16.08.2010
40.63 In response to DP 72, stakeholders raised a number of arguments in support of retaining the employee records exemption. These arguments are discussed below.
Management and the employment relationship
40.64 Some stakeholders submitted that the exemption strikes an appropriate balance between the interests of employers and those of employees.[121] The AIG and AEEMA argued, for example, that this balance should take into account the employer’s need to keep and utilise records for a wide range of legitimate business purposes.[122] When a person accepts employment with an organisation, it was suggested, he or she accepts that the employer will retain and use personal information for these purposes.[123]
40.65 Some stakeholders expressed concern that removing the employee records exemption would undermine the capacity of organisations to manage employees.[124] For example, Telstra submitted that removing the exemption, together with the introduction of the proposed statutory cause of action for a serious invasion of privacy,[125] would result in privacy claims that would either prevent an organisation from collecting employees’ personal information, or require organisations to disclose otherwise confidential and sensitive information. Such privacy claims, it was argued, would undermine and frustrate significantly a business’s capacity to deal with matters that would otherwise be regulated by the contract of employment.[126]
40.66 Another stakeholder submitted that removing the employee records exemption would restrict its routine management activities, such as the conduct of investigations, liaison with insurers and activities undertaken to comply with its statutory obligations under other legislation.[127] The ACCI stated that the employee records exemption provided employers with certainty, efficiency and flexibility in their human resources management practices. It argued that the removal of the exemption would undermine the ability of a business to manage its human capital effectively and would require changes in human resource management practices.[128]
40.67 Some stakeholders suggested that the special nature of the employment relationship, compared to other commercial relationships, justifies retaining the employee records exemption.[129] They argued that, unlike most relationships regulated by the NPPs, the employment relationship is ongoing,[130] is often fiduciary,[131] and places a range of unique duties and obligations on the parties, such as the obligation of mutual trust and confidence.[132]
40.68 The ACCI argued that, if the employee records exemption were removed, any unintentional mistakes made by employers in the handling of their employees’ personal information would diminish the relationship of trust and confidence between employers and employees.[133] Telstra submitted that removing the employee records exemption could affect adversely the sharing of personal information in the workplace in appropriate circumstances, such as the provision and administration of flexible work arrangements, team building exercises and personal development programs.[134]
Interaction with other legal obligations
40.69 Stakeholders noted that the employment relationship is subject to multiple laws relating to workplace relations, surveillance, whistleblowing and anti-discrimination.[135] Some employer groups submitted that employers handle employee records mostly for the purposes of complying with statutory requirements aimed at protecting the interests of employees.[136]
40.70 The handling of such records, it was argued, is an essential consequence of the employment relationship.[137] In particular, the collection, use and disclosure of health information about employees was said to be a necessary part of the employment contract.[138] Employers need to collect, use and disclose employees’ health information, for example, in order to fulfil their legal obligations to protect the health and safety of their employees and the public.[139]
40.71 Australian Business Industrial expressed concern that removing the employee records exemption could prevent employers from requiring employees to present medical certificates for the approval of paid personal leave. The Workplace Relations Act authorises, but does not require, an employer to collect a medical certificate from an employee for the purposes of approving the taking of paid personal leave by the employee.[140] Requirements concerning the collection of sensitive information could, it was submitted, prevent the collection of sensitive health information contained in a medical certificate.[141]
40.72 The Recruitment and Consulting Services Association Australia and New Zealand submitted that, if the employee records exemption were removed, specific exceptions should be enacted to permit an employer or a recruitment company to collect, use or disclose an individual’s personal health information without consent in certain circumstances—provided that the individual reasonably would expect the employer or recruitment company to handle such information for those purposes.[142]
40.73 Some employers contended that removing the employee records exemption could have an adverse impact on their ability to handle workers compensation claims and other associated employment-related litigation.[143] One stakeholder noted that it provided to its insurer personal information about its employees for the purpose of workers compensation claims on a regular basis. It argued that, if an employer were required to obtain the consent of the employee before disclosing such information, the insurance and rehabilitation approval process would be delayed significantly, to the detriment of the employee.[144]
Outsourcing arrangements
40.74 Optus noted that it is not uncommon for employers to outsource some of their employment-related activities to other companies. Examples of such outsourced activities included the recruitment of contractors and casual staff, the conduct of exit interviews and the provision of a salary package. Optus stated that there is uncertainty about whether the disclosure by employers of personal information about their employees to such companies would fall within the reasonable expectations of the employees. It suggested that removing the employee records exemption could prevent the exchange of information on a commercial-in-confidence basis in this context.[145]
Sale of businesses
40.75 The sale and purchase of a business may involve the collection and disclosure of personal information about different individuals, including employees, contractors, customers, trading partners and business associates.[146] Before the completion of a sale, the vendor may disclose such personal information to the prospective purchaser for the purposes of ‘due diligence’ investigations.[147]
40.76 Under existing law, the employee records exemption may apply to exempt the disclosure of employee records by a vendor organisation during the potential sale of its business. This would be the case where the disclosure relates directly to a current or former employment relationship between the vendor and the individual concerned.[148]
40.77 Some stakeholders considered that removing the employee records exemption would prevent an employer from disclosing personal information about employees to a potential purchaser of the employer’s business, and interfere substantially with a potential purchaser’s ability to conduct due diligence for the purposes of a business acquisition.[149]
40.78 Stakeholders submitted that prospective vendors of a business should be allowed to use and disclose employees’ personal information without the consent of the employees.[150] Employee records that would be relevant in this context include records concerning: time and wage records;[151] terms and conditions of employment,[152] including enterprise bargaining agreements, and applicable state and federal awards and agreements;[153] the level of leave entitlement;[154] details of trade unions of which employees are members;[155] records of claims made by employees;[156] potential issues related to OH&S or workers compensation;[157] and employees’ conduct that may give rise to potential legal actions, such as unfair dismissal or anti-discrimination claims.[158]
40.79 In DP 72, the ALRC expressed the view that an exception or exemption for the use and disclosure of employee records in the context of due diligence is not warranted because the vendor organisation can either disclose aggregate information that does not identify individual employees, or obtain the consent of the individual employee where it is necessary to disclose the employee’s personal information.[159]
40.80 In response, Telstra submitted that aggregated information about employees would be sufficient only for the early stages of a business transaction that involves the potential transfer of staff. It argued that, in order to complete the sale of the business, the vendor would have to disclose personal information about individual employees so that the potential purchaser may assess the quality or capability of the business and decide which employees to retain.[160]
40.81 The Motor Traders Association of NSW also submitted that prospective purchasers of a business and their lawyers, financial advisers and corporate advisers may need to review both aggregated and personal information about employees. It argued that, where the value of a business is linked directly to the expertise of its staff, more personal information about employees would need to be disclosed during the due diligence process than would otherwise be the case. Removal of the employee records exemption would have cost implications for the performance of due diligence inquiries.[161]
40.82 Some stakeholders expressed concern that it could be impractical, and in some cases, unlawful, for an employer to seek the consent of its employees to the disclosure of their personal information for the purposes of the potential sale of the employer’s business.[162] For example, GE Money Australia contended that it often would be impossible for an employer to seek such consent because there could be legal obligations or considerations of commercial sensitivity that would prevent an employer from disclosing the fact of a potential sale of the business.[163] The ACCI argued that:
The process of obtaining individual consent may not cause undue delay in a small business involving a few employees, but where large mergers and acquisitions of businesses occur, hundreds (and often thousands) of employees accept employment with the new employer. Delays and costs will undoubtedly ensue if each and every transferring employee is required to provide consent to disclose information contained in employment records.[164]
40.83 One stakeholder argued that if the employee records exemption were removed, there should be an exception to the ‘Use and Disclosure’ principle in the model UPPs to allow an organisation to disclose personal information to third parties for the purposes of due diligence as part of the sale of a business, or the transfer of employees as a result of the restructure of corporate entities.[165]
40.84 The OPC, in collaboration with the Law Council of Australia, has developed detailed guidance on the application of key NPPs to due diligence and completion for the sale and purchase of a business.[166] While the vendor’s handling of employee records in the course of the sale generally is exempt from the operation of the Privacy Act, the OPC’s guidance is relevant to a consideration of how personal information about employees should be handled after the removal of the exemption for two reasons:
the vendor’s handling of other personal information—such as the personal information of contractors, customers, trading partners and business associates—during the sale is not exempt from the operation of the Privacy Act; and
the employee records exemption does not apply to the actions of the prospective purchaser in its handling of the vendor’s employee records—unless and until it becomes the employer of the individual concerned.[167]
40.85 In the United Kingdom, the Data Protection Act 1998 (UK)—which does not contain an exemption for employee records—also has been the subject of guidance issued by the Information Commissioner’s Office (ICO) concerning mergers, acquisitions or business re-organisation.[168]
Regulatory burden and compliance costs
40.86 Stakeholders suggested that removing the employee records exemption would result in an additional regulatory burden and an increase in the costs of compliance for businesses.[169] The ABA, for example, noted the size and cost of tracking information collected about an employee from various sources within an organisation that is as large and complex as a bank. Further, such information may not be held centrally or in a readily retrievable form.[170]
40.87 The ACCI argued that, while education campaigns and funding would assist employers to understand regulatory changes, they would not reduce initial and ongoing compliance costs on businesses, such as legal advice, data storage, staff training and loss of productivity due to the need to deal with requests for access to personal information. The ACCI also submitted that any removal or modification of the exemption would involve a substantial increase in administrative resources, including the possibility that employers may have to appoint a dedicated privacy compliance officer.[171]
40.88 Another stakeholder stated that it regularly discloses information about its employees to a range of third parties, such as rehabilitation providers, employed medical practitioners and unions. It submitted that any requirement to obtain its employees’ consent each time it sought to use and disclose information about its employees other than for the primary purpose of its collection would significantly increase the cost and resources required to manage its business effectively.[172]
40.89 Some stakeholders expressed concern that removing the employee records exemption, together with the requirements under the ‘Cross-border Data Flows’ principle, would result in an additional regulatory burden for those organisations that transfer and hold internal human resources data overseas.[173] GE Money Australia noted that organisations that operate in a number of countries commonly maintain information about all their employees in a single system that may be hosted in one country. GE Money expressed concern that removing the employee records exemption, coupled with the requirements under the ‘Cross-border Data Flows’ principle, could impede the collection and recording of employees’ personal information in an accurate and efficient way.[174]
40.90 On the other hand, some stakeholders submitted that the additional costs of compliance resulting from removing the employee records exemption could be mitigated by certain factors.[175] The OPC submitted:
The Office understands that many large businesses already apply the privacy principles to their handling of employee records. For those businesses any removal of the exemption may not create an added compliance cost. Conversely for those businesses that do not currently apply the NPPs to their employee records there would be costs to implement and maintain a compliance regime.[176]
40.91 Similarly, AAMI submitted that, in practice, larger businesses already had procedures in place to ensure that their employees’ personal information would be treated in the same way as other personal information that was covered by the Privacy Act.[177]
40.92 The Office of the Information Commissioner (Northern Territory) submitted that ‘in the absence of clear evidence to the contrary … the extent of the additional costs to business of removal of the employee records exemption should not be assumed or overstated’. The Office stated that the increase in resources required to include private sector employee records within the existing scheme may be ‘marginal’, on the basis that:
since most businesses that are currently subject to the Privacy Act are required to handle personal information (other than employee records) in accordance with the Act, they already would have in place mechanisms for developing policies to implement the NPPs and procedures for dealing with complaints about breaches of the NPPs;
there is growing expertise in dealing with privacy issues within the workforce because of the extensive coverage of privacy legislation; and
removing the employee records exemption would simplify the structure of the Privacy Act, reducing the current costs of interpreting and applying the exemption.[178]
Application of the UPPs to existing employees
40.93 Some stakeholders suggested that, if the employee records exemption were removed, there would be administrative difficulties in obtaining the consent of existing employees to the handling of personal information by their employers.[179] It was suggested that the Privacy Act should not apply to existing employees because consent to the use and disclosure of their records could amount to a variation of the employment contract. Further,
If an employee refused to consent to his or her information being used or disclosed, for example, to monitor the employee’s conduct or performance, this could hinder [its] disciplinary procedures and compromise the safety of its employees.[180]
Privacy codes or non-binding guidelines
40.94 Some stakeholders supported promoting privacy protection of employee records through the use of non-binding best practice guidelines or privacy codes, rather than by removing the employee records exemption.[181] DEWR stated that guidelines were likely to be met with greater support from employer groups.[182] Another stakeholder submitted that guidelines would assist in ensuring fairness in workplace practices concerning the collection and utilisation of employees’ personal information, while privacy codes developed by organisations would be more flexible than legislation in that they could be tailored to meet the needs of a particular organisation.[183] In addition to guidelines and privacy codes, the ACCI also supported ‘the formulation of educational initiatives to better inform employers and employees of their rights and obligations regarding employee records’.[184]
[121] Confidential, Submission PR 529, 21 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.
[122] Legitimate business purposes were said to include: the efficient operation of the business; compliance with legal obligations, such as those under OH&S laws; obtaining information for staff recruitment and selection processes; facilitating staff development; identifying poor performance, or inappropriate or unlawful behaviour, by an employee; defending legal claims brought by employees and former employees; and conducting due diligence when businesses are being outsourced or sold: Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.
[123] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007.
[124] Confidential, Submission PR 536, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007.
[125] The statutory cause of action for invasion of privacy is discussed in Ch 74.
[126] Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[127] Confidential, Submission PR 536, 21 December 2007.
[128] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007. See also Australian Business Industrial, Submission PR 444, 10 December 2007.
[129] Confidential, Submission PR 529, 21 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[130] Confidential, Submission PR 536, 21 December 2007.
[131] Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[132] Confidential, Submission PR 536, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007. Case law characterises the employment relationship as a relationship of mutual trust and confidence: Malik v Bank of Credit & Commerce International SA (in liq) [1998] AC 20; Blaikie v South Australian Superannuation Board (1995) 65 SASR 85; Brackenridge v Toyota Motor Corporation Australia Ltd (1996) 142 ALR 99; Burazin v Blacktown City Guardian Pty Ltd (1996) 142 ALR 144; Jager v Australian National Hotels Pty Ltd (1998) 7 Tas R 437. Both the employer and the employee have a duty ‘not to abuse or destroy the relationship of trust’: R Owens and J Riley, The Law of Work (2007), 255.
[133] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.
[134] Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[135] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[136] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007.
[137] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007.
[138] Australian Business Industrial, Submission PR 444, 10 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[139] Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[140] Workplace Relations Act 1996 (Cth) s 254.
[141] Australian Business Industrial, Submission PR 444, 10 December 2007.
[142] Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[143] Confidential, Submission PR 536, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007. See also Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[144] Confidential, Submission PR 536, 21 December 2007.
[145] Optus, Submission PR 532, 21 December 2007.
[146] See Office of the Federal Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (2002), 1–2.
[147] ‘Due diligence’ is ‘the process of acquiring objective and reliable information on a person or a company as required, especially before a commercial acquisition’: Macquarie Dictionary (online ed, 2007). The collection, use and disclosure of employee records during due diligence may be protected by confidentiality agreements between vendors and prospective purchasers of the business: Optus, Submission PR 532, 21 December 2007.
[148] Privacy Act 1988 (Cth) s 7B(3).
[149] Optus, Submission PR 532, 21 December 2007; Confidential, Submission PR 529, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[150] Optus, Submission PR 532, 21 December 2007; Confidential, Submission PR 529, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[151] Confidential, Submission PR 529, 21 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[152] Confidential, Submission PR 529, 21 December 2007.
[153] Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[154] Confidential, Submission PR 529, 21 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.
[155] Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[156] Ibid.
[157] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.
[158] Ibid.
[159] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [36.83].
[160] Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[161] Motor Traders Association of NSW, Submission PR 429, 10 December 2007.
[162] GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 529, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007. See also Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.
[163] GE Money Australia, Submission PR 537, 21 December 2007.
[164] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.
[165] Confidential, Submission PR 529, 21 December 2007.
[166] Office of the Federal Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (2002).
[167] See Ibid, 3.
[168] United Kingdom Government Information Commissioner’s Office, The Employment Practices Code (2005).
[169] Confidential, Submission PR 536, 21 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007; IBM Australia, Submission PR 405, 7 December 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007 (endorsed by the National Australia Bank, Submission PR 408, 7 December 2007); Abacus–Australian Mutuals, Submission PR 174, 6 February 2007; Australian Retailers Association, Submission PR 131, 18 January 2007.
[170] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
[171] Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007.
[172] Confidential, Submission PR 536, 21 December 2007.
[173] GE Money Australia, Submission PR 537, 21 December 2007; Australian Information Industry Association, Submission PR 410, 7 December 2007; IBM Australia, Submission PR 405, 7 December 2007.
[174] GE Money Australia, Submission PR 537, 21 December 2007.
[175] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; AAMI, Submission PR 147, 29 January 2007.
[176] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[177] AAMI, Submission PR 147, 29 January 2007.
[178] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[179] Confidential, Submission PR 536, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007. Employee records include not only formal records held in a centralised and secure area, but also day-to-day operational records kept by an employee’s immediate manager, such as conversations about the employee’s performance and staff training records: Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.
[180] Confidential, Submission PR 536, 21 December 2007.
[181] Confidential, Submission PR 529, 21 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.
[182] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.
[183] Confidential, Submission PR 529, 21 December 2007.
[184] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.