Background

Current law

40.6 Section 6 of the Privacy Act defines ‘employee record’ to mean a record of personal information relating to the employment of the employee. Examples of such personal information include health information about the employee, and personal information about:

(a) the engagement, training, disciplining or resignation of the employee;

(b) the termination of the employment of the employee;

(c) the terms and conditions of employment of the employee;

(d) the employee’s personal and emergency contact details;

(e) the employee’s performance or conduct;

(f) the employee’s hours of employment;

(g) the employee’s salary or wages;

(h) the employee’s membership of a professional or trade association;

(i) the employee’s trade union membership;

(j) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;

(k) the employee’s taxation, banking or superannuation affairs.[4]

40.7 Acts and practices of an organisation are exempt from the operation of the Privacy Act if they are related directly to a current or former employment relationship.[5] Accordingly, the exemption does not apply to: acts and practices of an employer that are beyond the scope of the employment relationship;[6] the handling of personal information about unsuccessful job applicants;[7] and the handling of employee records by contractors and subcontractors to the employer.[8]

40.8 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) stated that:

The act or practice must be directly related to a current or former employer relationship so as to ensure that employers cannot use ‘employee records’ for commercial purposes unrelated to the employment context.[9]

40.9 The reason given for the employee records exemption was that:

While this type of personal information is deserving of privacy protection, it is the government’s view that such protection is more properly a matter for workplace relations legislation.[10]

40.10 The website of the Attorney-General’s Department (AGD) indicates that:

The potential also exists for Commonwealth privacy regulation of employee records to have unintended consequences where it intersects with State and Territory laws dealing with employee records.[11]

40.11 Currently, there is little privacy protection for private sector employees under the federal workplace relations regime. Regulations 19.18 and 19.19 of the Workplace Relations Regulations 2006 (Cth) allow employees to access certain records. This, however, only applies to records about conditions under which employees are hired, overtime and reasonable additional hours worked, remuneration, leave, superannuation contributions and termination.[12] It does not include other personal information that falls within the definition of ‘employee record’ in the Privacy Act, for example, employees’ health information, or their taxation or banking affairs. The regulations only require employers to maintain, provide access to, and correct records for official inspection for auditing purposes, rather than to protect the privacy of those records.[13] In addition, under the Workplace Relations Act 1996 (Cth), privacy protection is not a term that may be included in awards. As a consequence, the Australian Industrial Relations Commission does not have jurisdiction to make an award about privacy.[14]

40.12 At the state level, legislation only requires employers to maintain, and in most cases, provide an employee with access to, certain basic records about employees, such as time and wage records.[15] At common law, an employer is under a duty of mutual trust and confidence not to ‘conduct itself in a manner likely to destroy or seriously damage the relationship of confidence and trust between employer and employee’.[16] Professor Margaret Otlowski argues that,

existing contractual and equitable principles for maintaining confidentiality … may offer some protection to employees. However, such actions are in practice, costly to pursue (involving private litigation in the civil courts) and not easy to establish.[17]

40.13 There is no exemption for the handling of employee records by agencies under the Privacy Act. Australian Government and ACT agencies, therefore, are required to comply with the Information Privacy Principles (IPPs) when dealing with employee records.[18] Privacy legislation in New South Wales, Victoria and the Northern Territory also applies to employee records of public sector employees.[19] In Tasmania, public sector bodies, councils, the University of Tasmania, prescribed bodies, and contractors to these entities have to comply with the personal information protection principles under the Personal Information Protection Act 2004 (Tas) in dealing with employee information, subject to certain exceptions.[20] The Victorian Health Records Act 2001 also regulates the handling of health information, including information contained in employee records, by public and private sector entities.

40.14 A number of overseas jurisdictions—including the United Kingdom, Ireland, New Zealand and Hong Kong—do not exempt employee records from the operation of their privacy or data protection legislation. They do, however, commonly provide for exceptions to their data protection principles when dealing with personal information for the purposes of recruitment, appointments and contracts for the provision of services.[21] Some overseas privacy legislation also provides an exception for personal references relevant to an individual’s suitability for employment or appointment to office.[22]

40.15 There is no general exemption for employee records under the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD Guidelines), the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) issued by the European Parliament or the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.[23]

40.16 In 2001, the Article 29 Data Protection Working Party of the European Commission released its advisory opinion on the Privacy Amendment (Private Sector) Act 2000 (Cth). The Working Party stated that employee records often contain sensitive information and saw no reason to exclude them from the protection provided for sensitive information by National Privacy Principle (NPP) 10. Further, the Working Party observed that the exemption allows information about previous employees to be collected and disclosed to a third party (eg, a future employer) without the employee being informed.[24]

40.17 For the period from 21 December 2001 to 31 January 2005, the OPC indicated that 12% of all the NPP complaints closed by the Office as outside of its jurisdiction concerned the employee records exemption.[25] In 2005–06, the OPC received 2,000 inquiries concerning exemptions, of which 43% related to the employee records exemption.[26]

Previous inquiries

40.18 In 2000, the House of Representatives Standing Committee on Legal and Constitutional Affairs concluded an inquiry into the Privacy Amendment (Private Sector) Bill (2000 House of Representatives Committee inquiry). The 2000 House of Representatives Committee inquiry was not satisfied that existing workplace relations legislation provided adequate protection for the privacy of private sector employee records, and expressed ‘grave concerns’ about the exemption.[27]

40.19 The 2000 House of Representatives Committee inquiry stated that employees are in need of privacy protection because employers frequently hold a large amount of information about their employees, some of which can be extremely sensitive—such as health information, genetic test results, financial details and results of psychological testing conducted before employment. The inquiry acknowledged that there are competing considerations and that employers should be able to disclose some information to future employers, such as confidential references. It considered that a distinction could be drawn in the nature, but not the sensitivity, of the information that may be held in employee records. It was the inquiry’s view that employees are entitled to expect confidentiality of their workplace records given that they have little choice about providing information to their employers.[28]

40.20 A particular issue was whether the health information of employees should be covered by the Privacy Act. The 2000 House of Representatives Committee inquiry strongly objected to the inclusion of ‘health information’ in the definition of ‘employee record’. It also noted that this was inconsistent with the more specific protection given to health information and sensitive information elsewhere in the Privacy Amendment (Private Sector) Bill.[29]

40.21 In the opinion of the 2000 House of Representative Committee inquiry, most employee records should be given the protection of the NPPs. The inquiry therefore recommended that the definition of ‘employee records’ should be revised to exempt only a limited list of personal information from the operation of the Privacy Act. These included a record of personal information relating to: the engagement, training, disciplining or resignation of the employee; the termination of the employment of the employee; and the employee’s performance or conduct.[30]

40.22 In rejecting the recommendations by the 2000 House of Representatives Committee inquiry, the Australian Government stated that:

The regulation of employee records is an area that intersects with a number of State and Territory laws on workplace relations, minimum employment conditions, workers’ compensation and occupational health and safety, some of which already include provisions protecting the privacy of employee records. The Government considers that to attempt to deal with employee records in the [Privacy Amendment (Private Sector)] Bill might result in an unacceptable level of interference with those State and Territory laws, and a confusing mosaic of obligations.[31]

40.23 In their 2003 report, Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the National Health and Medical Research Council recommended that the Privacy Act should be extended to cover genetic information contained in employee records.[32] The ALRC and AHEC further recommended that the forthcoming inter-departmental review of employee privacy by the AGD and the Department of Employment and Workplace Relations (DEWR) should consider whether the Privacy Act should be amended to cover other forms of health information contained in employee records.[33]

40.24 In February 2004, the AGD and DEWR released a discussion paper on the privacy of employee records.[34] The discussion paper examined the current level of privacy protection for employee records under existing federal, state and territory laws. It also considered some privacy concerns about employee records and suggested options for enhancing privacy. These options included: retaining the exemption; abolishing or modifying the exemption; establishing specific employee records privacy principles; and protecting employee records in workplace relations legislation.[35] No final recommendations were made after the release of the discussion paper.

40.25 In its report, Workplace Privacy—Final Report (2005), the Victorian Law Reform Commission (VLRC) commented that ‘the operation of the employee records exemption leaves a significant gap in the privacy protection of workers’ personal information’.[36]

40.26 In April 2006, the Standing Committee of Attorneys-General agreed to establish a working group to advise ministers on options for improving consistency in privacy regulation, including workplace privacy.[37] In its response to the 2006 report by the Productivity Commission’s Taskforce on Reducing Regulatory Burdens on Business, the Australian Government stated that the working group would liaise with—and not duplicate the work of—the ALRC in this area.[38]

40.27 In November 2006, the House of Representatives Standing Committee on Legal and Constitutional Affairs released a report on the harmonisation of legal systems within Australia and between Australia and New Zealand. In its report, the Committee recommended that ‘the Australian Government highlight the issue of regulatory inconsistency in privacy regulation, including in the area of workplace privacy regulation’, in its submissions to the current Inquiry.[39]

EU adequacy and the APEC Privacy Framework

40.28 The European Union (EU) has not granted Australia ‘adequacy status’ under the EU Directive.[40] The OPC’s review of the private sector provisions of the Privacy Act (OPC Review) noted that there were continuing negotiations with the European Commission regarding the adequacy of the Privacy Act, especially in relation to the small business and employee records exemptions.[41] The OPC Review concluded that, although there was ‘no evidence of a broad business push’ for achieving EU adequacy, there may be long-term benefits for Australia in achieving such adequacy. The OPC Review therefore recommended that the Australian Government continue to work with the EU on this issue.[42] The Australian Government agreed with this recommendation.[43]

40.29 In addition, the OPC Review noted that the increase in cross-border data flows makes implementation of international privacy frameworks important. The OPC, therefore, also recommended that the Australian Government continue to work within APEC to implement the APEC Privacy Framework.[44]

40.30 In its inquiry into the Privacy Act in 2005, the Senate Legal and Constitutional References Committee (2005 Senate Committee privacy inquiry) noted with concern that current workplace relations legislation does not protect workplace privacy adequately, and recommended that this Inquiry examine the precise mechanisms under the Privacy Act to protect employee records.[45] It also recommended that the current Inquiry investigate possible measures that could assist Australia in achieving EU adequacy.[46] The Australian Government disagreed with this recommendation, on the basis that ‘international negotiations are a matter for the Australian Government and negotiations with the European Union are ongoing’.[47] The issue of EU adequacy is discussed further in Chapter 31.

[4] Privacy Act 1988 (Cth) s 6(1). This list was not intended to be exhaustive: Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), notes on clauses [22]. Some information held by employers relating to individual employees—for example, emails received by an employee from third parties—may not necessarily be an ‘employee record’: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 3.

[5] Privacy Act 1988 (Cth) ss 7(1)(ee), 7B(3).

[6] For example, employers cannot sell a list of employees for marketing purposes: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 3­–4. See also C v Commonwealth Agency [2005] PrivCmrA 3, in which the Privacy Commissioner determined that the disclosure of an employee record by an employer to the employer’s legal counsel in connection with proceedings that did not concern the employee was not an act that was related directly to the employment relationship, and therefore did not fall within the employee records exemption.

[7] Once an employment relationship is established, however, records of pre-employment checks on the individual employee become exempt: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 3.

[8] Ibid, 4. The Office of the Privacy Commissioner has stated that ‘in many circumstances, the employee records exemption may not apply to organisations that provide recruitment, human resource management services, medical, training or superannuation services under contract to an employer’: Office of the Privacy Commissioner, Coverage of and Exemptions from the Private Sector Provisions (Updated with Minor Amendments 27 November 2007), Information Sheet 12 (2001), 3–4.

[9] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [109].

[10] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General), 15752. See also Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 4, [109].

[11] Australian Government Attorney-General’s Department, Employee Records (2000) <www.ag.gov.au> at 8 May 2008.

[12]Workplace Relations Regulations 2006 (Cth) regs 19.7–19.14.

[13] Ibid ch 2, pt 2, divs 2–3. See also M Otlowski, ‘Employment Sector By-Passed by the Privacy Amendments’ (2001) 14 Australian Journal of Labour Law 169, 175.

[14]Workplace Relations Act 1996 (Cth) s 513. See also M Otlowski, ‘Employment Sector By-Passed by the Privacy Amendments’ (2001) 14 Australian Journal of Labour Law 169, 175.

[15] See, eg, Industrial Relations Act 1996 (NSW) s 129; Industrial Relations Act 1999 (Qld) ch 11 pt 1; Minimum Conditions of Employment Act 1993 (WA) pt 6; Industrial Relations Act 1984 (Tas) s 75. The New South Wales legislation does not provide for the right of an employee to access his or her records.

[16] Malik v Bank of Credit & Commerce International SA (in liq) [1998] AC 20 45–46; Blaikie v South Australian Superannuation Board (1995) 65 SASR 85; Brackenridge v Toyota Motor Corporation Australia Ltd (1996) 142 ALR 99; Burazin v Blacktown City Guardian Pty Ltd (1996) 142 ALR 144; Jager v Australian National Hotels Pty Ltd (1998) 7 Tas R 437.

[17] M Otlowski, ‘Employment Sector By-Passed by the Privacy Amendments’ (2001) 14 Australian Journal of Labour Law 169, 175.

[18] A slightly amended version of the Privacy Act 1988 (Cth) applies to ACT government agencies: Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth) s 23.

[19] Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2000 (Vic); Information Act 2002 (NT).

[20] Personal Information Protection Act 2004 (Tas) ss 3 (definition of ‘personal information custodian’), 10, sch 1, cl 2(1)(i)–(j).

[21] See, eg, Data Protection Act 1998 (UK) sch 7, cls 3, 4; Data Protection Act 1988 (Ireland) s 4(13); Personal Data (Privacy) Ordinance (Hong Kong) s 55.

[22] See, eg, Data Protection Act 1998 (UK) sch 7, cl 1; Privacy Act 1993 (NZ) s 29(1)(b); Personal Data (Privacy) Ordinance (Hong Kong) s 56.

[23] Article 8(2)(b) of the EU Directive, however,provides that processing of certain sensitive personal data may be allowed if it is ‘necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards’: European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 8(2)(b). The APEC Privacy Framework provides that when using personal information for employment purposes, employers may not need to comply with the principle that individuals be provided with mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information in certain situations: Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [20].

[24] European Union Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000, 5095/00/EN WP40 Final (2001), 4. One commentator suggests that this misstates the position in that the exemption does not allow a past employer to forward information to a prospective employer without informing the employee: P Ford, ‘Implementing the EC Directive on Data Protection—An Outside Perspective’ (2003) 9 Privacy Law & Policy Reporter 141, 145.

[25] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 328.

[26] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2005–30 June 2006 (2006), 27. There were no similar statistics in the OPC’s most recent annual report: see Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007).

[27] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [3.29].

[28] Ibid, [3.30]–[3.33].

[29] Ibid, [3.37].

[30] Ibid, [3.28], recs 5–7.

[31] Australian Government Attorney-General’s Department, Government Response to House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000) <www.ag.gov.au> at 1 August 2007. During the OPC’s review of the privacy sector provisions of the Privacy Act, a number of submissions and consultations commented on the employee records exemption, despite the fact that it was expressly excluded from the terms of reference for the Review: Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 285.

[32] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 34­–1.

[33] Ibid, Rec 34­–2.

[34] Australian Government Attorney-General’s Department and Australian Government Department of Employment and Workplace Relations, Employee Records Privacy: A Discussion Paper on Information Privacy and Employee Records (2004).

[35] Ibid, [4.15]­–[4.42]. The review of the Privacy Act by the Senate Legal and Constitutional References Committee expressed disappointment at the slow progress of the AGD and DEWR review, and considered the finalisation and release of the results of the review a matter of urgency: Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.35].

[36] Victorian Law Reform Commission, Workplace Privacy: Final Report (2005), [1.19].

[37] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 26.

[38] Australian Government, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business—Australian Government’s Response (2006), 26.

[39] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Harmonisation of Legal Systems within Australia and between Australia and New Zealand (2006), rec 25.

[40] See European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 14(b).

[41] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 74.

[42] Ibid, rec 17.

[43] Australian Government Attorney-General’s Department, Government Response to the Privacy Commissioner’s Report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2006), 4.

[44] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 17.

[45] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.36]–[7.38]; recs 13, 14.

[46] Ibid, rec 16.

[47] Australian Government Attorney-General’s Department, Government Response to the Senate Legal and Constitutional References Committee Report: The Real Big Brother: Inquiry into the Privacy Act 1988 (2006), 5.