'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on September 2, 2021 AUTHOR - Privacy Research Team
In Australia, privacy obligations regarding the employees’ data are largely derived from the statute as there is no “constitutional” protection of privacy rights. Privacy in Australia is regulated at a federal, as well as, a State level. Due to this, privacy obligations may differ across different jurisdictions, as well as between private and public sectors. In each jurisdiction, privacy may be regulated by specific legislation and also by legislation with respect to freedom of information, health and electronic surveillance. Privacy Act 1988 (Privacy Act) is the most relevant legislation that regulates employees’ personal data with certain exemptions.
In most territories and states of Australia, the privacy regulation is limited to the public
sector. Employers need to be aware of the following legislation for every state
or territory. These include:
The Fair Work Act 2009 of Australia also regulates the relationship between employees and “national system employers”. These are broadly defined in the Fair Work Act, a network of various employers in Australia based on location. This act pertains to the rights of the employee union, giving them access to their personal employment records. It is important to note that unions that access employee records must then comply with the Privacy Act obligations with respect to those records.
The Freedom of Information Act 1982 also gives employees the right to access their documents which are held by federal government agencies or Ministers, other than exempt documents.
The Privacy Act defines “Employee Records” as "a record of personal information relating to the employment of the employee". This can include:
The Privacy Act treats public and private sector employee records differently. It applies to Australian Government and Norfolk Island administration employee records, but the use and disclosure of any employee record a private-sector employer holds aren’t covered by the Privacy Act if the use or disclosure of the record directly relates to the current or former employment relationship. This means an employer does not need to comply with the Privacy Act and Australian Privacy Principles (for example, in relation to the storage, access, use, disclosure and handling of the information) in relation to records about its current and former employees.
However, the exemption does not apply to the collection of personal information about prospective employees.
The personal information of job applicants, including information contained in CVs, references, and background checks, must be dealt with in accordance with the Privacy Act. For example, personal information may only be collected where it is necessary for one or more of the legitimate functions or activities of the business, and must only be used for the purpose for which it is collected. For prospective employees, employers must comply with the following Australian Privacy Principles.
An employer may only collect sensitive personal information about an employer from someone other than the employer if the employer consents, or if the employer is required or authorized by law to collect the information from someone else. Employers can process employee personal information for another purpose if, among other things:
In cases where the employee data falls under a Privacy Act exemption, employers have no obligations under the legislation. This means that the personal data of employees of private organizations’ current and former employees do not fall under the ambit of the Privacy Act.
However, various state and federal level legislation requires that employers retain specific records relating to employees for up to seven years under the Fair Work Regulations 2009.
For the cross-border transfer of personal data of employees, the Privacy Act requires that the recipient country should have appropriate guidelines and obligations regarding personal data before an employer can transfer data there. The Australian Privacy Principle 8 refers to the transfer of data across borders. This transfer can only be done if the following guidelines are followed:
The “employee record” does not cover contractors and subcontractors when they handle the personal information of the employees of another organization, notwithstanding their contractual arrangements. For example, the employee records exemption is unlikely to apply to organizations that provide recruitment, human resource management services, or medical, training, or superannuation services under contract to an employer. An organization that is a contractor or subcontractor that collects employee records about an individual from an employer will have to comply with the Australian Privacy Principles in handling that information, including the notice requirements in APP 5.
The Privacy Act gives prospective employees in the private sector broad control over the way their personal information is handled. The Privacy Act allows employees to:
Employees can file a complaint regarding interference with privacy to the relevant employer. If the complaint is not resolved, it can be referred to the Office of the Australian Information Commissioner for conciliation. Once this is done, the Australian Privacy Commissioner can apply to the Federal Court for an order requiring the organization to pay a pecuniary penalty for certain privacy breaches under the Privacy Act 1988. Depending on the type of breach, the penalty can range from $525,000 to $2.1 million for a corporate body and from $105,000 to $420,000 for any other entity.
When complying with the Privacy Act, employers should make sure that any employee information stored by the organization is only used and processed in a manner directly relating to the employment. This means that any information collected, stored, used or transferred should only be for the purpose of an employment relationship.
Employers are required to obtain written consent from employees in relation to collecting, using and disclosing their personal and sensitive information collected during the recruitment process. It is advised that employers consider including consent forms in their employment contracts. This will reduce the risk of an employer violating the Privacy Act.
In order for employers to manage their employees' data within Australia, they need to abide by the Privacy Act and other federal and state-level legislation. This law has several requirements when it comes to personal data and organizations need to make sure that they abide by it in order to avoid fines or penalties.
With data growing at an exponential rate, employers will need to recruit the help of automation if they hope to stay in compliance. Certain solutions allow organizations to use artificial intelligence and robotic automation to simplify this process.
Request a demo with Securiti to see how we can help.