Are you protecting your employees’ personal information? If not, you may be breaching your obligations under the Privacy Act 1988 (the Act).
Most employers collect information about current and former employees including their contact details, financial information and their work performance. However, there are strict obligations imposed on employers to ensure the security of this data and you could face serious monetary penalties if you breach these obligations.
In 2014, the Government introduced the Australian Privacy Principles (the APPs), 13 rules outlining how employee data must be handled by employers, including:
- the management, collection, use and disclosure of certain information;
- the steps that organisations must take to ensure the quality and security of information; and
- an individual’s right to access and correct information.
Are you subject to the Privacy Act?
If you are an ‘APP entity’, i.e. a business with an annual turnover of more than $3 million, you must comply with the APPs. You must also comply with the APPs if you are any one of the following:
- A private sector health service provider (including medical practitioners, pharmacists, gyms and weight loss clinics);
- A complementary therapist, such as a chiropractor or psychologist;
- A childcare centre or private educational institution;
- An employee association registered or recognised under the Fair Work Act;
- A business that sells or purchases personal information;
- A credit reporting body; or
- A business that is related to an APP entity.
Even if you do not fall into any of these categories it is good practice to ensure that you are compliant with the Act. You never know how your business may grow over the next few years and you don’t want to suddenly find that you are breaching your obligations.
What type of information are you handling?
The Act protects two types of information, ‘personal’ and ‘sensitive’, and the level of protection that you must offer the information depends on how it is classified.
Personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. This means that any information which can be linked to an individual and would distinguish them from others in a group is protected by the Act. This is a broad definition and covers:
- information about a person’s private life including their name, signature, contact details, date of birth and bank account details;
- information about a person’s working habits or practices including their job title, salary and employment details; and
- certain commentary or opinion about a person.
This is a non-exhaustive list, and you should make an assessment about each type of information that you are handling. For example, a referee’s comments about a job applicant may be classified as personal information in certain circumstances.
Sensitive information includes information about an individual’s health, racial or ethnic origin, political opinions, membership of a political association, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, and genetic or biometric information.
The Act imposes more stringent security obligations on an organisation that is handling sensitive information because, if revealed, this information can leave an individual vulnerable to discrimination or harassment. If you must collect sensitive information because it is necessary to advance your business functions, you must seek your employee’s consent to the collection and use of this data.
In Jeremy Lee v Superior Wood Pty Ltd FWCFB 2946 the Fair Work Commission (FWC) held that an employee was unfairly dismissed for refusing to provide his fingerprints for the purpose of using a fingerprint scanner to sign in and out of shifts. The FWC held that because the information collected was sensitive information the employee was permitted to refuse his consent to provide it.
It is important that you understand what type of information you collect and store about your employees and why you collect that information so that you can assess and meet your obligations under the Act.
Does the employee records exception apply?
An employee record includes information about an employee’s terms and conditions of employment, salary and wages, membership of a trade or professional body, personal and emergency contact details, taxation, banking and superannuation information and health information.
An employer’s handling of employee records is exempt from the Act if the use of an employee’s personal information is directly related to a current or former employment relationship. For example, tracking an employer-provided car (and therefore the employee using the car) during an employee’s work hours is directly related to the employment relationship and exempt from the Act. However, tracking the location of the car (and employee) in the employee’s personal time is likely to result in the collection of personal information not directly related to the employee’s employment. The Act, and its compliance obligations, will therefore apply.
Further, the employee records exception does not cover contractors and subcontractors who may handle your employees’ information, such as recruitment or human resource management services, nor does it apply to future employment relationships unless you end up hiring the potential candidate.
Additionally, the information contained in employee records may also be subject to State or Territory laws, such as those monitoring telecommunications or workplace surveillance.
While some employee information may fall within the employee records exception, good employers understand that trust is vital for a beneficial employment relationship. Compliance with the APPs is an effective way to guarantee your employees’ trust and confidence in you as an employer.
Under your privacy policy you should ensure that you:
- Allow individuals to be anonymous or use pseudonyms in appropriate circumstances;
- Only collect information for a purpose that is reasonably necessary for one or more of your legitimate functions;
- Collect information directly from the individual (rather than a third party) unless it is not reasonable or practicable to do so;
- Only collect sensitive information with the consent of the individual;
- If you receive unsolicited information from someone other than the individual that the information is about, destroy or de-identify it unless it is reasonably necessary for one or more of your legitimate functions;
- Issue privacy collection notices outlining the information that has been collected and the purpose for which it was collected;
- Only use the information for the purpose for which it was collected or for a related secondary purpose;
- Do not use or disclose the information for direct marketing purposes unless an exception applies;
- Take all reasonable steps to ensure that the information is accurate, up to date and complete;
- Have adequate security measures in place, including ensuring that any foreign third parties that you disclose information to comply with the Act; and
- Allow an individual access to and the ability to correct information that you hold about them.
Some practical tips for SME employers
Here are some practical steps you can take to comply with the Act and follow best practice when handling personal and sensitive information about your employees.
Obtain Employee Consents
It is best practice to obtain an employee’s consent before disclosing any of their personal information to a third party. If the reason for disclosure is confidential and it is not possible to obtain the employee’s consent, you should seek legal advice prior to making any disclosures.
Appoint a responsible person
You should also appoint a person in your business to be responsible for compliance with the Act and for notification of any data breaches. If you suspect that there has been a data breach and you are an APP entity, then you must carry out an assessment within 30 days to verify whether the breach has occurred and whether it is likely to cause serious harm to an individual. If this is the case, then you must notify any affected people and the Office of the Australian Information Commissioner of the breach.
De-identify information when appropriate
You should also have procedures in place to de-identify information when possible (i.e. altering the information so that the risk of an individual being re-identified in the data is very low).
Schedule periodic reviews of your privacy policies and procedures
We recommend that at least annually, you schedule a comprehensive review of your privacy policies and procedures. This can be a relatively simple ‘health check’ to make sure you are keeping up with any changes to the law or best practice guidelines in this area.
If you are still unsure of your data privacy obligations or think that you may have breached them, call us on 1300 654 590. The potential consequences for your business are too severe not to.