Employers, brace for changes to the Privacy Act’s employee record exemption

25 May 2023
Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Antoine Pace, Partner, Melbourne; David Smith, Consultant, Melbourne

With everything and everyone moving online, going paperless and adopting flexible work practices, it’s no wonder employers are collecting more and more personal information, including sensitive personal information, from their employees.

The employee record exemption

At present, an organisation acting in its capacity as the employer (or former employer) of an individual is exempt from complying with the Privacy Act 1988 (Cth) (the Act) in relation to acts or practices directly related to the employment relationship. The exemption covers any record of personal information relating to the employment of an employee, including the terms and conditions of employment and the engagement of the employee.[1]

This exemption is likely to change in the near future. The Privacy Act Review Report released by the Attorney-General’s Department on 16 February 2023 (Report) concluded there should be greater transparency around employers’ collection and use of employee personal information.[2]

Potential changes to the exemption

The Report did not specify how the exemption would be changed to achieve such transparency and improve privacy protections for employees. That said, there are three options on the table for the employee record exemption:

  1. complete removal,
  2. modification to improve protections around employee personal information while keeping the employer’s ability to administer the employment relationship; or
  3. keeping the exemption ‘as is’ and using other legislation to improve employee privacy protections.

What does this mean for you as an employer?

We are likely to see greater protection of employee personal information from misuse and limitations on retention of that personal information, regardless of the approach taken.

It is not yet clear whether employers will need to update their policies to require consent from employees to collect personal information. The Report acknowledges that it would be impracticable to obtain an employee’s consent each and every time personal information is requested (regardless of the information being collected) to comply with Australian Privacy Principles (APPs) 3 and 5. It is likely that consent will only be required for certain sensitive information, at the beginning of the relationship or as a result of a change in role within the employer’s organisation.

Similarly, it is unclear whether employees will have a right to access and correct the personal information held by their employer under APPs 12 and 13. This is unlikely to extend to some types of information employers keep about their employees, such as performance reviews.

Employers should still prepare for the removal or modification of the employee record exemption. Some things employers can do now include:

  • conducting an audit of employee personal information held,
  • appointing a privacy officer, such as a senior employee,
  • updating their data breach response plan to include employee personal information; and
  • deleting any employee personal information that it is unnecessary for them to hold.



Authored by:
Dudley Kneller, Partner
Clare Cullen, Associate


[1] Privacy Act 1988 (Cth) s 7B(3).

[2] Australian Government, Attorney-General’s Department (16 February 2023) Privacy Act Review Report, proposal 7.1(a) <https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf>.

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
