Workplace Privacy has come to focus recently, in light of the recent fifth annual “Privacy Awareness Week” in Australia, an event organised by the Office of the Australian Information Commissioner to raise awareness about the country’s regulation of how businesses and agencies deal with private personal information.
The manner in which businesses and government agencies in Australia collect, use and disclose personal information is governed by the Privacy Act 1988 (Cth) (“Privacy Act”); in particular, by the 13 Australian Privacy Principles (“APPs”) set out within this legislation. Given the Privacy Act reads at a hefty 414 pages, it is little surprise that many employers in Australia are unfamiliar with their workplace privacy obligations – or if these obligations even apply to their business.
In this article, we provide a crash course on the Privacy Act, and consider (a) what are the APPs, (b) what businesses are bound to follow the APPs, and (c) the relationship between privacy law and employment law so that you an better understand your workplace privacy obligations.
To whom do the APPs apply?
The APPs apply to organisations defined as an “APP entity” by section 15 of the Privacy Act. This includes federal government agencies and “organisations”, which is broadly defined and may refer to an individual, body corporate, partnership, unincorporated association or trust. However, the APPs do not apply to “small business operators”, being operators of a business with an annual turnover of less than $3,000,000; registered political parties; and state of territory authorities, who are governed by state-based privacy laws.
Despite the “small business operator” exemption, there are a number of small businesses that are required to comply with the APPs nonetheless, if they:
- provide a health service or hold health information;
- disclose or collect personal information for a benefit, service or advantage (i.e. a business that sells customer lists to a marketing company);
- are related to another company which has an annual turnover above $3,000,000;
- are a credit reporting body; or
- are contracted to provide services to a Commonwealth agency.
What information is covered by the Privacy Act?
This article will refer to two types of information that are the subject of the provisions of the APPs – “personal information” and “sensitive information”.
Personal information is broadly defined by the Privacy Act as:
“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
-
whether the information or opinion is true or not; and
-
whether the information or opinion is recorded in a material form or not.”
Common classes of personal information include an individual’s name, contact details, date of birth, and employment details.
The Privacy Act offers a higher level of protection to “sensitive information”, and imposes additional obligations as to how APP entities collect, use and disclose such information. Sensitive information includes information about an individual’s personal characteristics, such as their race, sexual orientation, criminal record, membership of a trade union, and political and religious views; in addition to the individual’s health, genetic, and biometric information.
Obligations under the Privacy Act
The 13 APPs are the cornerstone of the privacy protection framework established by the Privacy Act, and broadly govern rights and obligations with respect to the collection, use and disclosure of personal information; the accountability of APP entities; the integrity and correction of personal information; and the rights of individuals to access personal information held by an APP entity. Broadly, the APPs comprise of the following principles:
Title | Purpose |
APP 1: Open and transparent management of personal information
|
APP 1 requires that APP entities manage personal information in an open and transparent way. Under APP 1, an APP entity must implement and maintain a privacy policy that outlines how the organisation collects, holds, deals with and discloses personal information. An entity must provide a copy of this policy to individuals upon request. |
APP 2: Anonymity and pseudonymity
|
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Multiple exceptions apply where it is impractical to allow anonymity. |
APP 3: Collection of solicited personal information
|
Prescribes that an APP entity may only request to collect personal information from an individual where it is reasonably necessary to do so.
APP 3 further stipulates that “sensitive information” may only be collected with the individual’s consent, or as required by law. |
APP 4: Dealing with unsolicited personal information | APP 4 prescribes that an APP entity that receives unsolicited personal information must destroy or deidentify that information, unless the entity would have had grounds to collect that information under APP 3. |
APP 5: Notification of the collection of personal information | Requires APP entities to notify an individual at or before the time of collection of “prescribed matters”, including the individual’s rights under the Privacy Act and a link to the entity’s privacy policy. |
APP 6: Use or disclosure of personal information | Prohibits APP entities from using or disclosing personal information other than for the purpose for which it was collected. A number of exceptions apply, including where the individual has consented to a secondary use or disclosure, or the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose. |
APP 7: Direct marketing
|
Generally prohibits the use of personal information for direct marketing purposes unless the individual has consented to, or would reasonably expect their information being used for this purpose. APP entities must ensure adequate “opt-out” mechanisms are in place to recipients of such marketing communications. |
APP 8: Cross-border disclosure of personal information | Imposes obligations on APP entities to adhere to the APPs in relation to disclosure of personal information to overseas recipients. APP 8 further prescribes that APP entities are liable for any breach of the APPs made by the overseas entity.
Significantly, APP 8 has the effect that entities operating outside of Australia will be subject to the conditions of the Privacy Act if they have an “Australian link” – for instance, if the entity was formed in Australia or otherwise carries on a business and collects or holds personal information in Australia. |
APP 9: Adoption, use or disclosure of government related identifiers
|
Outlines the limited circumstances when an organisation may adopt a government related identifier (such as a tax file number or licence number) of an individual, or use or disclose a government related identifier of an individual. |
APP 10: Quality of personal information
|
APP 10 imposes an obligation on APP entities to take reasonable steps to ensure the personal information it collects, uses, holds and discloses is accurate, up to date and complete. |
APP 11: Security of personal information
|
Requires APP entities to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. |
APP 12: Access to personal information
|
States that APP entities must, upon request, provide an individual with access to the personal information the entity holds in relation to that individual. Limited exceptions apply. |
APP 13: Correction of personal information | Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals. |
Workplace privacy obligations and the employee records exemption
Broadly, personal information relating to employees is excluded from the ambit of the Privacy Act, and APP entities engaging in the collection and maintenance of ‘employee records’ need not comply with the APPs while undertaking that exercise. An ‘employee record’ refers to a record of personal information relating to the employment of an employee, and may include health information, terms and conditions of employment, performance or conduct, periods of leave and memberships of trade unions or professional bodies.
To best understand workplace privacy, it is important to understand when the exemption applies. In order for the employee record exemption to apply, the following must be satisfied:
- the employer is engaging in an act or practice of ‘holding’ an individual’s personal information;
- that is ‘directly related’ to;
- a current or former employment relationship between the employer and an individual.
It is clear from these requirements that the employee record exemption does not give employers carte blanche to collect and handle personal information about its workers. Specifically, employers (other than exempt small business operators) must continue to comply with the APPs when collecting:
- personal information about prospective employees, unless and until such time as they are employed by the employer;
- personal information about workers that are not employees, such as independent contractors, company officers, interns or volunteers, as they are not covered by the employee records exemption; and
- personal information which does not directly relate to the employee’s employment.
Workplace privacy in practice
The scope of the employee records exemption has been examined by the Court on a number of occasions.
In Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (“Lee”), the Full Bench of the Fair Work Commission considered whether an employer’s introduction of fingerprint scanning devices to record employee attendance at work fell within the ambit of the employee records exemption.
In this case, Mr Lee lodged an unfair dismissal claim against Superior Wood Pty Ltd (“Company”) after he was dismissed for refusing to comply with a direction to sign on and off of shifts with the fingerprint scanner. Given biometric data falls within the definition of ‘sensitive information’ under the Privacy Act, Mr Lee argued that the employer records exemption did not apply, and therefore that the Company required his consent to obtain this data. Conversely, the Company argued that the data was directly related to Mr Lee’s employment, and therefore subject to the scope of the exemption – meaning that the Company did not require his consent to obtain this information.
In its decision, the Full Bench gave particular significance to the concept of an employer ‘holding’ records in relation to an employee’s personal information, finding that “a record is not held if it has not yet been created or is not yet in the possession or control of the organisation”. As the Company was actually creating the records in question, the Full Bench held that the employee records exemption did not apply to the collection of this information, although, curiously, that the exemption would then be enlivened once the information was collected.
In the context of this matter, this meant a finding that Mr Lee was entitled to refuse to consent to the information being collected, and therefore that he had been unfairly dismissed by the Company on the basis of this refusal.
Another element of the employee records exemption that has been subject to judicial consideration is the ‘direct relevance’ test – unless a record is directly relevant to the employment, the exemption will not apply.
In QF & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (“Spotless”), the Office of the Australian Information Commissioner (“Commissioner”) ordered Cleanevent, a subsidiary of Spotless Group Limited, to pay $60,000 compensation to 14 current and past employees for breaching their privacy.
The privacy breach occurred when Cleanevent sent random lists of the names of some of its employees to the Australian Workers’ Union, including a collection of members and non-members of the Union. When the employees discovered the lists had been sent without their consent, they made a complaint to the Commissioner about the disclosure of their personal information.
Cleanevent attempted to rely on the employee records exemption; however, this argument was rejected by the Commissioner. In the decision, the Commissioner held that, in order to be “directly related” to an employee’s employment, there needed to be an “absolute, exact or precise connection” between the use or disclosure of the information and the employment relationship – in Spotless, the Commissioner ruled that this threshold was not satisfied.
Although the employee records exemption may seem expansive and broad, the decisions in Lee and Spotless present a reminder to employers that this exemption does not offer businesses the unfettered right to deal with personal information belonging to its employees in whatever manner it sees fit.
Final thoughts on workplace privacy obligations
The world of privacy obligations can be difficult to navigate, especially workplace privacy, and costly to get wrong.
Employers that do not fall within the scope of the ‘small business operator’ exemption should review their operations for compliance with the Privacy Act on a regular basis. We recommend that such reviews should encompass the following matters:
- Is the business exempt from the principles and obligations of the APPs?
- Does the business have an up-to-date privacy policy, which is available to individuals upon request?
- What personal information is the business collecting, using, disclosing, or otherwise maintaining?
- Does the business collect or deal with any sensitive information?
- If the information relates to an employee – does the information directly relate to the employee’s employment with the business?
- Does the business deal with personal information of contractors, agents, interns, prospective employees, or volunteers?
- How does the business ensure the personal information it stores is secure and accurate?
For all other businesses that are covered by the Privacy Act, we recommend that they regularly audit compliance with the requirements of the APPs, and ensure that they are doing so in relation to information collected from or regarding prospective employees, volunteers, contractors and any other workplace participants who are not employees.
We are hosting a breakfast seminar on Wednesday, 8 June 2022 for our clients in Sydney, at which we will further discuss employers’ privacy obligations. If you would like further information regarding this seminar, or otherwise wish to discuss any aspect of this client alert or require specialist advice or assistance in relation to this article, please do not hesitate to contact the writers.
This alert is not intended to constitute, and should not be treated as, legal advice.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.