Much has been written, and many cases have been litigated, in relation to the obligations of employees to keep confidential information of their employer confidential, and not to misuse the confidential information. There are, however, also obligations which an employer will owe to employees in relation to their personal information provided to the employer.
Information about an employee that is collected by an employer will be personal information as defined in the Privacy Act 1988 (Cth) [Privacy Act]. The definition of personal information in the Privacy Act is:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Personal information of an employee that is disclosed to or collected by an employer may be subject to the Australian Privacy Principles [APPs] contained in the Privacy Act.
The APPs are available at http://www.oaic.gov.au/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles and guidelines and information are available from the Office of the Australian Information Commissioner at https://www.oaic.gov.au.
The APPs establish standards for the way organisations must deal with personal information, including:
As well as obligations under the APPs, personal information provided by an employee to an employer would most likely be treated by the law as being imparted in circumstances which imply an obligation of confidentiality. As noted above, this doctrine of confidentiality is usually relevant in relation to an employee’s obligations to the employer not to misuse the employer’s confidential information, but obligations can similarly exist in relation to the employee’s information imparted to the employer.
An employer is entitled to keep records (“employee records”) of personal information relating to the employment of employees. Employee records are exempt from the requirements of the Privacy Act and the APPs.
Employee records may include all or any of the following personal information:
Employee records may also include health information about an employee. Health information includes:
Acts done by an employer in relation to an employee record of an employee are exempt from the application of the APPs provided that the act directly relates to the current or former employment relationship between the employer and the employee.
Additionally, the Fair Work Regulations 2009 go a step further and require employers to keep certain information for each of their employees.
Pursuant to the Regulations, employers are required to keep the following information in relation to their employees:
Employee records are private and confidential. Only the employer, payroll staff, the employee and authorised individuals such as an accountant should have access to the records.
If an employee asks to see their records, an employer must make them available to the employee. This includes after an employee has ceased employment.
If records aren’t kept or are incorrect, employers can be issued with a fine, known as an infringement notice, by the Fair Work Investigator. If the Fair Work Commission takes a matter of this kind to court, employers who have failed to keep proper records or failed to make their records available for inspection may have to prove that they did not underpay the employee in question.
If an employer is an organisation to which the APPs apply, the exemption in relation to employee records will only apply, as noted above, where an act, or use or disclosure of the information, is directly related to the current or former employment relationship between the employer and the employee.
The exemption will also not apply in relation to:
In accordance with the Privacy Act, the APPs do not apply to all businesses or employers. The APPs apply to Australian Government agencies, organisations that are not small business operators (annual turnover of $3 million or less) and any business that has opted in to be covered by the APPs. However, organisations that are APP entities do include all:
regardless of turnover.
One of the principal obligations of an organisation to which the APPs apply is to have a privacy policy. This is required by APP 1.3. It is sometimes a misconception that an employer’s privacy policy will relate to employees’ personal information. As noted above, information in employee records is not subject to the APPs for the purposes for which employee records may be used, but the APPs and a privacy policy would cover any use outside of the uses permitted by the employee records exemption.
Employers may wish to collect COVID-19 vaccination information in relation to employees, particularly if the employer has a mandatory COVID-19 vaccination policy.
Information about the vaccination status of an employee would be health information that is sensitive information subject to a higher level of protection under the APPs, but, as noted above, it is information which may specifically be included in employee records.
Considerable care, however, must be taken in collecting information in relation to COVID-19 vaccination status, particularly from the COVID-19 digital vaccination certificate. The certificate will contain the employee’s Individual Healthcare Identifier [IHI].
The IHI is a unique 16-digit number used to identify an individual for healthcare purposes, Medicare and other purposes. The IHI of an individual employee is just under their name on the COVID-19 digital certificate. An IHI is related to an individual’s health and would be considered personal information of an employee in accordance with the Privacy Act, but the use and access of an IHI is governed by the Healthcare Identifiers Act 2010 (Cth) as well as the Privacy Act. An IHI can only be accessed, used, or disclosed for very limited purposes. There are strict criminal and civil penalties if it is used or accessed for a purpose that is not permitted.
The best practice approach for an employer that wishes to record the vaccination status of an employee is to view and note the information on the digital vaccination certificate of the employee. Employers should not keep a copy of the certificate or the IHI of the employee for their employee records. If a copy is required, for some reason, it would be best practice to have the employee redact their IHI from a copy of the digital vaccination certificate before providing this to the employer.
Whether an employer is strictly required to comply with the APPs or not, it may be best practice for the employer to have a privacy policy to give comfort to customers and others that the business of the employer will respect personal information and treat personal information of individuals in accordance with the APPs. As well, it may be best practice for the employer to have an internal Information and Privacy Policy which explains to employees how the personal information of employees will be treated, what information the employer may collect and the manner in which this will be used or disclosed.
The Fair Work Ombudsman makes recommendations for this best practice. Its recommendations can be found in its publication for Workplace Privacy, which can be found at https://www.fairwork.gov.au/sites/default/files/migration/711/workplace-privacy-best-practice-guide.pdf
Having regard to the recommendations of the Workplace Ombudsman and the obligations of an employer under the APPs, if applicable, and at common law, it is recommended that employers should:
If you need some assistance reviewing your obligations or actioning any of the above recommendations for your business, please get in touch with one of our experts.
Sandy Donaldson
Consultant
p. +61 8 8124 1954
Ben Duggan
Director
p. +61 8 8124 1881
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.