With data security under scrutiny and new regulations coming into effect, HR leaders need clarity on the legal obligations governing employee records.
With the rise of the data economy, reports of breaches have become almost weekly news – making data security a pressing priority for organisations and their boards.
While headlines usually focus on customer information stolen in cyberattacks, companies are also amassing vast stores of employee-related data.
Performance metrics, behavioural insights and even health information are increasingly captured through data-driven systems, giving employers unprecedented access to personal and sensitive details.
This raises an urgent question for HR leaders and executives alike: what are the legal boundaries when collecting, storing and using employee data?
Personal versus sensitive information
The Privacy Act 1988 (Cth), which incorporates the 13 Australian Privacy Principles (the ‘APPs’), is the key legislation governing how entities handle personal and sensitive information.
The Privacy Act does not apply to all organisations, but compliance is widely considered best practice. In addition, each state and territory has public sector-specific privacy legislation in place.
‘Personal information’ is “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. Sensitive information is a subset of personal information relating to specific attributes of a person, including health information.
Sensitive information is more closely safeguarded by the APPs. An organisation must have a person’s consent before collecting their sensitive information. Consent may be expressed or implied, but must always be informed and voluntary.
However, and relevant to employers, the Privacy Act currently contains the ‘employee records exemption’, which exempts private sector employers from complying with the APPs when handling “a record of personal information relating to the employment of the employee”. Data relating to an employee’s performance is an example of this.
That said, not all personal information an employer acquires about employees will be considered an ‘employee record’.
For example, an employee’s bank details may form an employee record, but emails an employee receives from their bank via their work email may not, as these may not relate to their employment. The exemption only applies to personal information already held by the employer. So, when collecting new information, the APPs apply.
Further, information gathered during recruitment processes is not covered by the exemption. Employers should be mindful of how personal information of candidates is stored, and, ideally, safely destroy any unnecessary data collected for unsuccessful candidates.
Employers should also be aware that additional obligations may arise under other legislation, such as the Health Records Act 2001 (Vic), when handling employees’ personal health information.
New regulations around serious invasions of privacy
A new statutory tort for serious invasions of privacy has recently been introduced to the Privacy Act.
This is a cause of action for individuals, including employees, who consider another person has invaded their privacy by ‘intruding upon their seclusion’ or misusing information relating to them, where the person would have had a reasonable expectation of privacy in the circumstances.
While this new tort is currently untested, a serious invasion of privacy may occur if, for example, an employer informed an employee’s clients or colleagues of their experience of family and domestic violence.
The government has flagged further reforms to the Privacy Act – including potential changes to the long-standing employee records exemption. This is currently in the consultation period.
In summary: HR action points
To ensure compliance, employers should:
- Have robust and compliant policies protecting personal information, including around misuse, unauthorised access, modification, disclosure and loss.
- Review the privacy policies of any third party dealing with employee data on their behalf.
- Have clear protocols for collecting and handling health and sensitive information, including how consent is obtained.
- Review data collection and storage practices and determine if these are necessary – reducing the level of data stored reduces risk.
Georgie Chapman is a Partner at HR Legal.
A version of this article was originally published in the October/November 2025 edition of HRM Magazine.
All information, content and materials available on this site are for general informational purposes only. The contents of this article do not constitute legal advice and should not be relied upon as such.
