Background

Current law

40.6 Section 6 of the Privacy Act defines ‘employee record’ to mean a record of personal information relating to the employment of the employee. Examples of such personal information include health information about the employee, and personal information about:

(a) the engagement, training, disciplining or resignation of the employee;

(b) the termination of the employment of the employee;

(c) the terms and conditions of employment of the employee;

(d) the employee’s personal and emergency contact details;

(e) the employee’s performance or conduct;

(f) the employee’s hours of employment;

(g) the employee’s salary or wages;

(h) the employee’s membership of a professional or trade association;

(i) the employee’s trade union membership;

(j) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;

(k) the employee’s taxation, banking or superannuation affairs.^[4]

40.7 Acts and practices of an organisation are exempt from the operation of the Privacy Act if they are related directly to a current or former employment relationship.^[5] Accordingly, the exemption does not apply to: acts and practices of an employer that are beyond the scope of the employment relationship;^[6] the handling of personal information about unsuccessful job applicants;^[7] and the handling of employee records by contractors and subcontractors to the employer.^[8]

40.8 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) stated that:

The act or practice must be directly related to a current or former employer relationship so as to ensure that employers cannot use ‘employee records’ for commercial purposes unrelated to the employment context.^[9]

40.9 The reason given for the employee records exemption was that:

While this type of personal information is deserving of privacy protection, it is the government’s view that such protection is more properly a matter for workplace relations legislation.^[10]

40.10 The website of the Attorney-General’s Department (AGD) indicates that:

The potential also exists for Commonwealth privacy regulation of employee records to have unintended consequences where it intersects with State and Territory laws dealing with employee records.^[11]

40.11 Currently, there is little privacy protection for private sector employees under the federal workplace relations regime. Regulations 19.18 and 19.19 of the Workplace Relations Regulations 2006 (Cth) allow employees to access certain records. This, however, only applies to records about conditions under which employees are hired, overtime and reasonable additional hours worked, remuneration, leave, superannuation contributions and termination.^[12] It does not include other personal information that falls within the definition of ‘employee record’ in the Privacy Act, for example, employees’ health information, or their taxation or banking affairs. The regulations only require employers to maintain, provide access to, and correct records for official inspection for auditing purposes, rather than to protect the privacy of those records.^[13] In addition, under the Workplace Relations Act 1996 (Cth), privacy protection is not a term that may be included in awards. As a consequence, the Australian Industrial Relations Commission does not have jurisdiction to make an award about privacy.^[14]

40.12 At the state level, legislation only requires employers to maintain, and in most cases, provide an employee with access to, certain basic records about employees, such as time and wage records.^[15] At common law, an employer is under a duty of mutual trust and confidence not to ‘conduct itself in a manner likely to destroy or seriously damage the relationship of confidence and trust between employer and employee’.^[16] Professor Margaret Otlowski argues that,

existing contractual and equitable principles for maintaining confidentiality … may offer some protection to employees. However, such actions are in practice, costly to pursue (involving private litigation in the civil courts) and not easy to establish.^[17]

40.13 There is no exemption for the handling of employee records by agencies under the Privacy Act. Australian Government and ACT agencies, therefore, are required to comply with the Information Privacy Principles (IPPs) when dealing with employee records.^[18] Privacy legislation in New South Wales, Victoria and the Northern Territory also applies to employee records of public sector employees.^[19] In Tasmania, public sector bodies, councils, the University of Tasmania, prescribed bodies, and contractors to these entities have to comply with the personal information protection principles under the Personal Information Protection Act 2004 (Tas) in dealing with employee information, subject to certain exceptions.^[20] The Victorian Health Records Act 2001 also regulates the handling of health information, including information contained in employee records, by public and private sector entities.

40.14 A number of overseas jurisdictions—including the United Kingdom, Ireland, New Zealand and Hong Kong—do not exempt employee records from the operation of their privacy or data protection legislation. They do, however, commonly provide for exceptions to their data protection principles when dealing with personal information for the purposes of recruitment, appointments and contracts for the provision of services.^[21] Some overseas privacy legislation also provides an exception for personal references relevant to an individual’s suitability for employment or appointment to office.^[22]

40.15 There is no general exemption for employee records under the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD Guidelines), the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) issued by the European Parliament or the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.^[23]

40.16 In 2001, the Article 29 Data Protection Working Party of the European Commission released its advisory opinion on the Privacy Amendment (Private Sector) Act 2000 (Cth). The Working Party stated that employee records often contain sensitive information and saw no reason to exclude them from the protection provided for sensitive information by National Privacy Principle (NPP) 10. Further, the Working Party observed that the exemption allows information about previous employees to be collected and disclosed to a third party (eg, a future employer) without the employee being informed.^[24]

40.17 For the period from 21 December 2001 to 31 January 2005, the OPC indicated that 12% of all the NPP complaints closed by the Office as outside of its jurisdiction concerned the employee records exemption.^[25] In 2005–06, the OPC received 2,000 inquiries concerning exemptions, of which 43% related to the employee records exemption.^[26]

Previous inquiries

40.18 In 2000, the House of Representatives Standing Committee on Legal and Constitutional Affairs concluded an inquiry into the Privacy Amendment (Private Sector) Bill (2000 House of Representatives Committee inquiry). The 2000 House of Representatives Committee inquiry was not satisfied that existing workplace relations legislation provided adequate protection for the privacy of private sector employee records, and expressed ‘grave concerns’ about the exemption.^[27]

40.19 The 2000 House of Representatives Committee inquiry stated that employees are in need of privacy protection because employers frequently hold a large amount of information about their employees, some of which can be extremely sensitive—such as health information, genetic test results, financial details and results of psychological testing conducted before employment. The inquiry acknowledged that there are competing considerations and that employers should be able to disclose some information to future employers, such as confidential references. It considered that a distinction could be drawn in the nature, but not the sensitivity, of the information that may be held in employee records. It was the inquiry’s view that employees are entitled to expect confidentiality of their workplace records given that they have little choice about providing information to their employers.^[28]

40.20 A particular issue was whether the health information of employees should be covered by the Privacy Act. The 2000 House of Representatives Committee inquiry strongly objected to the inclusion of ‘health information’ in the definition of ‘employee record’. It also noted that this was inconsistent with the more specific protection given to health information and sensitive information elsewhere in the Privacy Amendment (Private Sector) Bill.^[29]

40.21 In the opinion of the 2000 House of Representative Committee inquiry, most employee records should be given the protection of the NPPs. The inquiry therefore recommended that the definition of ‘employee records’ should be revised to exempt only a limited list of personal information from the operation of the Privacy Act. These included a record of personal information relating to: the engagement, training, disciplining or resignation of the employee; the termination of the employment of the employee; and the employee’s performance or conduct.^[30]

40.22 In rejecting the recommendations by the 2000 House of Representatives Committee inquiry, the Australian Government stated that:

The regulation of employee records is an area that intersects with a number of State and Territory laws on workplace relations, minimum employment conditions, workers’ compensation and occupational health and safety, some of which already include provisions protecting the privacy of employee records. The Government considers that to attempt to deal with employee records in the [Privacy Amendment (Private Sector)] Bill might result in an unacceptable level of interference with those State and Territory laws, and a confusing mosaic of obligations.^[31]

40.23 In their 2003 report, Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the National Health and Medical Research Council recommended that the Privacy Act should be extended to cover genetic information contained in employee records.^[32] The ALRC and AHEC further recommended that the forthcoming inter-departmental review of employee privacy by the AGD and the Department of Employment and Workplace Relations (DEWR) should consider whether the Privacy Act should be amended to cover other forms of health information contained in employee records.^[33]

40.24 In February 2004, the AGD and DEWR released a discussion paper on the privacy of employee records.^[34] The discussion paper examined the current level of privacy protection for employee records under existing federal, state and territory laws. It also considered some privacy concerns about employee records and suggested options for enhancing privacy. These options included: retaining the exemption; abolishing or modifying the exemption; establishing specific employee records privacy principles; and protecting employee records in workplace relations legislation.^[35] No final recommendations were made after the release of the discussion paper.

40.25 In its report, Workplace Privacy—Final Report (2005), the Victorian Law Reform Commission (VLRC) commented that ‘the operation of the employee records exemption leaves a significant gap in the privacy protection of workers’ personal information’.^[36]

40.26 In April 2006, the Standing Committee of Attorneys-General agreed to establish a working group to advise ministers on options for improving consistency in privacy regulation, including workplace privacy.^[37] In its response to the 2006 report by the Productivity Commission’s Taskforce on Reducing Regulatory Burdens on Business, the Australian Government stated that the working group would liaise with—and not duplicate the work of—the ALRC in this area.^[38]

40.27 In November 2006, the House of Representatives Standing Committee on Legal and Constitutional Affairs released a report on the harmonisation of legal systems within Australia and between Australia and New Zealand. In its report, the Committee recommended that ‘the Australian Government highlight the issue of regulatory inconsistency in privacy regulation, including in the area of workplace privacy regulation’, in its submissions to the current Inquiry.^[39]

EU adequacy and the APEC Privacy Framework

40.28 The European Union (EU) has not granted Australia ‘adequacy status’ under the EU Directive.^[40] The OPC’s review of the private sector provisions of the Privacy Act (OPC Review) noted that there were continuing negotiations with the European Commission regarding the adequacy of the Privacy Act, especially in relation to the small business and employee records exemptions.^[41] The OPC Review concluded that, although there was ‘no evidence of a broad business push’ for achieving EU adequacy, there may be long-term benefits for Australia in achieving such adequacy. The OPC Review therefore recommended that the Australian Government continue to work with the EU on this issue.^[42] The Australian Government agreed with this recommendation.^[43]

40.29 In addition, the OPC Review noted that the increase in cross-border data flows makes implementation of international privacy frameworks important. The OPC, therefore, also recommended that the Australian Government continue to work within APEC to implement the APEC Privacy Framework.^[44]

40.30 In its inquiry into the Privacy Act in 2005, the Senate Legal and Constitutional References Committee (2005 Senate Committee privacy inquiry) noted with concern that current workplace relations legislation does not protect workplace privacy adequately, and recommended that this Inquiry examine the precise mechanisms under the Privacy Act to protect employee records.^[45] It also recommended that the current Inquiry investigate possible measures that could assist Australia in achieving EU adequacy.^[46] The Australian Government disagreed with this recommendation, on the basis that ‘international negotiations are a matter for the Australian Government and negotiations with the European Union are ongoing’.^[47] The issue of EU adequacy is discussed further in Chapter 31.