In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aimed to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper) and conducted several rounds of public consultations. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
The Privacy Act ‘employee records’ exemption allows Australian private sector employers to avoid the application of the Australian Privacy Principles for large swathes of personal information they hold about their employees. The Discussion Paper has identified this exemption as a potential area for reform.
Background: Existing Regime
Under the Privacy Act, an employer’s dealings with personal information are exempt from the Australian Privacy Principles if the employer’s act or practice is directly related to:
- a current or former employment relationship between the employer and the individual; and
- an employee record held by the organisation and relating to the individual.
What is an ‘employee record’?
The Privacy Act contains a definition of “employee record” – a record of personal information relating to the employment of the employee. However, the narrow scope of this definition has meant that not all dealings with personal information in the employment context are exempt. For example, the exemption does not apply to personal information collected from unsuccessful job applicants, contractors, or volunteers. Further, the 2019 case of Jeremy Lee v Superior Wood Pty Ltd found that, in some circumstances, employers were still required to comply with the APPs when collecting personal information from employees, because at the point of collection, the information had not yet been distilled into an “employee record”.
For reference, the EU’s data protection regime, the GDPR, does not contain an employee records exemption. The GDPR applies to personal information collected as part of an employment relationship in the same way it applies to any other personal information that is collected by a company. The California Consumer Privacy Act (the CCPA) contains an employee records exemption that is similar to, but slightly broader than, the exemption in Australia’s regime. However, as of 1 January 2023, this exemption will be removed and the CCPA will apply to “human resources data”.
Discussion Paper Position
The Discussion Paper explores whether the employee records exemption has resulted in a failure to adequately protect the personal information of private sector employees. It considers whether the exemption should be abolished altogether, whether it should be modified so that it only applies to certain APPs, or whether it needs to be retained.
In particular, it considers whether APP 11.1 should apply to employee records, which would require private sector employers to take steps that are reasonable in the circumstances to protect that information from misuse, interference and loss, and from unauthorised access, modification and disclosure. Due to the sensitive nature and large volume of the information that is collected during an employment relationship (e.g. police background checks, health information, salary details), individuals could be at significant risk if this information is mishandled. Similarly, the Discussion Paper also considers whether the notifiable data breach scheme should be extended to apply to all employee records, and whether the legislation should be amended to explicitly state how APP 3 (Collection of Solicited Personal Information) applies to employment information in the wake of Lee v Superior Wood.
However, the Discussion Paper also considered the many submissions that advocated to retain the employee records exemption. These submissions highlighted the potential overlap with the existing information handling restrictions required under workplace relations laws. They also highlighted the APPs that would be difficult to apply in an employment context. For example, allowing employees to access and correct their personal information may complicate the administration of workplace investigations or performance management processes.
Ultimately, the paper puts forward three options for reform:
- removing the employee records exemption entirely. The Discussion Paper glosses over this option with a short comment about the difficulties this would raise in administering the employment relationship for private sector employers.
- enhancing employee privacy protections in workplace relations legislation. Again, the Discussion Paper makes a brief comment that this approach would further fragment privacy protection across various legislative regimes.
- modifying the employee records exemption to only apply to specific APPs. The Discussion Paper proposes each APP should be individually considered in the employment context. In its commentary around this proposal, it suggests that employee records should be subject to APPs 8 (Cross Border Disclosures) and 11 (Security of Personal Information). It also suggests that the employee records exemption should be retained, in a more tailored form, for APP 3 (Collection of Solicited Personal Information) and APP 6 (Use and Disclosure of Personal Information).
The OAIC has recommended that the employee records exemption should be removed and the Attorney-General should consider whether it is appropriate to add additional exceptions to specific APPs. In its response, the OAIC stated that the Privacy Act is a more appropriate framework for regulation of employers’ dealings with personal information, rather than workplace relations laws, and this approach will help achieve a consistency of privacy regulation across the economy. The OAIC’s response seems reluctant to suggest too many exceptions for employee records, and it highlights the “principles-based” nature of the APPs that allow employers to take a risk-based approach to compliance, rather than recommending any piecemeal exceptions for specific APPs.
In contrast, the Australian Chamber of Commerce and Industry’s submission is that the employee records exemption should be kept intact. It argues that employment information should be the domain of workplace legislation, and there is no evidence that employee information is currently being misused as a result of the lack of regulation. Further, the ACCI recommends that the existing employee records exemption be extended to expressly apply to the collection of personal information in an employment context, so that employers have clarity on their obligations in response to the Lee v Superior Wood decision.
Implication of an employee records reform
There’s a lot at stake for this reform. If the employee records exemption is removed, many Australian businesses may need to re-design their HR information processes to be compliant with the APPs. In many ways, the existing employee records exemption is inconsistent and confusing – it seems arbitrary that the exemption does not apply to contractors or job applicants – and the Lee v Superior Wood decision has created uncertainty about how the regime applies. Regardless of the type of reform the AG chooses to enact, this is certainly an area of the Privacy Act that needs to be reformed to provide greater certainty to Australian businesses.
Authors: Andrew Hii and Claire Harris