Rules around employers’ legal requirements regarding the collection and storage of employee information could be set to change in the near future, with proposed reform ahead for the employee record exemption. Here’s what HR needs to know.
The Australian Privacy Act 1988 (Cth) currently includes an exemption for handling the records of current or former employees, commonly referred to as the ‘employee record exemption’.
This means that private sector employers don’t have to comply with the Australian Privacy Principles (APPs) when dealing with employee records. This allows employers to collect, use and disclose personal and sensitive information about a current or former employee if the information relates to the employment relationship between the business and the individual.
The exemption does not cover prospective employees, so job candidate information must be dealt with in accordance with the APPs.
Earlier this year, the Federal Attorney-General’s Department released its response to the Privacy Act Review Report. The report’s consideration of proposals to reform the employee records exemption is relevant reading for HR and employers.
Among other things, it considered multiple options to reform the way employers deal with employee information, including the removal or modification of the employee record exemption, or the enhancement of protections within workplace relations legislation.
It predominantly focused on strengthening employee protections and proposes that employers would still be able to collect information that is “reasonably necessary to administer the employment relationship”, which could include information for superannuation and payroll purposes, for example.
However, it has also suggested introducing additional limitations on the employee records exemption to prevent misuse of such data. The report did not detail what those additional limitations may be, but we anticipate a stricter definition of what constitutes use in relation to the employment relationship.
The proposed reforms
On 28 September 2023, the Federal Government indicated its in-principle agreement with the recommendation, stating that it agrees with bolstering privacy protections for private sector workers, including:
- Enhancing transparency in how employers utilise employee personal information.
- Permitting employers to “collect, use and disclose” worker information only when it is deemed “reasonably necessary to administer the employment relationship,” including an assessment of the necessity of obtaining consent.
This may include information about an employee’s medical conditions, if it’s relevant to an application for sick leave, or to the inherent requirements of the employee’s role.
- Safeguarding employee information from misuse, loss or unauthorised access, with a condition for its deletion when it’s no longer needed by employers.
- Ensuring that both employees and the Information Commissioner are notified in cases of data breaches involving employee personal information that may result in serious harm, such as leaking an employee’s banking details.
The Government has also indicated its willingness to engage in further consultation with employer and employee representatives to determine the legislative framework for enhanced employee privacy protections, including the interaction between privacy and workplace relations laws.
For example, such consultations would have to consider how any requirement to destroy employee information would interact with the requirements under the Fair Work Act 2009 (Cth) to retain certain employee information for seven years.
In addition to these reforms, there is the prospect of a privacy code of practice being introduced, with the aim of clarifying obligations related to the collection, use and disclosure of personal and sensitive information.
Potential issues that could arise
Given the scope of changes that employers have had to deal with over the past two years, more changes which potentially increase the administrative costs and operational burdens on employers are unlikely to be welcome.
Employer groups have expressed opposition to the changes, citing reasons such as:
- Requiring employee consent to collecting personal information could jeopardise an employer’s ability to achieve workplace diversity and inclusion, as this involves collecting and using employees’ sensitive information, such as racial and ethnic origin and health information.
- An employer’s ability to administer sensitive matters such as complaints, disciplinary action and performance management may be negatively affected if they are required to comply with the APPs.
Leaks of employee data are already a concern. In Australia, major companies have had employee information hacked and leaked on the dark web.
How to help your organisation prepare
We anticipate it will be at least another year before any reforms take effect, and it’s likely that employers would be given a grace period to get their current employee records in order. However, we still recommend employers start to prepare by:
- Conducting a high-level audit of what employee data your business holds, where it is held and why. This will help ensure all compliance issues can be identified and remedied quickly when the reforms take effect.
- Engaging with internal IT, line management, payroll and HR teams about the organisation’s current practices for collecting and using employee data.
- Assessing external service providers who hold your employee data, such as payroll or incentive scheme systems.
- Considering whether there is any current and former employee data that is unnecessary to retain and can therefore be securely destroyed, and whether there are any destruction practices that can be implemented going forward.
We anticipate that any limitations on the employee record exemption will likely cause significant practical implications for employers. For example, many employers do not currently have collection or use notices for employee information. Some employers may also have to closely audit their processes and systems, including what information is stored on various HR and payroll software and systems.
Presumably, a breach involving employee records under a narrowed exemption will be treated in the same way as other breaches of the Privacy Act, meaning that penalties and fines could apply to both individuals and companies. This is one to watch as we move into the new year.
Aaron Goonrey is a Partner and Emma Lutwyche is a Special Counsel, at Pinsent Masons.