Existing regulatory framework

34.11 Existing contractual and equitable principles may offer some level of privacy protection to individuals in a contract of employment. Employers have an implied duty of confidence and trust toward their employees.[7] This may include a duty to respect the confidentiality of genetic information obtained about an employee. It may preclude the employer from disclosing that information to third parties, such as insurance companies. While contractual duties will not apply to job applicants who do not enter into an employment relationship with the employer, the employer may still have an equitable duty to maintain the confidentiality of genetic information provided by them.[8]

34.12 At the federal level the collection, use, storage and disclosure of employees’ personal information is also regulated by the Privacy Act 1988 (Cth) (the Privacy Act). As discussed in Chapter 7, different privacy regimes apply to employment in the Commonwealth public sector, state and territory public sectors, and the private sector. The handling of employees’ personal information in the Commonwealth and Australian Capital Territory public sectors is regulated by the Information Privacy Principles set out in the Privacy Act. The Act does not apply to other state and territory government bodies, but employees in these organisations will be covered by state or territory privacy legislation where such legislation exists.

34.13 The handling of employees’ personal information in the private sector is now regulated under amendments to the Privacy Act, which came into force on 21 December 2001. Under the new legislation, private sector employers may choose to be bound by a privacy code approved by the Privacy Commissioner. In the absence of such a code, the National Privacy Principles in the legislation will apply. As discussed in Chapter 7, most small business operators are exempt from the operation of the Act under s 6C, but this does not include small business operators who provide health services and hold health information that is not contained in an employee record.

34.14 In relation to private sector employers who do not fall into the small business exemption and are therefore covered by the Privacy Act, s 7B(3) states:

An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:

(a) a current or former employment relationship between the employer and the individual; and

(b) an employee record held by the organisation and relating to the individual.

34.15 An ‘employee record’ is defined in s 6(1) of the Privacy Act as:

A record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:

(a) the engagement, training, disciplining or resignation of the employee;

(b) the termination of the employment of the employee;

(c) the terms and conditions of employment of the employee;

(d) the employee’s personal and emergency contact details;

(e) the employee’s performance or conduct;

(f) the employee’s hours of employment;

(g) the employee’s salary or wages;

(h) the employee’s membership of a professional or trade association;

(i) the employee’s trade union membership;

(j) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;

(k) the employee’s taxation, banking or superannuation affairs.

34.16 The House of Representatives Standing Committee on Legal and Constitutional Affairs delivered an Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, which included the following examples of how the exemption might operate in practice.

As a result of the exemption, an employer would be able to obtain information about sensitive issues such as health, criminal convictions or trade union membership from a previous employer or some other person without the employee being informed. This could also include information about disciplinary matters, financial records or health records … In the Committee’s view it is also important to note that, while the terms of the exemption offer some protection against disclosure by employers of employee information for commercial purposes, employee information may be disclosed to organisations for other reasons. An employer could, for example, provide personal information on all its employees to a superannuation fund for the purposes of securing superannuation benefits for its employees.[9]

34.17 The employee records exemption is limited in several ways. For example, it only applies to information held by an employer about its current and former employees, where that information is held in employee records, and its use or disclosure relates to the employment relationship with that employer. The exemption does not cover information held about applicants for employment who were unsuccessful and who, therefore, did not enter into an employment relationship. In addition, there is no exemption for employee records held in the public sector.

34.18 The Attorney-General’s Second Reading Speech on the Privacy Amendment (Private Sector) Bill 2000 included the following statement about the employee records exemption:

The bill also includes an exemption for employee records. An ‘employee record’ is defined to capture the types of personal information about employees typically held by employers on personnel and other similar files.

While this type of personal information is deserving of privacy protection, it is the government’s view that such protection is more properly a matter for workplace relations legislation.

It should be noted, however, that the exemption is limited to collection, use or disclosure of employee records where this directly relates to the employment relationship. This is designed to preclude an employer selling personal information contained in an employee record to a direct marketer, for example.[10]

34.19 Despite the government’s expressed preference for dealing with the privacy of an employee’s personal information in workplace relations legislation, the current provisions of the Workplace Relations Act 1996 (Cth) (WRA) have limited scope to protect the privacy of employee records. While regulations made under s 353A of the WRA[11] permit employees to access, copy and correct employee records, the ACTU has expressed concern that the provisions in the regulations are intended to cover ‘time and wages’ information and are not wide enough to cover the broad range of information, including health information, that may be collected as an ‘employee record’ under the Privacy Act.[12]

[7] See eg Blaikie v SA Superannuation Board (1995) 65 SASR 85.

[8] M Otlowski, Implications of Genetic Testing for Australian Employment Law and Practice (2001) Centre for Law and Genetics, Hobart [4.4.1].

[9] Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), House of Representatives, Parliament of the Commonwealth of Australia, Canberra [319].

[10] Commonwealth of Australia, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (The Hon Daryl Williams AM QC MP (Attorney-General)).

[11] Workplace Relations Regulations 1996 (Cth) rr 131K, 131L.

[12] Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), House of Representatives, Parliament of the Commonwealth of Australia, Canberra, 27.