • Understand the legislation which regulates the collection, storage and use of personal information
  • Understand that privacy obligations may differ across jurisdictions
  • Implement policies and procedures which regulate the collection, use and storage of employees’ personal information in accordance with the Privacy Act
  • Train employees to handle personal information in accordance with the Privacy Act.


To manage their employees’ data within Australia, employers need to abide by the Privacy Act and other federal and state-level legislation. This law imposes several requirements on the handling of personal data, and organizations need to make sure they abide by it in order to avoid fines or penalties.

With data growing at an exponential rate, employers will need to recruit the help of automation if they hope to stay in compliance. Certain solutions allow organizations to use artificial intelligence and robotic automation to simplify this process.


Authored by Anas Baig

Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs. His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.