Out-Law Analysis 3 min. read
13 Oct 2023, 2:36 am
Changes to the legal framework allowing private sector employers in Australia to collect and use data on their employees without breaching data privacy laws could be underway following a government review.
As a general rule, personal privacy protection measures in countries worldwide need to be balanced against a business’ legitimate operational needs, including managing information about its employees.
In Australia, the primary federal source of privacy protections arises from the Privacy Act 1988 (Cth), which implements a series of ‘Australian Privacy Principles’ (APPs). The APPs govern standards, rights and obligations around the collection, use and disclosure of personal information, among other things.
The APPs require certain things such as the issuing of a privacy notice and seeking an individual’s consent, before collecting their personal information. The privacy notice would notify the individual of the purpose for the collection of their personal information, and how it might be used or disclosed.
For private sector employers, there is a significant carveout from the APPs known as the employee records exemption. In essence, the APPs do not apply to acts taken which are directly related to a current or former employment relationship in the private sector between an employer and employee, or an employee record held by the employer and relating to the employee.
Employee records mean any personal information relating to the employment of the employee including terms and conditions of employment, performance management records and details of the employee's salary.
The effect of this exemption is that private sector employers are able to collect and use this type of employee information without worrying about tripping up on privacy laws along the way. This exemption only applies to employee relationships – so the APPs and other privacy requirements still apply to personal information of customers, contractors, visitors or secondees.
Following some high-profile data breaches in recent years, the Australian government commissioned a review of the Privacy Act. In February 2023, the government released the review report (320-page / 4.14MB PDF), which proposed reforms to the employee records exemption in order to:
We anticipate it won’t be until the second half of 2024 that proposed amendments to the Privacy Act are released.
Submissions made on employee records reform
During the review, some large employers opposed changes to the existing employee records exemption, for reasons including:
Employers should review their existing privacy regimes and be prepared to amend them if necessary to ensure they stay up to date with any upcoming reforms.
The reform report stated that most submissions agreed there was a need, at least to some extent, for dedicated exceptions or carveouts to permit employers to collect, use or disclose employees' personal information without consent.
At the end of September 2023, the Australian government formally responded to the Privacy Act review and declared in-principle support for the review’s recommendations regarding employee information. The government said it would consult with employer and employee groups further before it prepares draft legislation.
We anticipate it won’t be until the second half of 2024 that proposed amendments to the Privacy Act are released. In the meantime, employers should continue to monitor this space, review their existing privacy regimes and be prepared to amend them if necessary to ensure they stay up to date with any upcoming reforms.