Handle with care: employer obligations when handling personal information about their employees

A recent decision by the Australian Privacy Commissioner has highlighted the need for employers to tread carefully whenever they receive personal information, particularly sensitive health information, about their employees.

Current state of the law on employee records

The Privacy Act 1988 (Cth) (Act) is the main federal source of privacy protections in Australia.  The Act provides for several Australian Privacy Principles (or APPs), which govern the standards, rights and obligations around the collection, use and disclosure of personal information and sensitive information.

Private sector employers are exempt from compliance with many of the APPs where an act or practice is directly related to:

  • a current or former employment relationship; and
  • an “employee record” (defined in the Act) held by the employer and relating to an individual.[1]

Importantly, the exemption only operates once an “employee record” is held by an employer.  This means that organisations with an annual turnover of $3 million or more[2] are not exempt from the need to comply with APPs when initially collecting an employee record, such as recording personal details on an onboarding form or registering a fingerprint to implement digital attendance scanners at a workplace.[3]

Relevantly, these APP obligations require that such organisations only collect personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities and, if that personal information is also sensitive information (such as health information), the organisation must also obtain the individual’s consent.

Despite the drastic increase in the collection, storage, use and disclosure of employee records since the employee records exemption was introduced in 2000,[4] there is still a lack of awareness about the exception[5] and uncertainty about its scope, given the infrequency of published decisions considering it.

ALI and ALJ

This privacy complaint[6] (determined by the Commissioner in June 2024) arose after an employee suffered a medical episode whilst they were at work in their employer’s car park. They were given CPR by colleagues until an ambulance arrived and transported the employee to a hospital.  Following the episode, a staff member contacted the employee’s husband and asked that he contact their manager to provide an update on the employee’s condition.

The husband sent a text message to the manager providing an update on the employee’s condition and that manager conveyed this message to the managing director of the employer.  The managing director then proceeded to send an email to over 100 head office employees, disclosing that the employee had experienced a medical episode, providing details about her health status and including the full names of her and her husband in the email.

The employee ultimately resigned from the organisation and lodged a complaint to the Commissioner in respect of the disclosure.

Under APP 6, an organisation must not disclose or use personal information for a purpose other than what it was initially collected for.  In responding to the complaint, the employer argued that it was exempt from the APPs, due to the employee records exception.

The Commissioner rejected the employer’s argument.  It determined that the employer had interfered with its employee’s privacy and had breached APP 6.1, and ordered it to pay the employee $3,000 for non-economic loss and a small amount for reasonable expenses.

In reaching this conclusion, the Commissioner considered that the primary purpose of the collection was to ensure the welfare of the employee and to meet work, health and safety obligations concerning incident reports.  However, the information was then used instead to update staff about the employee’s condition, which was not the primary purpose for which it was collected.

The Commissioner also:

  • did not consider that the employee had implicitly consented to the secondary use of her information, despite her husband willingly sharing that information;
  • rejected the argument that a reasonable person would expect the employer to disseminate her health information in the manner that it did; and
  • did not agree that the Work, Health and Safety Act 2011 (NSW) authorised the employer to act in the way it did.

The future of the employee records exemption

In late 2023, the Federal Government formally responded to a 2022 review from the Attorney General’s Department into the Act, which had suggested amendments to the employee records exception, with the aim of:

  • improving employer transparency about how they use the personal information of their employees and former employees;
  • ensuring employers can still “collect, use and disclose” employee information but only when it is “reasonably necessary to administer the employment relationship”;
  • requiring employers to consider whether they need employee consent for the particular collection, use or disclosure of employee information;
  • protecting employee information from “misuse, loss or unauthorised access”, and ensuring the information is destroyed when employers no longer need it – in a way that is consistent with the employer’s other legal obligations; and
  • guaranteeing that employees and the privacy regulator are notified of any data breaches involving employee personal information that are likely to result in serious harm.

The Government agreed, in principle, that further consultation should be undertaken with employee and employer representatives on how enhanced privacy protections should be implemented in legislation.  However, as at the date of this article, no public consultation process has been commenced.

Takeaways

The recent decision of ALI and ALJ is an important reminder about the need for employers to exercise caution when collecting, handling, using and disclosing employee personal information, despite the existence of the employee records exemption.

It also underscores the regulatory burden on organisations — driven largely by uncertainty about what conduct is and is not regulated by the Act — that are now in possession of increasing volumes of personal information from their workplace.

Until further clarity is provided by the Government in the form of legislative change fit for the modern workplace, employers will continue to be forced to speculate about what kinds of information need to be handled carefully and how.

[1] Section 7B(3) of the Act.

[2] Sections 6C(1) and 6D of the Act.

[3] See Lee v Superior Wood Pty Ltd [2019] FWCFB 2946.

[4] Privacy Amendment (Private Sector) Bill 2000 (Cth).

[5] In a 2023 survey conducted by the Office of the Australian Information Commissioner, 81% of respondents were unaware that businesses collecting work-related information about employees were exempt from the privacy obligations under the Act.

[6] ALI and ALJ (Privacy) [2024] AICmr 131 (20 June 2024).


The views expressed in this article are general in nature only and do not constitute legal advice.


Lucy Shanahan
Partner
+61 2 9169 8405
[email protected]
Keifer Veloso
Senior Associate
+61 2 9169 8406
[email protected]
Dylan Pietrocola
Lawyer
+61 2 9169 8423
[email protected]