As the dust settles on several high-profile corporate data breaches, leaders at many organisations are feeling uneasy about the security and compliance of their own employee data.
The right way for businesses to handle employee data has been a hot-button issue for some time. In light of recent media attention on big-name corporate data leaks, concerns about data security have been pushed even further into the spotlight.
During AHRI’s recent webinar on collecting and storing employee data, Emily Booth, Special Counsel at Holding Redlich, spoke alongside Justin Waite, Managing Director at Sentaris, and Rob Scott, Chief Operating Officer at Smart WFM, about the ways organisations can strengthen data security and ensure they are compliant with relevant employment laws.
Queries about managing employee data came in thick and fast from webinar attendees, and the experts responded with insights on everything from Fair Work obligations to the most secure places to store data.
In an effort to keep the conversation going, Booth spoke with HRM to answer some of the audience questions that the experts didn’t have time to address during the webinar.
Q1: Why do we need to collect employee data in the first place?
A lot of HR professionals would be able to tell me more about why in practice they need to collect employee data, but as an employer you also have a legal obligation to collect and store employment records. For example, certain records need to be collected and kept for seven years, including information about pay, leave, hours of work, reimbursement of work-related expenses, workers comp insurance and superannuation contributions. These regulations are prescribed under the Fair Work Act and the Fair Work Regulations (view details here).
It’s also best practice to keep other records, such as resumes/applications, employment contracts and performance reviews, to provide a full employment history and assist you to undertake your normal HR functions, such as performance management.
“For serious data breaches under the Privacy Act, the penalty is currently $2.2 million. And they’re looking at increasing that by the end of the year to the greater of $10 million.” – Emily Booth, Special Counsel, Holding Redlich
Depending on your organisation, there may be other reasons why you need to collect employee data, which might include working with children checks or certain licenses that the employee is required to have in order to perform their normal work.
Q2: How long are we legally required to keep employee data?
Other than the requirements under the Fair Work Act mentioned above (that employee data is stored for seven years) there are other laws that require you to keep your tax and superannuation calculations, and how you met your choice of super fund obligations for five years.
Depending on your organisation, there’ll be various other laws that require you to retain various data.
Q3: What are the risks of not retaining employee data properly?
You would need to look at that in respect of your individual organisation. Obviously one of the biggest risks is reputational and losing the trust of your employees. There would also be potential fines and other enforcement action that could be taken under the Fair Work Act depending on the circumstances.
You asked what the penalties under the Privacy Act are, but whether they applied would of course depend on what kind of organisation you were and whether the employee records exemption applied, as we discussed more in the seminar. However for serious data breaches under the Privacy Act, the penalty is currently $2.2 million. And they’re looking at increasing that by the end of the year to the greater of $10 million; three times the value of any benefit obtained (directly or indirectly) from the contravention; or, if the value of the benefit cannot be ascertained, 10 per cent of the annual turnover of the organisation.
Q4: Is there a length of time we can store recruitment data for prospective employees?
If candidates are notified that their data will be stored for a legitimate purpose outlined in a privacy notice, you can keep it for as long as that purpose still applies. Often candidates would be happy to have their data stored so you could contact them in respect of further opportunities that arise. But it’s still good to set a limit on this period of time because, after a certain point, it’s more likely that the information is out of date.
If a candidate is successful and obtains a role, the recruitment data would become part of the employment record and would be categorised as employee data.
Q5: Are individuals liable for penalties under the Privacy Act, or only organisations?
At this stage, only organisations are liable under the Privacy Act. However, there are exemptions for small businesses with revenue under $3 million in certain circumstances.
Sometimes individuals might be liable under other laws for related actions, such as cybercrime offences, including hacking. An action for breach of confidence has also been successfully pursued where an individual published intimate photos of another individual (their former partner) online, in what would also be considered a breach of that individual’s privacy by another individual.
These are examples of other avenues that could make individuals liable, but they are not often pursued. Some of the law reforms in this area are looking at more direct forms of recourse including, potentially, extending the Privacy Act to apply to individuals.
Want to hear more from Emily Booth and other experts about employee data and cybersecurity? Watch the full webinar here.