The Privacy Act

The federal Privacy Act exempts employee records from its coverage - this means that records falling within the exemption do not have to be managed within the rules of the legislation. A consideration of what comes within this exemption is set out in this article.

 
 
Employer practices in relation to employee records
 
As stated, in some circumstances, the handling of employee records in relation to current and former employment relationships by an employer is exempt from the National Privacy Principles (NPPs) (section 7B(3)).
 
Background to the exemption
 
At the time the private sector amendments passed through Parliament in December 2000, the Attorney-General stated that:
 
'While employee records deserve privacy protection, it is the Government's view that such protection is more properly a matter for Workplace Relations legislation ... The Government will review existing Commonwealth, State and Territory laws to consider the extent of privacy protection for employee records and whether there is a need for further regulation.'
 
In the meantime, the Federal Privacy Commissioner encourages employers to consider the privacy of their employee records even if their acts and practices in relation to them are covered by this exemption.
 
Must be employment related
 
To be exempt, an act or practice relating to the employee record must be directly related to the employment relationship.
 
This means that acts or practices of an employer that are outside the scope of the employment relationship are not exempt. For example, an employer could not sell a list of employees to another organisation for marketing purposes.
 
Current or former employment relationship
 
Also, the act or practice must be directly related to a current or former employment relationship. This does not cover future employment relationships.
 
This means that personal information collected from prospective employees who are subsequently not employed by an organisation, such as unsuccessful job applicants, will not be covered by the employee records exemption.
 
However, once an employment relationship is formed with an individual, the records the employer holds relating to that individual's pre-employment checks become exempt.
 
Employee records
 
An employee record means a record of personal information relating to the employment of the employee (section 6(1)). It includes health information about an employee and personal information relating to:
  • the engagement, training, disciplining, resignation or termination of employment of an employee
  • the terms and conditions of employment of an employee
  • the employee's performance or conduct; hours of employment; salary or wages; personal and emergency contact details
  • the employee's membership of a professional or trade association or trade union membership
  • the employee's recreation, long service, sick, maternity, paternity or other leave
  • the employee's taxation, banking or superannuation affairs.
Employers would not necessarily be able to assume that all the information they hold that relates to an individual employee would be an employee record. For example, emails that an employee has received from third parties outside the organisation may not necessarily be an employee record. Depending on the circumstances, the exemption may also not cover the content of many other employee emails.
 
Contractors of employers
 
This exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding those contractual arrangements.
 
In many circumstances, the employee records exemption may not apply to organisations that provide recruitment, human resource management services, medical, training or superannuation services under contract to an employer.
 
An organisation that collects employee records about a person from the organisation employing that person will have to comply with the notice requirements of NPP 1.
 
This exemption does not cover workers compensation insurers that are not the employer of an individual.
 
Privacy scenario
 
Consider the following hypothetical scenario concerning an employee who makes an informal complaint about harassment in the workplace. The complainant simply wants to inform HR that there is objectionable behaviour taking place. The complainant does not wish to carry the matter further at this stage and stresses a wish for it to remain informal. The complainant also wants to remain anonymous. The HR manager chooses to make a record of the information provided, for example, a diary entry. The next step is to have a low-key meeting with the person who is the alleged harasser with the aim of achieving a solution.
 
The alleged harasser then directly requests access to the private record and the name of the person who lodged the complaint.
 
So how does privacy law affect such a scenario? The answer is not clear. It could well come within the access rights of the National Privacy Principle extract below.
 
Questions arise such as: would providing the requested information to the alleged harasser create an unreasonable impact upon the privacy of other individuals? If not, the alleged harasser is entitled to see the record/document. This creates a potentially divisive and difficult scenario within the work group, as the initial complainant may feel that their trust has been breached and there may be difficulties between the complainant and the alleged harasser as a result.
 
It would seem that ways of managing these awkward situations may need to be reassessed if the privacy law is interpreted to allow access to file notes in the type of situation described.

Extract from National Privacy Principles re access by individual
 
"6 Access and correction
 
6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:
a. in the case of personal information other than health information - providing access would pose a serious and imminent threat to the life or health of any individual; or
b. in the case of health information - providing access would pose a serious threat to the life or health of any individual; or
c. providing access would have an unreasonable impact upon the privacy of other individuals; or
d. the request for access is frivolous or vexatious; or
e. the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings.
6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date.
 
6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation must take reasonable steps to do so.
 
6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information."
