Issue a compliant Employee Privacy Notice and Collection Statement under Australian Privacy Principle 5 (APP 5) of the Privacy Act 1988 (Cth). Covers the employee records exemption under s7B(3), notification of personal and sensitive information collection, payroll and TFN handling under the Income Tax Assessment Act, workplace health and safety information, superannuation, overseas disclosure obligations under APP 8, access and correction rights under APP 12 and 13, and the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. Includes an employee acknowledgment signature block for HR compliance records.
What Is an Employee Privacy Notice (Australia)?
An Employee Privacy Notice (also called a Collection Statement) is a document that an employer provides to employees, contractors, and job applicants to explain how the organisation collects, holds, uses, and discloses their personal information. In Australia, the obligation to provide such a notice arises primarily from Australian Privacy Principle 5 (APP 5) in Schedule 1 of the Privacy Act 1988 (Cth), which requires APP entities to take reasonable steps to notify individuals at or before the time personal information is collected.
The Privacy Act 1988 (Cth) is the principal federal privacy statute in Australia. It contains 13 Australian Privacy Principles (APPs) that regulate the collection, use, disclosure, and management of personal information by APP entities, which are generally organisations with an annual turnover exceeding $3 million and certain other organisations (including those that handle health information). The APPs replaced the National Privacy Principles in 2014 following the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
An important feature of Australian privacy law for employers is the employee records exemption in s7B(3) of the Privacy Act 1988 (Cth). This exemption provides that acts and practices of an organisation that are directly related to a current or former employment relationship, and directly related to an employee record held by the organisation, are exempt from the Privacy Act. However, this exemption does not remove the obligation to notify employees of the information collected, and does not exempt employers from obligations under state and territory privacy legislation.
A well-drafted Employee Privacy Notice covers the organisation's identity and contact details, the categories of personal and sensitive information collected, the purposes for collection, to whom the information may be disclosed (including overseas recipients), employees' access and correction rights, the organisation's security measures, and how to make a privacy complaint.
When Do You Need an Employee Privacy Notice (Australia)?
An Employee Privacy Notice should be issued by any organisation that collects personal information from employees, contractors, or job applicants in Australia. There are several specific circumstances that make an Employee Privacy Notice particularly important.
Organisations subject to the Privacy Act 1988 (Cth) — those with an annual turnover exceeding $3 million — are required to provide an APP 5 collection notice to employees and job applicants. The notice must be provided at or before the time of collection, or as soon as practicable afterwards. This means that employers should provide a Privacy Notice to job applicants at the start of the recruitment process, and to new employees at the time of engagement.
Organisations that collect sensitive information from employees — such as health information (for workers compensation and workplace safety), biometric data (for access control), or tax file numbers (for payroll) — need an Employee Privacy Notice that specifically addresses the collection of that sensitive information and the basis on which it is collected.
Organisations that use overseas service providers — such as cloud-based HR and payroll software, offshore shared services centres, or parent company HR systems located overseas — must provide employees with information about overseas disclosures and satisfy the APP 8 requirements before disclosing employee personal information to overseas recipients.
Organisations that are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth) should have a Privacy Notice in place that informs employees about their rights in the event of a data breach.
Even small businesses that are generally exempt from the Privacy Act 1988 should consider issuing an Employee Privacy Notice if they handle sensitive health information about employees, are subject to state or territory privacy legislation, or wish to demonstrate transparency and good governance to employees.
What to Include in Your Employee Privacy Notice (Australia)
A comprehensive Australian Employee Privacy Notice should include the following key elements to satisfy the APP 5 notification requirements and best practice standards.
Organisation identity: The notice must identify the organisation (the APP entity) that is collecting the personal information, including its full legal name, ABN or ACN, and registered address. Employees need to know who is responsible for handling their personal information.
Categories of personal information collected: The notice should list all categories of personal information collected from employees, including identity information, contact details, employment history, payroll and financial information, workplace safety records, attendance records, and security information. Sensitive information (such as health information, biometric data, and tax file numbers) should be separately identified.
Purposes of collection: APP 5.2 requires the notice to state the purposes for which personal information is collected. In the employment context, these purposes include HR and payroll administration, compliance with the Fair Work Act 2009 and associated legislation, workplace health and safety, superannuation, and disciplinary processes.
Disclosure to third parties: The notice must inform employees of the types of third parties to whom the organisation discloses personal information, including payroll providers, government agencies, superannuation funds, and related corporate entities. If information is disclosed to overseas recipients, this must be specifically disclosed in accordance with APP 8.
Access and correction rights: The notice must inform employees of their right to access and correct their personal information under APP 12 and APP 13, and explain how to exercise those rights.
Privacy Officer contact details: The notice must provide the contact details of the person or office responsible for handling privacy enquiries and complaints.
Complaint procedure: The notice must explain the process for making a privacy complaint, including the right to escalate to the Office of the Australian Information Commissioner (OAIC) if the employee is not satisfied with the organisation's response.
Employee acknowledgment: Including an employee signature and date confirming receipt of the notice creates a record for HR compliance purposes.