Arguments for removing the exemption

Lack of privacy protection for employee records

40.34 Stakeholders noted that employers may hold sensitive personal information about their employees, such as health or financial information;[51] criminal convictions; and the results of pre-employment psychological testing.[52] Employees may be under economic pressure to provide personal information to their employers. This means that they have no effective choice but to provide such information.[53]

In many cases information is collected from employees as a condition of their employment; for example, health information, criminal charges or convictions and financial matters such as bankruptcy or garnishee of wages. The exemption allows this information to be disclosed to others in circumstances which could be very damaging to the individual.[54]

40.35 Concern was expressed about the existing lack of privacy protection for employee records. National Legal Aid submitted that the broad definition of ‘employee records’ in the Privacy Act means that employers may accumulate a considerable range of personal information about employees covering sensitive matters, such as health, drug tests and disciplinary issues, without being accountable for the way the information is handled.[55] The Centre for Law and Genetics suggested that there was a real potential for individuals to be harmed if such sensitive personal information was used or disclosed inappropriately.[56]

40.36 Several stakeholders raised particular concerns about the privacy of employees’ health information.[57] For example, the Victorian Office of the Health Services Commissioner stated that it has received many inquiries and complaints from employees about their health information being inappropriately collected or disclosed, or not being stored securely.[58] The Mental Health Legal Centre expressed concern about the release of information about a person’s mental health to prospective employers, which could affect their future job options. It noted that such information could include the fact that a potential employee was found not guilty on the grounds of mental impairment.[59] One stakeholder who opposed removing the employee records exemption indicated that it would support the exclusion of health information from the exemption, given the sensitive nature of health information.[60]

40.37 Some stakeholders noted gaps in the protection of employees’ privacy in legislation[61] and, in particular, the limited protection provided by the workplace relations legislation.[62] For example, the OPC observed that, in the Second Reading Speech for the Privacy (Private Sector) Amendment Bill, the then Attorney-General stated that employee records were ‘deserving of privacy protection’ but that such protection was ‘more properly a matter for workplace relations legislation’.[63] The OPC noted that, despite this statement, workplace relations legislation has not been amended to enhance the privacy protection of employee records.[64] Privacy NSW submitted that:

while the employee records exemption … was predicated on the idea that employee records would be protected under workplace relations legislation, the failure by the federal government to do so has left private sector employees in an information privacy void.[65]

40.38 National Legal Aid noted that access to employee records under the Workplace Relations Act was limited, and submitted that employees should have better access to their employment records.[66] In contrast, other stakeholders submitted that granting employees the right to access personal information in their personnel files could be problematic. One stakeholder submitted that allowing employees to access security-sensitive information contained in personnel files collected during background checks on the employee could jeopardise the security of the workplace.[67] The Australian Bankers’ Association Inc (ABA) submitted that certain categories of information in a workplace context should be excluded from the access regime under the Privacy Act, including investigation and management of workplace issues, and industrial relations activities where the information involved is not protected by a duty of confidence. The ABA argued that, where these categories of information are not excluded, employers may utilise external avenues to resolve issues.[68]

40.39 Some stakeholders contended that there is sufficient privacy protection for employees under existing federal and state laws, including laws concerning workplace relations, equal employment opportunity, anti-discrimination, occupational health and safety (OH&S), workers compensation, contracts and unfair dismissal.[69] The Australian Chamber of Commerce and Industry (ACCI) also suggested that, under the Workplace Relations Act and similar state and territory legislation, the keeping of certain employee records is regulated by a well-resourced inspectorate and employers could be subject to substantial penalties for non-compliance.[70]

40.40 Some stakeholders submitted that employers already handle employee records with care.[71] For example, the ABA advised that ‘each member bank has its own policies and practices in relation to the keeping, maintenance and control of and access to its employees’ records’.[72] UNITED Medical Protection stated that their human resources department operates on the basis of preserving employees’ confidentiality.[73] The ACCI submitted that the existence of the employee records exemption does not mean that employers would not have adequate safeguards in place to protect employee records from misuse or exploitation.[74]

40.41 Some stakeholders noted that the employee records exemption is limited in its scope,[75] and strongly objected to narrowing the scope of the exemption.[76] DEWR stated that limiting the scope of the exemption,

for instance, by retaining some of the NPPs for employee records or restricting the exemption by excluding sensitive information from it, would only contribute to the complexity of the privacy framework.[77]

40.42 The ACCI noted that the exemption was confined to records of current or former employees that were related directly to the employment relationship. It submitted that, where the exemption does not apply, any misuse of personal information could have two adverse consequences for employers. First, it potentially would expose the employer to common law actions, such as breach of the implied duty of mutual trust and confidence, the tort of negligence and breach of contract. Secondly, handling personal information inappropriately could damage the reputation and goodwill of a business. These two potential consequences helped to ensure that businesses handle personal information about employees appropriately.[78]

Level of complaint

40.43 A significant number of complaints closed by the OPC as falling outside its jurisdiction concern the employee records exemption.[79] Stakeholders also submitted that experience in other jurisdictions shows that employees need to exercise privacy rights.[80] Privacy NSW receives a significant number of complaints by, and inquiries from, employees against public sector agencies in New South Wales and stated that:

10% of internal review applications conducted in 2005–06 related to employee records. In addition 4.5% of complaints and 5.5% of enquiries received by [Privacy NSW] in the same year related to employee records. From this it is clear that employees in NSW have concerns about the way their personal information has been dealt with by their employers.[81]

40.44 The Cyberspace Law and Policy Centre stated that the high number of complaints concerning employee records was unsurprising because the consequences of misuse could be serious and far-reaching in an employment context.[82] Individuals expressed concern, for example, about: résumés containing personal information, including tax file numbers, being misused;[83] employers making inquiries about their employees without the employees’ permission;[84] and recruitment companies collecting information from previous employers.[85]

40.45 Other stakeholders maintained that there is no evidence of any systemic problems or detriments caused by the exemption that justifies its removal.[86] For example, DEWR stated that submissions to the AGD and DEWR’s discussion paper on employee records privacy ‘did not disclose any significant detriment caused by the employee records exemption that warranted changing the status quo and imposing additional compliance costs on business’.[87]

40.46 The ACCI submitted that the onus should be on those parties who wished to alter the status quo to provide evidence that the exemption should be removed. The ACCI did not consider that the number of inquiries made to the OPC constitutes sufficient evidence that employers are handling personal information about employees inappropriately.[88] The Australian Industry Group (AIG) and the Australian Electrical and Electronic Manufacturers’ Association (AEEMA) submitted that mandatory regulation only should be considered if there is widespread abuse and if other measures such as education are ineffective.[89] Telstra submitted that, if there are concerns that employee records have not been handled properly, workplace relations legislation should be reformed to address those concerns in a manner that is consistent with other employment-related legislation.[90]

Differential treatment between public and private sectors

40.47 Stakeholders expressed concern that the Privacy Act protects the records of public sector employees but not those employed in the private sector.[91] This differential treatment is highlighted by the handling of employee records by Australian Government agencies that are subject to the IPPs in their non-commercial activities and the NPPs in their commercial activities. Australia Post, for example, noted that:

staff who are employed by Australia Post in connection with its commercial activities do not have the same rights of access to their employment records under the law as their colleagues who are employed by the Corporation with its non-commercial activities.[92]

40.48 Stakeholders observed that it seems wrong for the privacy rights of public sector employees to be different from those in the private sector.[93] The Australian Council of Trade Unions stated that:

The moral case for employers being required to respect the confidentiality of information acquired by them about their employees in the course of the latter’s employment seems unassailable. It is consistent with the common law duty of trust and confidence which courts have found employers to owe their employees, including in respect of information provided by employees.[94]

40.49 The Office of the Victorian Privacy Commissioner (OVPC) highlighted that, ‘besides simple equity’, the repeal of the employee records exemption is desirable because

Australia’s workforce is increasingly mobile, and an agile economy should encourage that mobility. Many employees will operate in the private sector and as contracted service providers to government in outsourcing arrangements. Privatisation may take a workforce from a public sector to a private sector environment. The human resources management aspects of these kinds of factors, in practice, are likely to be simplified if basic privacy protection standards apply consistently across all sectors and across borders.[95]

40.50 Other stakeholders did not consider that the differential treatment of employee records in the public and private sectors is a sufficient reason for removing the employee records exemption.[96] For example, Australian Business Industrial submitted that:

private industry and public sector agencies have very different stakeholders, objectives and operative environments, and it is neither appropriate nor fair to compare or expect consistency for the sake of consistency.[97]

Regulatory inconsistency and fragmentation

40.51 Some stakeholders submitted that retaining the employee records exemption likely would lead to further fragmentation of privacy regulation in states that have enacted legislation regulating the area of workplace privacy.[98] These stakeholders were of the view that, in the interests of national consistency, the Privacy Act should apply to the personal information of employees in place of existing state legislation in this area.[99]

40.52 Stakeholders submitted that removing the employee records exemption would help promote national consistency in privacy regulation.[100] The OPC noted, in particular, that sensitive information—including that held by employers about their employees—should be covered fully by the Privacy Act.[101]

40.53 The OVPC submitted that removing the exemption also would promote consistency among federal and state privacy commissioners and other relevant authorities in dealing with employee records matters.[102] The Queensland Government stated that the ALRC’s proposal to remove the employee records exemption, together with the proposed removal of the small business exemption, would address both a gap in privacy coverage and ensure national consistency.[103]

40.54 In contrast, other stakeholders expressed concern that removing the employee records exemption would create another layer of regulation.[104] The Australian Retailers Association, for example, submitted that ‘abolishing the employee records exemption within the Privacy Act only would increase the complexity of the Act and cause confusion’.[105] The ACCI stated that subjecting employers to the Privacy Act in their handling of employee records would add to existing multiple regulation in the employment area, including OH&S, workers compensation, equal employment opportunity and unfair dismissal.[106] The ACCI also expressed concern that:

State and Territory privacy legislation is not consistent with the Commonwealth Act and ultimately leads to uncertainty. ACCI advocates that an employee records exemption is so fundamental that it should not only be retained, but also applied at the State and Territory level.[107]

40.55 The Motor Traders Association of NSW submitted that the complexity of privacy regulation of health information in Australia would cause problems for employers within the motor vehicle industry involving, for example, pre-employment medical examinations, medical certificates and other medical records, drug and alcohol testing, communicable diseases in the workplace, and the transfer of employees’ health records where businesses are transferred. The problems could include:

• increased compliance costs, particularly where businesses are conducted across jurisdictional boundaries;

• confusion about which regime regulates particular businesses;

• forum shopping to exploit differences in regulation; and

• uncertainty among consumers (both employer and employees) about their rights and obligations.[108]

International standards and overseas jurisdictions

40.56 Some stakeholders submitted that compatibility with international standards and overseas jurisdictions should be a factor in considering whether the employee records exemption should remain.[109] The New Zealand Privacy Commissioner noted the desirability of trans-Tasman compatibility, which could be facilitated, for example, by ‘a seamless application of privacy protections for the information of prospective employees applying for work in the other country’, or ‘former employees after they return home’.[110]

40.57 Other stakeholders noted that the employee records exemption is an obstacle to the EU determining that Australia’s privacy laws are adequate for the purposes of cross-border data flows under the EU Directive.[111] Professor Graeme Greenleaf, Nigel Waters and Associate Professor Lee Bygrave noted that the Article 29 Working Party has expressed concern that human resource data often were traded across borders and often contained sensitive information. Although there were no empirical data on the quantity and nature of information flows from Europe to Australia,

there can be little doubt that personal data are being transferred along this channel and that at least some of these relate to current or past employment matters, and are, in addition, sensitive.[112]

40.58 The OVPC submitted that the removal of the employee records exemption would increase the likelihood of Australia achieving EU adequacy.[113] The Public Interest Advocacy Centre (PIAC) submitted that the employee records exemption also was likely to be an obstacle to any assessments of adequacy under the privacy law of other countries and other privacy instruments, such as the APEC Privacy Framework.[114]

40.59 While supportive of the ALRC’s proposal to remove the employee records exemption, the Australasian Compliance Institute stated that the removal of the exemption needed to be reconciled with other legislative requirements, such as those under workplace relations legislation. It submitted that any reform should balance the interests of the individual with the need of the organisation to operate effectively.[115]

Other benefits of removing the exemption

40.60 The OPC noted that, in its 2007 survey on the Australian community’s attitude towards privacy, 86% of the respondents considered that employees should have access to their personal information held by their employers.[116] It submitted that removing the employee records exemption would reflect community expectations.[117] In addition, the OPC stated that removing the exemption could have a number of other benefits, including:

  • offering an appropriate balance between the interests of the parties, just as it offers such a balance between organisations and their customers

  • providing a minimum set of standards for privacy protection of employee records, consistent with protection of an employee’s rights as a private citizen

  • providing certainty about rights and obligations for employers and employees

  • eliminating regulatory difficulties in interpreting the exemption

  • providing access to a conciliation-based complaints process through the Office of the Privacy Commissioner.[118]

40.61 The OVPC submitted that removing the exemption would promote a wider awareness and acceptance of privacy laws by private sector employees handling consumers’ personal information. Further, it would result in better corporate decision-making and accountability, because privacy principles require improved information-handling practices. In addition, removing the exemption would standardise personal information-handling practices, which would be desirable in light of technologies such as email, DNA testing, radio frequency identification, and various workplace security and authentication measures using biometrics.[119]

40.62 Australia Post suggested that removing the exemption also could result in the streamlining and standardisation of work flows, and a reduction in costs relating to information technology, staff training and compliance.[120]

[51] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; ACTU, Submission PR 155, 31 January 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[52] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[53] Ibid; Privacy NSW, Submission PR 468, 14 December 2007; ACTU, Submission PR 155, 31 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[54] ACTU, Submission PR 155, 31 January 2007.

[55] National Legal Aid, Submission PR 521, 21 December 2007. See also H Fisher, Submission PR 582, 31 March 2008.

[56] Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[57] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Mental Health Legal Centre Inc, Submission PR 184, 1 February 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[58] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[59] Mental Health Legal Centre Inc, Submission PR 184, 1 February 2007.

[60] Confidential, Submission PR 529, 21 December 2007.

[61] Privacy NSW, Submission PR 468, 14 December 2007; Law Institute of Victoria, Submission PR 200, 21 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; ACTU, Submission PR 155, 31 January 2007; UNITED Medical Protection, Submission PR 118, 15 January 2007.

[62] Privacy NSW, Submission PR 468, 14 December 2007; Law Institute of Victoria, Submission PR 200, 21 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[63] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; citing Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General), 15752.

[64] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[65] Privacy NSW, Submission PR 468, 14 December 2007.

[66] National Legal Aid, Submission PR 521, 21 December 2007. See also H Fisher, Submission PR 582, 31 March 2008.

[67] Confidential, Submission PR 536, 21 December 2007.

[68] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[69] Confidential, Submission PR 536, 21 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Retailers Association, Submission PR 131, 18 January 2007.

[70] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[71] Motor Trades Association of Australia, Submission PR 470, 14 December 2007; ANZ, Submission PR 467, 13 December 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007 (endorsed by the National Australia Bank, Submission PR 408, 7 December 2007); Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; UNITED Medical Protection, Submission PR 118, 15 January 2007.

[72] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007 (endorsed by the National Australia Bank, Submission PR 408, 7 December 2007).

[73] UNITED Medical Protection, Submission PR 118, 15 January 2007.

[74] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[75] Optus, Submission PR 532, 21 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.

[76] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.

[77] Ibid.

[78] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.

[79] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[80] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[81] Privacy NSW, Submission PR 468, 14 December 2007.

[82] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[83] Confidential, Submission PR 535, 21 December 2007.

[84] Confidential, Submission PR 374, 5 December 2007.

[85] D Collins, Submission PR 369, 4 December 2007.

[86] Optus, Submission PR 532, 21 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Abacus–Australian Mutuals, Submission PR 174, 6 February 2007; UNITED Medical Protection, Submission PR 118, 15 January 2007.

[87] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007, referring to Australian Government Attorney-General’s Department and Australian Government Department of Employment and Workplace Relations, Employee Records Privacy: A Discussion Paper on Information Privacy and Employee Records (2004).

[88] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.

[89] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007.

[90] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[91] Government of Victoria, Submission PR 288, 26 April 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; Australia Post, Submission PR 78, 10 January 2007.

[92] Australia Post, Submission PR 78, 10 January 2007.

[93] ACTU, Submission PR 155, 31 January 2007; AAMI, Submission PR 147, 29 January 2007.

[94] ACTU, Submission PR 155, 31 January 2007.

[95] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. See also Government of Victoria, Submission PR 288, 26 April 2007.

[96] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007 (endorsed by Motor Traders Association of NSW, Submission PR 429, 10 December 2007).

[97] Australian Business Industrial, Submission PR 444, 10 December 2007.

[98] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Telstra, Submission PR 185, 9 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[99] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Telstra, Submission PR 185, 9 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[100] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[101] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The OPC argued, however, that the employee records held by small business operators should remain exempt because there were ‘clear and compelling’ policy reasons for retaining the small business exemption. The small business exemption is discussed in Ch 39.

[102] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[103] Queensland Government, Submission PR 490, 19 December 2007.

[104] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007.

[105] Australian Retailers Association, Submission PR 131, 18 January 2007.

[106] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.

[107] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007. The ACCI also noted that, given changes to the workplace relations system brought about by the passage of the ‘Work Choices’ legislation and further change subsequent to the change of government in the November 2007 election, reform of the employee records exemption should not be considered at this time.

[108] Motor Traders Association of NSW, Submission PR 429, 10 December 2007.

[109] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; New Zealand Privacy Commissioner, Submission PR 128, 17 January 2007.

[110] New Zealand Privacy Commissioner, Submission PR 128, 17 January 2007.

[111] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[112] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[113] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[114] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[115] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[116] See Wallis Consulting Group, Community Attitudes Towards Privacy 2007 [prepared for the Office of the Privacy Commissioner] (2007), 52.

[117] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[118] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[119] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[120] Australia Post, Submission PR 445, 10 December 2007.