As a general rule, personal privacy protection measures in countries worldwide need to be balanced against a business’ legitimate operational needs, including managing information about its employees.
In Australia, the primary federal source of privacy protections arises from the Privacy Act 1988 (Cth), which implements a series of ‘Australian Privacy Principles’ (APPs). The APPs govern standards, rights and obligations around the collection, use and disclosure of personal information, among other things.
The APPs require, among other things, that an organisation issue a privacy notice and seek an individual’s consent before collecting their personal information. The privacy notice tells the individual the purpose for which their personal information is being collected, and how it might be used or disclosed.
The employee records exemption
For private sector employers, there is a significant carveout from the APPs known as the employee records exemption. In essence, the APPs do not apply to an act or practice that is directly related to a current or former employment relationship in the private sector between an employer and an employee, or to an employee record held by the employer and relating to that employee.
An employee record means any personal information relating to the employment of the employee, including the terms and conditions of employment, performance management records and details of the employee’s salary.
The effect of this exemption is that private sector employers are able to collect and use this type of employee information without worrying about tripping up on privacy laws along the way. This exemption only applies to employee relationships – so the APPs and other privacy requirements still apply to personal information of customers, contractors, visitors or secondees.
Review of the Privacy Act
Following some high-profile data breaches in recent years, the Australian government commissioned a review of the Privacy Act. In February 2023, the government released the review report (320-page / 4.14MB PDF), which proposed reforms to the employee records exemption in order to:
- improve employer transparency about how they use the personal information of their employees and former employees;
- ensure employers can still "collect, use and disclose" employee information but only when it is "reasonably necessary to administer the employment relationship";
- require employers to consider whether they need employee consent for the particular collection, use or disclosure of employee information;
- protect employee information from "misuse, loss or unauthorised access", and ensure the information is destroyed when employers no longer need it – in a way that is consistent with the employer’s other legal obligations;
- guarantee that employees and the privacy regulator are notified of any data breaches involving employee personal information that are likely to result in serious harm.