Personal and Confidential Information: Employer Obligations to Employees

Much has been written, and many cases have been litigated, in relation to the obligations of employees to keep confidential information of their employer confidential, and not to misuse the confidential information. There are, however, also obligations which an employer will owe to employees in relation to their personal information provided to the employer.

Information about an employee that is collected by an employer will be personal information as defined in the Privacy Act 1988 (Cth) [Privacy Act]. The definition of personal information in the Privacy Act is:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

1. whether the information or opinion is true or not; and
2. whether the information or opinion is recorded in material form or not.

Personal information of an employee that is disclosed to or collected by an employer may be subject to the Australian Privacy Principles [APPs] contained in the Privacy Act.

The APPs are available at https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the-australian-privacy-principles and guidelines and information are available from the Office of the Australian Information Commissioner at https://www.oaic.gov.au.

The APPs establish standards for the way organisations must deal with personal information, including:

• openness and transparency in the management of personal information;
• collection of personal information;
• use and disclosure of personal information;
• data quality and security for storage and integrity of personal information;
• rights of access to, and correction of, personal information; and
• any international transfer of information.

Confidential information

As well as obligations under the APPs, personal information provided by an employee to an employer would most likely be treated by the law as being imparted in circumstances which imply an obligation of confidentiality. As noted above, this doctrine of confidentiality is usually relevant in relation to an employee’s obligations to the employer not to misuse the employer’s confidential information, but obligations can similarly exist in relation to the employee’s information imparted to the employer.

Employee records

An employer is entitled to keep records (“employee records”) of personal information relating to the employment of employees. Employee records are exempt from the requirements of the Privacy Act and the APPs.

Employee records may include all or any of the following personal information:

• the engagement, training, disciplining or resignation of the employee;
• the termination of the employment of the employee;
• the terms and conditions of employment of the employee;
• the employee’s personal and emergency contact details;
• the employee’s performance or conduct;
• the employee’s hours of employment;
• the employee’s salary or wages;
• the employee’s membership of a professional or trade association;
• the employee’s trade union membership;
• the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; and
• the employee’s taxation, banking or superannuation affairs.

Employee records may also include health information about an employee. Health information includes:

• information or an opinion about:
  • the health, including an illness, disability or injury, (at any time) of an individual;
  • an individual’s expressed wishes about the future provision of health services to the individual; or
  • a health service provided, or to be provided, to an individual (see also comments in relation to COVID-19 vaccination certificates and Individual Healthcare Identifiers discussed below); and
• other personal information collected to provide, or in providing, a health service to an individual.

Acts done by an employer in relation to an employee record of an employee are exempt from the application of the APPs provided that the act directly relates to the current or former employment relationship between the employer and the employee.

Fair Work Regulations

Additionally, the Fair Work Regulations 2009 go a step further and require employers to keep certain information for each of their employees.

Pursuant to the Regulations, employers are required to keep the following information in relation to their employees:

• General
  • personal information; and
  • commencement date and nature of employment (casual or permanent).
• Pay
  • the rate of pay paid to the employee;
  • gross and net amounts paid; and
  • details of incentive based payments.
• Hours of work
  • number of overtime hours worked, including when the employee started and finished the overtime hours; and
  • the hours an employee works if the employee is a casual or irregular part-time employee who is paid based on time worked.
• Leave
  • any leave taken; and
  • how much leave an employee has.
• Superannuation contributions
  • amount paid;
  • pay period;
  • dates paid; and
  • name of superfund.
• Ending of employment
  • how the employment was terminated;
  • if notice was provided, how much; and
  • the name of the person who terminated the employment.

Employee records are private and confidential. Only the employer, payroll staff, the employee and authorised individuals such as an accountant should have access to the records.

If an employee asks to see their records, an employer must make them available to the employee. This includes after an employee has ceased employment.

If records aren’t kept or are incorrect, employers can be issued with a fine by the Fair Work Investigator, known as an infringement notice. If the Fair Work Commission takes a matter of this kind to court, employees who have failed to keep proper records or failed to make their records available for inspection may have to prove that they did not underpay the employee in question.

Acts that are not exempt

If an employer is an organisation to which the APPs apply, the exemption in relation to employee records will only apply, as noted above, where an act, or use or disclosure of the information, is directly related to the current or former employment relationship between the employer and the employee.

The exemption will also not apply in relation to:

• contractors or suppliers or other individuals who are not employees; and
• information provided by job applicants, unless the employer employs the applicant.
• Whether an act is directly related to an employment relationship may not always be clear, but the exemption would not apply, for example, to the use of employee personal information in employee records for direct marketing. This would, if the AAPs are applicable to the employer, be subject to APP 7.
• The employee records exemption in section 7B of the Privacy Act only applies to organisations that are private-sector employers, not to agencies (government employers).

Application of the APPs

In accordance with the Privacy Act, the APPs do not apply to all businesses or employers. The APPs apply to Australian Government agencies, organisations that are not small business operators (annual turnover of $3 million or less) and any business that has opted‑in to be covered by the APPs. However, organisations that are APP entities do include all:

• health service providers;
• a business that sells or purchases personal information;
• credit reporting bodies; and
• service providers for an Australian Government contract.

regardless of turnover.

Privacy policy

One of the principal obligations of an organisation to which the APPs applies is to have a privacy policy. This is required by APP 1.3. It is sometimes a misconception that an employer’s privacy policy will relate to employees’ personal information. As noted above, information in employee records is not subject to the APPs for the purposes for which employee records may be used, but the APPs and a privacy policy would cover any use outside of the uses permitted by the employee records exemption.

COVID-19 – Individual Healthcare Identifiers

Employers may wish to collect COVID-19 vaccination information in relation to employees, particularly if the employer has a mandatory COVID-19 vaccination policy.

Information about the vaccination status of an employee would be health information that is sensitive information subject to a higher level of protection under the APPs, but, as noted above, information which specifically may be included in employee records.

Considerable care, however, must be taken in collecting information in relation to COVID-19 vaccination status, particularly from the COVID-19 digital vaccination certificate. The certificate will contain the employee’s Individual Healthcare Identifier [IHI].

The IHI is a unique 16 digit number used to identify an individual for healthcare purposes, Medicare and other purposes. The IHI of an individual employee is just under their name on the COVID‑19 digital certificate. An IHI is related to an individual’s health and would be considered personal information of an employee in accordance with the Privacy Act, but the use and access of an IHI is governed by the Healthcare Identifiers Act 2010 (Cth) as well as the Privacy Act. An IHI can only be accessed, used, or disclosed for very limited purposes. There are strict criminal and civil penalties if it is used or accessed for a purpose that is not permitted.

The best practice approach for an employer that wishes to record the vaccination status of an employee is to view and note the information on the digital vaccination certificate of the employee. Employers should not keep a copy of the certificate or the IHI of the employee for their employee records. If a copy is required, for some reason, it would be best practice to have the employee redact their IHI from a copy of the digital vaccination certificate before providing this to the employer.

Best practice: employee information and privacy policy

Whether an employer is strictly required to comply with the APPs or not, it may be best practice for the employer to have a privacy policy to give comfort to customers and others that the business of the employer will respect personal information and treat personal information of individuals in accordance with the APPs. As well, it may be best practice for the employer to have an internal Information and Privacy Policy which explains to employees how the personal information of employees will be treated, what information that the employer may collect and the manner in which this will be used or disclosed.

The Fair Work Ombudsman makes recommendations for this best practice. Its recommendations can be found in its publication for Workplace Privacy, which can be found at https://www.fairwork.gov.au/sites/default/files/migration/711/workplace-privacy-best-practice-guide.pdf

Recommendations

Having regard to the recommendations of the Workplace Ombudsman and the obligations of an employer under the APPs, if applicable, and at common law, it is recommended that employers should:

• have a privacy policy and comply, where possible, with the requirements of the APPs;
• have an employee Information and Privacy Policy which advises employees of the requirements of the employer to provide personal information, and sets out the manner in which the employer will use and disclose the personal information, and rights of the employee to access all correct personal information; and
• exercise caution when viewing or obtaining copies of an employee’s COVID-19 vaccination record, and ideally not obtain or record the IHI of the employee.

If you need some assistance reviewing your obligations or actioning any of the above recommendations for your business, please get in touch with one of our experts.