Much has been written, and many cases have been litigated, in relation to the obligations of employees to keep confidential information of their employer confidential, and not to misuse the confidential information. There are, however, also obligations which an employer will owe to employees in relation to their personal information provided to the employer.

Information about an employee that is collected by an employer will be personal information as defined in the Privacy Act 1988 (Cth) [Privacy Act]. The definition of personal information in the Privacy Act is:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in material form or not.

Personal information of an employee that is disclosed to or collected by an employer may be subject to the Australian Privacy Principles [APPs] contained in the Privacy Act.

The APPs are available at and guidelines and information are available from the Office of the Australian Information Commissioner at

The APPs establish standards for the way organisations must deal with personal information, including:

  • openness and transparency in the management of personal information;
  • collection of personal information;
  • use and disclosure of personal information;
  • data quality and security for storage and integrity of personal information;
  • rights of access to, and correction of, personal information; and
  • any international transfer of information.

Confidential information

As well as obligations under the APPs, personal information provided by an employee to an employer would most likely be treated by the law as being imparted in circumstances which imply an obligation of confidentiality. As noted above, this doctrine of confidentiality is usually relevant in relation to an employee’s obligations to the employer not to misuse the employer’s confidential information, but obligations can similarly exist in relation to the employee’s information imparted to the employer.

Employee records

An employer is entitled to keep records (“employee records”) of personal information relating to the employment of employees. Employee records are exempt from the requirements of the Privacy Act and the APPs.

Employee records may include all or any of the following personal information:

  • the engagement, training, disciplining or resignation of the employee;
  • the termination of the employment of the employee;
  • the terms and conditions of employment of the employee;
  • the employee’s personal and emergency contact details;
  • the employee’s performance or conduct;
  • the employee’s hours of employment;
  • the employee’s salary or wages;
  • the employee’s membership of a professional or trade association;
  • the employee’s trade union membership;
  • the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; and
  • the employee’s taxation, banking or superannuation affairs.

Employee records may also include health information about an employee. Health information includes:

  • information or an opinion about:
    • the health, including an illness, disability or injury, (at any time) of an individual;
    • an individual’s expressed wishes about the future provision of health services to the individual; or
    • a health service provided, or to be provided, to an individual (see also comments in relation to COVID-19 vaccination certificates and Individual Healthcare Identifiers discussed below); and
  • other personal information collected to provide, or in providing, a health service to an individual.

Acts done by an employer in relation to an employee record of an employee are exempt from the application of the APPs provided that the act directly relates to the current or former employment relationship between the employer and the employee.

Fair Work Regulations

Additionally, the Fair Work Regulations 2009 go a step further and require employers to keep certain information for each of their employees.

Pursuant to the Regulations, employers are required to keep the following information in relation to their employees:

  • General
    • personal information; and
    • commencement date and nature of employment (casual or permanent).
  • Pay
    • the rate of pay paid to the employee;
    • gross and net amounts paid; and
    • details of incentive based payments.
  • Hours of work
    • number of overtime hours worked, including when the employee started and finished the overtime hours; and
    • the hours an employee works if the employee is a casual or irregular part-time employee who is paid based on time worked.
  • Leave
    • any leave taken; and
    • how much leave an employee has.
  • Superannuation contributions
    • amount paid;
    • pay period;
    • dates paid; and
    • name of superfund.
  • Ending of employment
    • how the employment was terminated;
    • if notice was provided, how much; and
    • the name of the person who terminated the employment.

Employee records are private and confidential. Only the employer, payroll staff, the employee and authorised individuals such as an accountant should have access to the records.

If an employee asks to see their records, an employer must make them available to the employee. This includes after an employee has ceased employment.

If records aren’t kept or are incorrect, employers can be issued with a fine, known as an infringement notice, by the Fair Work Investigator. If the Fair Work Commission takes a matter of this kind to court, employers who have failed to keep proper records or failed to make their records available for inspection may have to prove that they did not underpay the employee in question.

Acts that are not exempt

If an employer is an organisation to which the APPs apply, the exemption in relation to employee records will only apply, as noted above, where an act, or use or disclosure of the information, is directly related to the current or former employment relationship between the employer and the employee.

The exemption will also not apply in relation to:

  • contractors or suppliers or other individuals who are not employees; and
  • information provided by job applicants, unless the employer employs the applicant.

Whether an act is directly related to an employment relationship may not always be clear, but the exemption would not apply, for example, to the use of employee personal information in employee records for direct marketing. This would, if the APPs are applicable to the employer, be subject to APP 7.

The employee records exemption in section 7B of the Privacy Act only applies to organisations that are private-sector employers, not to agencies (government employers).

Application of the APPs

In accordance with the Privacy Act, the APPs do not apply to all businesses or employers. The APPs apply to Australian Government agencies, organisations that are not small business operators (annual turnover of $3 million or less) and any business that has opted‑in to be covered by the APPs. However, organisations that are APP entities do include all:

  • health service providers;
  • businesses that sell or purchase personal information;
  • credit reporting bodies; and
  • service providers for an Australian Government contract.

regardless of turnover.

Privacy policy

One of the principal obligations of an organisation to which the APPs apply is to have a privacy policy. This is required by APP 1.3. It is sometimes a misconception that an employer’s privacy policy will relate to employees’ personal information. As noted above, information in employee records is not subject to the APPs for the purposes for which employee records may be used, but the APPs and a privacy policy would cover any use outside of the uses permitted by the employee records exemption.

COVID-19 – Individual Healthcare Identifiers

Employers may wish to collect COVID-19 vaccination information in relation to employees, particularly if the employer has a mandatory COVID-19 vaccination policy.

Information about the vaccination status of an employee would be health information, which is sensitive information subject to a higher level of protection under the APPs, but, as noted above, it is information which may specifically be included in employee records.

Considerable care, however, must be taken in collecting information in relation to COVID-19 vaccination status, particularly from the COVID-19 digital vaccination certificate. The certificate will contain the employee’s Individual Healthcare Identifier [IHI].

The IHI is a unique 16-digit number used to identify an individual for healthcare purposes, Medicare and other purposes. The IHI of an individual employee is just under their name on the COVID‑19 digital certificate. An IHI is related to an individual’s health and would be considered personal information of an employee in accordance with the Privacy Act, but the use of and access to an IHI are governed by the Healthcare Identifiers Act 2010 (Cth) as well as the Privacy Act. An IHI can only be accessed, used, or disclosed for very limited purposes. There are strict criminal and civil penalties if it is used or accessed for a purpose that is not permitted.

The best practice approach for an employer that wishes to record the vaccination status of an employee is to view and note the information on the digital vaccination certificate of the employee. Employers should not keep a copy of the certificate or the IHI of the employee for their employee records. If a copy is required, for some reason, it would be best practice to have the employee redact their IHI from a copy of the digital vaccination certificate before providing this to the employer.

Best practice: employee information and privacy policy

Whether an employer is strictly required to comply with the APPs or not, it may be best practice for the employer to have a privacy policy to give comfort to customers and others that the business of the employer will respect personal information and treat personal information of individuals in accordance with the APPs. As well, it may be best practice for the employer to have an internal Information and Privacy Policy which explains to employees how the personal information of employees will be treated, what information the employer may collect and the manner in which this will be used or disclosed.

The Fair Work Ombudsman makes recommendations for this best practice. Its recommendations can be found in its publication for Workplace Privacy, which can be found at


Having regard to the recommendations of the Workplace Ombudsman and the obligations of an employer under the APPs, if applicable, and at common law, it is recommended that employers should:

  • have a privacy policy and comply, where possible, with the requirements of the APPs;
  • have an employee Information and Privacy Policy which advises employees of the requirements of the employer to provide personal information, and sets out the manner in which the employer will use and disclose the personal information, and rights of the employee to access and correct personal information; and
  • exercise caution when viewing or obtaining copies of an employee’s COVID-19 vaccination record, and ideally not obtain or record the IHI of the employee.

If you need some assistance reviewing your obligations or actioning any of the above recommendations for your business, please get in touch with one of our experts.

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.

For more information, please contact...

Sandy Donaldson


Ben Duggan


July 12, 2022 Personal and Confidential Information: Employer Obligations to Employees
Employment, Workplace Relations & Safety Intellectual Property (IP)