Privacy in the Workplace: Avoid damaging employee data breaches by managing five high risk areas

5 May 2014

The new privacy regime is in full swing, with pressure on organisations to demonstrate substantial compliance with the new laws. The handling of 'employee records' and employee information is one area currently receiving considerable attention, despite being untouched by the recent amendments.

We take a look at the key issues to consider when managing employee information and provide guidance on how organisations and their employees can work together to minimise the risk of non-compliance under the new regime.

Key terms

Employee Record

A record of personal information relating to the employment of the employee, including information normally found in employee records such as salary and disciplinary information. Importantly, the definition will not apply to records for job applicants (until they become employees) or contractors; records held by someone other than the actual employer; and records not relating to the employment, such as purchases by the employee from the employer.

Employee Records Exemption

This applies to "organisations" and therefore employees of government agencies will obtain the benefit of the Australian Privacy Principles (APPs). Section 7B of the Act provides that an act or practice of an organisation that is or was an employer of an individual is exempt from the provisions of the Act if it 'is directly related to:

  • a current or former employment relationship between the employer and the individual; and
  • an employee record held by the organisation relating to the individual.'

Five high risk issues for managing employee data records

Organisations need to consider the following areas when managing employee records under the new APPs:

1. Groups of Companies

Where related companies have arrangements under which one company acts as the employer of all employees in the group, other group companies may hold some employment records which will not be exempt, as they are not held by the employer.

Many companies in this position have opted to have a separate employee privacy policy because of the unique nature of the topics covered. As contractors are treated in a similar manner to employees, they are often covered in these policies. It is generally advisable for group companies to treat all employment records as being covered by the APPs, as quarantining some records is likely to be difficult to achieve.

2. Collection Notices

Where the employee records exemption does not apply, the APPs will. This means that applicants for employment, contractors and employees of other entities will need to be given collection notices as required under APP 5. The new provisions provide that a collection notice will now usually be required to include:

  • notification that the privacy policy of the organisation contains information about how individuals can: 
    • access and seek correction of their personal information held by the organisation; and
    • complain about a breach of the APPs and how the complaint will be dealt with; and
  • whether the organisation is likely to disclose personal information overseas and, if so, to which countries.

Employers should consider whether their employment application forms, offers of employment or employment contracts need to be amended to meet these new requirements.

3. Overseas Disclosures

Employee information can be disclosed overseas in a number of ways; the two most common are to facilitate travel and to send the information to related companies. If international companies hold all HR information centrally, this raises issues about the interaction of the employee records exemption and the APPs.

An employer does not have to notify its employees that their personal information may be sent overseas, as any act or practice by an employer involving an employee record is exempt from the provisions of the Act, including the APPs (provided the act or practice is directly related to the current or former employment relationship). The cross-border disclosure provisions set out in APP 8 are also not applicable and the Australian organisation will not be liable for a breach of the employee's privacy by the overseas entity that received the information.

However, overseas entities with an 'Australian link' are subject to the provisions of the Act, but whether this link exists depends on the circumstances. The meaning of Australian link is discussed in the APP Guidelines in a less than satisfactory way.

Where the employee records exemption does not apply, the employee must be informed of the possible overseas disclosure and the employer will remain responsible for taking steps to ensure the recipient does not breach the APPs, unless one of the exceptions contained in APP 8.2 applies.

4. Access to Personal Information

An individual is able to seek access to personal information held about him or her under APP 12 (where the employee records exemption does not apply) but employers can refuse access to the information for many reasons. One exception often relied upon by employers is that 'giving access would have an unreasonable impact on the privacy of other individuals'.

Under a new exception in the APPs, the entity can deny access when it has reason to suspect misconduct of a serious nature relating to its functions or activities, and granting access would jeopardise attempts to address the matter. It is yet to be seen how this exception will play out in practice.

5. Security

Even if the employee records exemption does apply, employers should take steps to protect the confidentiality of employee records and review the security systems they have in place to achieve this. APP 11 extends the obligation from 'loss and misuse' to now include protection from 'interference'. As was previously the case under the old law, it also requires entities to 'take such steps as are reasonable in the circumstances to destroy' information or de-identify it when it is no longer needed for any permitted purpose. Employers can determine how long they keep employee records, but it is good practice to destroy those no longer needed.

The APP Guidelines and the OAIC's Guide to information security contain measures for maintaining security.

Employee training is paramount

It is vital to provide training for employees on protecting the privacy of customers and other parties with whom their employer interacts, in order to prevent potential breaches.

Should a breach occur, it is likely that the existence or absence of employee training would be high on the list of matters the Privacy Commissioner would investigate.

Providing training will help entities demonstrate that they are 'taking such steps as are reasonable in the circumstances to implement practices, procedures and systems ... that will ensure that the entity complies with the Australian Privacy Principles' under APP 1.2.

Author: Charles Alexander