Employee Privacy Notice (Australia)

It depends on the size of the organisation and the nature of the information collected. Under the Privacy Act 1988 (Cth), Australian Privacy Principle 5 (APP 5) requires an APP entity (generally organisations with an annual turnover exceeding $3 million, and smaller organisations that handle health information or opt in to the regime) to take reasonable steps to notify individuals at or before the time of collection, or as soon as practicable afterwards, of certain matters including who is collecting the information, why it is being collected, how it will be used, to whom it may be disclosed, and how the individual can access or correct their information. Small businesses with an annual turnover of $3 million or less are generally exempt from the Privacy Act 1988, but are still subject to the employee records exemption provisions and may be subject to state and territory privacy legislation. Even if not legally required, providing employees with a clear privacy notice is strongly recommended as a matter of established standards. It builds trust, reduces complaints, and ensures employees understand how their personal information is handled, which can reduce the risk of privacy complaints to the Office of the Australian Information Commissioner (OAIC).

Section 7B(3) of the Privacy Act 1988 (Cth) provides that an act or practice of an organisation is exempt from the Privacy Act if the act or practice is directly related to a current or former employment relationship between the organisation and the individual, and directly related to an employee record held by the organisation about the individual. This is known as the 'employee records exemption'. The exemption is broad in scope and covers routine HR activities such as managing payroll, recording leave, maintaining performance records, and managing disciplinary processes. However, the exemption does not cover all activities involving employee personal information. For example, it does not apply to the recruitment process (before an employment relationship is established), to the collection of prospective employee information, to acts that are not directly related to the employment relationship, or to acts involving subcontractors or labour hire workers engaged through a third-party agency. Furthermore, even where the federal employee records exemption applies, state and territory privacy legislation — such as the Health Records and Information Privacy Act 2002 (NSW) and the Health Records Act 2001 (VIC) — may still apply to certain categories of information. Employers should not assume that the employee records exemption removes all privacy obligations in respect of employees.

Yes, but with restrictions. Sensitive information is defined in s6 of the Privacy Act 1988 (Cth) and includes health information, genetic information, biometric information and templates, racial or ethnic origin, political opinions, membership of a political association, religious beliefs, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, and criminal record. APP 3.3 provides that an APP entity must not collect sensitive information about an individual unless the individual consents and the information is reasonably necessary for one or more of the entity's functions or activities, or in other limited circumstances (such as where collection is required or authorised by law, or where it is necessary to prevent a serious threat to life, health, or safety). In the employment context, employers commonly collect health information for workers compensation purposes, to manage return-to-work programs, for workplace safety assessments, and to administer sick leave. Tax file numbers are also a form of sensitive information (subject to the TFN Guidelines issued by the OAIC) and are collected for payroll purposes. Biometric data (such as fingerprints for access control) is also sensitive information under the Privacy Act 1988. Employers who collect sensitive information from employees should ensure they have an appropriate legal basis for doing so and should be transparent about the collection in their privacy notice.

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth) requires APP entities (organisations subject to the Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs. An eligible data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity, and a reasonable person would conclude that the breach is likely to result in serious harm to one or more of the individuals whose information was involved. In the employment context, an eligible data breach might include a cyberattack or ransomware attack that results in employee personal information being accessed or exfiltrated; accidental disclosure of employee personal information to the wrong person; or loss of a device containing unencrypted employee records. When an employer becomes aware of a suspected eligible data breach, it must conduct an assessment within 30 days to determine whether the breach meets the threshold for notification. If it does, the employer must notify the OAIC and, where reasonable, notify affected employees directly. Failure to comply with the NDB scheme obligations can attract civil penalties of up to $50 million for serious or repeated interferences with privacy. Employers should have an incident response plan in place to detect, assess, and respond to data breaches in a timely manner.

Under APP 12 of the Privacy Act 1988 (Cth), an individual has the right to request access to personal information held about them by an APP entity. The entity must respond to the access request within 30 days and must give access to the information unless one of the limited grounds for refusal applies. Grounds for refusal include where giving access would be unlawful, where access may impact on the privacy of other individuals, or where the information relates to anticipated legal proceedings between the entity and the individual. In the employment context, an employee can request access to their HR file, performance records, disciplinary records, and other personal information held by the employer. Importantly, under APP 12.3, an APP entity is not required to give an employee access to their personal information if it falls within the employee records exemption, but this is a discretionary exception rather than a prohibition. Under APP 13, employees also have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. If the employer refuses a correction request, it must take reasonable steps to associate with the information a notation that the individual has requested the correction and why. Employers are not permitted to charge a fee for making an access or correction request, although they may charge a reasonable fee for the costs of giving access if the request is complex.

Generally, the Privacy Act 1988 (Cth) only applies to organisations with an annual turnover exceeding $3 million. Small businesses with a turnover of $3 million or less are generally exempt from the Privacy Act, which means the Australian Privacy Principles (APPs) do not apply to them. However, there are several important exceptions. Small businesses that provide health services and hold health records are covered by the Privacy Act regardless of turnover. Small businesses that opt in to the Privacy Act regime are also covered. Small businesses that disclose personal information about another person for a benefit, service, or advantage are subject to the APPs in respect of that disclosure. Furthermore, even if a small business employer is exempt from the federal Privacy Act, they may still be subject to state and territory privacy legislation that regulates the handling of health information about employees (such as the Health Records and Information Privacy Act 2002 in NSW or the Health Records Act 2001 in Victoria). All employers are also subject to the common law duties of confidence and to specific statutory provisions regarding tax file numbers. Small business employers who handle employee health information or who deal with customers' personal information should seek legal advice about their specific privacy obligations.