Fair Work Act Review; Supplementary Submission to the Fair Work Act Review Panel

(By letter)

Fair Work Act Review Panel
Department of Education, Employment and Workplace Relations
Via email: fairworkactreview@deewr.gov.au.

Dear Review Panel

Fair Work Act Review - Supplementary submission

I would like to take this opportunity to respond to the concerns raised in the Ai Group supplementary submission as to revocation of the employee records exemption in the Privacy Act 1988 (Cth) (the Privacy Act).

In making the following comments I acknowledge that it is up to the Panel to decide whether or not such a recommendation to revoke the employee records exemption would fall within their terms of reference. My interest in this review lies only in ensuring that consideration is given to appropriate standards for the handling of employee records as part of a balanced framework for workplace relations.

Privacy and the private sector

At the time the private sector provisions of the Privacy Act were introduced, the then Australian Government acknowledged that employee records deserve privacy protection. However, a different mechanism for achieving this protection was envisaged and an employee records exemption was included on the basis that:

While this type of personal information is deserving of privacy protection, it is the government's view that such protection is more properly a matter for workplace relations legislation.[1]

Consequently employee records held in private sector organisations were exempted from the coverage by the Privacy Act. In that regard, I am not aware that any comprehensive privacy protection of private sector employee records has been enacted through workplace relations law since the introduction of the private sector provisions of the Privacy Act in 2001.

As a result, and as mentioned in my earlier submission, the Australian Law Reform Commission (ALRC) supported the removal of the employee records exemption in its examination of Australian privacy law.[2] While the Australian Government has indicated that it will be considering this recommendation as part of a second stage response to the ALRC's Report, no timeframe has been announced for the second stage response.

Employers and the employment relationship

It is my view that the revocation of the employee records exemption need not interfere with the business interests of organisations or with the effective management of employment relationships. Moreover, a stronger privacy framework and minimum standards for information handling may assist in the promotion of trust and confidence in the employment relationship.

The Privacy Act is principle based law. The aim of principle based law is to promote the intentions and objectives of the law rather than to set down in detail what the regulated party may or may not do in their own circumstances. Accordingly, the Privacy Act is sufficiently flexible to account for the business practices of individual organisations and a wide range of information handling necessary for legitimate business purposes.

I would suggest that this has been demonstrated in regard to employee records held by Australian Government and Australian Capital Territory agencies, which have been required to comply with the Information Privacy Principles when dealing with employee records since the commencement of the Privacy Act in 1988.[3] The ALRC has also identified a number of overseas jurisdictions that do not exempt employee records from the operation of their privacy or data protection legislation, yet at the same time recognise the need for flexibility in the in the use of this information as part of the employment relationship.[4]

Similarly, I believe that in Australia the removal of the employee records exemption would not undermine the ability of organisations to manage their human resources effectively. Whilst providing clear standards for personal information handling, there are a number of exceptions to the National Privacy Principles (NPPs) that would enable organisations to continue to keep and utilise employee records.[5]

Relevantly, under NPP 2 organisations are able to use and disclose personal information within the reasonable expectations of the individual. In accepting employment with an organisation, individuals generally expect that their employer will keep and utilise a wide range of personal information as part of managing the employment relationship.

The NPPs also allow organisations to collect, use, disclose and deny access to personal information about an individual where this is 'required or authorised by or under law'. The removal of the employee records exemption from the Privacy Act would not interfere with employers' existing obligations under other laws, such as those concerning workplace safety, workers compensation, anti-discrimination or unfair dismissal.

Additionally, the removal of the employee records exemption would not result in organisations being required to disclose otherwise confidential information held about an employee. There are a number of exceptions to NPP 6 'Access and Correction' that would allow an employer to deny a request for access by an employee to their personal information in certain circumstances. This includes where providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations.

I trust these comments are useful.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner

12 March 2012

---

[1] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams-Attorney-General), 15752. See also Revised Explanatory Memorandum, Privacy Amendment (Private Sector) 2000 (Cth), 4, [109].

[2] For Your Information: Australian Privacy Law and Practice (Report 108), Recommendation 40-1.

[3] A slightly amended version of the Privacy Act 1988 (Cth) applies to ACT government agencies see Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth) s 23.

[4] For example, United Kingdom, Ireland, New Zealand and Hong Kong. See For Your Information: Australian Privacy Law and Practice (Report 108) paragraph 40.14.

[5] The NPPs set out in Schedule 3 to the Privacy Act regulate the way that private sector organisations handle personal information.