Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Inquiry into the Fair Work Bill 2008; Submission to the Senate Education, Employment and Workplace Relations Committee (January 2009)

January 2009 Key Recommendations The Office of the Privacy Commissioner (the Office) notes that the Fair Work Bill 2008 (the Bill) is part of a wider policy initiative by the Department of Education, Employment and Workplace Relations to provide a balanced framework for cooperative and productive workplace relations. ...

pdfInquiry into the Fair Work Bill 2008; Submission to the Senate Education, Employment and Workplace Relations Committee (January 2009)

January 2009

Key Recommendations

The Office of the Privacy Commissioner (the Office) notes that the Fair Work Bill 2008 (the Bill) is part of a wider policy initiative by the Department of Education, Employment and Workplace Relations to provide a balanced framework for cooperative and productive workplace relations. 

Work plays a major role in the lives of most individuals. Ensuring effective and adequate privacy protection in the workplace can be seen as part of that balanced framework for cooperative and productive workplaces.   

The Office has a number of suggestions to enhance the current provisions of the Bill to achieve that objective:

  • It would be beneficial if the Bill were to clarify that the handling of employee's personal information for the purposes of the 'right of entry' provisions of the Bill does not form part of the private sector 'employee records exemption' of that Act - see 'Employee records in the private sector', pages 4-5
  • A term such as 'employee personal information' rather than 'employee records' could be used in the Bill to prevent confusion with the latter terms use in the Privacy Act - see 'Employee records and the Bill', pages 5-6
  • Organisations with permits to enter workplaces, that would ordinarily fall outside the jurisdiction of the Privacy Act, should be brought under that Act's coverage for their collection and handling of information under the 'right of entry' provisions of the Bill - see 'Privacy Act coverage of organisations', pages 6-7
  • The powers of organisations with permits to enter workplaces to inspect and make copies of any record or document containing the personal information of individuals, should be limited to those records and documents that are directly relevant to the investigation of a suspected breach - see 'Limiting the collection of information', page 8
  • Fair Work Australia, in consultation with the Office of the Privacy Commissioner, should produce good privacy practices guidance material:
    • for those organisations brought into Privacy Act coverage for the purposes of the 'right of entry' provisions - see 'Privacy Act requirements', page 8-9
    • for non-Australian Electoral Commission (non-AEC) protected ballot agencies. For those non-AEC protected ballot agencies not covered by the Privacy Act abiding by such guidelines could be made a condition of being able to conduct such a ballot - see 'Protected Action Ballots', page 9
  • Further consideration be given to determining whether clauses 504 and 510 of the Bill meet their objective to provide additional remedies for misuse of employee's personal information - see 'Application to Individuals', page 7

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia.  The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. 

Overview

The Office appreciates the opportunity to make a submission to the Senate Education, Employment and Workplace Relations Committee Inquiry into the Fair Work Bill 2008 (the Bill)[1]

The Office understands that the Bill is part of the Australian Government's commitment to implementing a new workplace relations system as set out in its Forward with Fairness policy documents[2].  The Offices notes that the object of the Bill is to provide a balanced framework for cooperative and productive workplace relations that promotes national economic prosperity and social inclusion for all[3].  

Work plays a major role in the lives of most individuals. Ensuring effective and adequate privacy protection in the workplace can be seen as part of that balanced framework for cooperative and productive workplaces.   

Employers collect personal information about employees to manage the obligations and responsibilities that arise out of the employment relationship. It is reasonable for individuals to have an expectation that the personal information about them held by their employer will generally only be used for the purpose for which it was collected. The Office welcomes the civil remedies included in the Bill for the misuse of personal information by 'permit holders'. The Office believes this is a situation where additional privacy protections, in the form of civil remedies and 'right of entry' permit revocation, are relevant. 

The Office has a number of suggestions to clarify and enhance the privacy protections applying to information collected and handled under the 'right of entry' and 'protected action ballot' provisions of the Bill. These include, firstly, clarifying that all organisations with permits to enter workplaces under the 'right of entry' provisions and collect employee's personal information are subject to the Privacy Act for that collection and handling of personal information and, secondly, clarifying that the collection of personal information under the 'right of entry' provisions is subject to the Privacy Act and not part of the current private sector 'employee records exemption' of the Privacy Act. 

These clarifications will mean that the handling of any personal information by organisations with permits to enter workplaces in relation to the 'right of entry' provisions are regulated by the Privacy Act. The Office understands this is the policy intention behind the Bill. This clarification will put that intention beyond doubt. The Office also suggests that guidance material on good privacy practices be developed for those organisations brought under Privacy Act coverage for the 'right of entry' provisions.

In addition, the Office believes that the purpose of the collection of personal information through the 'right of entry' provisions should more clearly reflect the stated intention of the Australian Government that the personal information collected be 'directly' related to the potential breach being investigated by using that term in the Bill.

In relation to protected ballot agents the Office would like to see any potential gap in privacy protections for the personal information handled by those agents, if the agent is not covered by the Privacy Act, being addressed through either contractual arrangements where that is appropriate or through guidance material on best practice in collecting and handling personal information being prepared in consultation with the Privacy Commissioner.

Finally the Office considers that further consideration should be given to determining whether clauses 504 and 510 of the Bill meet their objective to provide additional remedies for misuse of employee's personal information gathered through the 'right of entry' provisions of the Bill.

These issues are discussed in more detail below.

Employee records in the private sector

When the National Privacy Principles (NPP)[4] were introduced into the Privacy Act in 2001, it was acknowledged that employee records deserved privacy protection.  However, it was envisaged that workplace relations law rather than the Privacy Act was the appropriate mechanism for such regulation in the private sector.[5]  Consequently employee records held in private sector organisations were exempted from the coverage by the Privacy Act.[6] However, the Office is not aware that any comprehensive privacy protection of private sector employee records has been enacted through workplace relations law since 2001.

Recently the Australian Law Reform Commission (ALRC) has looked at this issue again and, in its 'Report 108 For Your Information: Australian Privacy Law and Practice', proposes that the private sector employee records exemption should be removed from the Privacy Act.  In its submissions to the ALRC's inquiry leading to that report the Office on balance supported the removal of the employee record exemption given the desirability of national consistency of privacy regulation and community expectations.[7]

In reaching this position the Office considered that, in the event that the Information Privacy Principles (IPPs) and NPPs were replaced by a single set of privacy principles, the removal of the employee records exemption would improve the consistent application of the principles to both the public and private sectors.  It also noted a number of benefits that may result from coverage of employee records under the Privacy Act, including being consistent with protection of an employee's rights as a private citizen, providing certainty about rights and obligations for employers and employees, eliminating regulatory difficulties in interpreting the exemption, and providing access to a conciliation-based complaints process through the Office.[8]

While the handling of employee records by private sector organisations is currently exempt under section 7B(3) of the Privacy Act, the scope of this exemption is qualified by the definition of 'employee records' in section 6 of the Privacy Act, and the acts and practices defined in section 7B(3).   

The Privacy Act defines an employee record as a record of personal information relating to the employment of the employee including, as examples, information about an employee's terms and conditions of employment, salary, leave details, taxation, banking or superannuation affairs as well as the employee's trade union membership[9]. Further, for the employee records exemption to apply, the act or practice must be directly related to the employment relationship between the employer and the employee[10].

As the Office understands it the employee record exemption was drafted in this way to ensure that it only captures personal information and acts and practices directly related to the employment relationship between an employer and employee. 

The Office's view is that the use or disclosure of personal information by employers, for the purposes of the 'right of entry' provisions of the Bill, would not appear to be covered by the 'employee record' exemption in the Privacy Act. Therefore the handling of the employee's personal information in this context would appear to be protected by the Privacy Act. However, the Office believes that it would be beneficial if the Bill were to clarify that this is the case.

Employee records and the Bill

The Bill defines the term 'employee record' as having the same meaning given by the Privacy Act. Specifically the Office notes that, in defining the meaning of employee records, the Bill refers directly to the definition as set out in s6 of the Privacy Act.  However,  the use of that term in the Privacy Act is for the purpose of defining exemptions to the Privacy Act and the personal information that could be collected and/or disclosed under the Bill appears to be a much broader set than that which falls under the definition of 'employee record' as set out in the Privacy Act. 

The Office submits that the use of the term 'employee record' in the Bill has the potential to create confusion and uncertainty for employers in terms of how they handle the personal information they hold and the disclosures they may make under the Bill.       

The Office recommends that the term 'employee record' not be used in the Bill. An alternate such as 'employee personal information' may be more appropriate and this could be linked to the definition of personal information in the Privacy Act.

This should have the effect of eliminating any confusion that the use of the term 'employee record' in the Bill may create in the minds of employers and employees. It may also ensure the type of personal information captured by the provisions of the Bill dealing with additional privacy protections will be consistent with that covered by the Privacy Act.

Privacy Act coverage of organisations

The Privacy Act contains ten NPPs which apply to all businesses with an annual turnover of more than $3 million, all health service providers and a range of small businesses.  

Whilst the Office believes that most organisations with permits to enter workplaces would have a turnover in excess of $3 million and, consequently, would already fall within the jurisdiction of the Privacy Act, there may be some organisations with permits to enter workplaces that would not be covered.

To avoid any doubt, the Office suggests that one of a number of existing Privacy Act mechanisms be utilised to bring those organisations with permits to enter workplaces, and which are not already covered by the Privacy Act, under that Act's coverage for their collection and handling of information under the 'right of entry' provisions of the Bill.

This could be achieved through a regulation under the Privacy Act prescribing that organisations obtaining permits to enter, which are not already subject to the Privacy Act, will be treated as organisations under the Privacy Act. This provision[11] has most recently been used to prescribe residential tenancy database operators as organisations for the purposes of the Privacy Act.[12]

Alternatively an amendment to the provisions of the Privacy Act dealing with treating small business operators as organisations could be used. This method was most recently used to bring 'reporting entities' under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) under the coverage of the Privacy Act (for specific acts or practices relating to their activities under the AML/CTF Act).[13]

Application to Individuals

The Office is uncertain as to the intention of clause 504(2) of the Bill.  It appears that the purpose of this clause is to bring individuals within the coverage of the Privacy Act if the individuals are involved in the unauthorised use or disclosure of employee's personal information gathered through the 'right of entry' provisions in the Bill. However, the Privacy Act does not currently apply to individuals, but rather to the activities of organisations and agencies.

Bearing this in mind, if the intention is to enable complaints under the Privacy Act in relation to a contravention of clause 504(1) by an individual as opposed to a contravention by an organisation, with a permit to enter workplaces under the 'right of entry' provisions, the Office is not sure that the clause will be effective in practice. As well, if the clause also has the intention of enabling the civil penalty associated with clause 504 to be determined by reference to the provisions of the Privacy Act, the Office has similar concerns.

The Office also notes that under clause 510 of the Bill one of the circumstances in which Fair Work Australia (FWA) must revoke or suspend an entry permit is when the Privacy Commissioner has, under paragraph 52(1)(b) of the Privacy Act, substantiated a complaint relating to action taken by the permit holder under clauses 482 or 483.

The Office is uncertain whether a determination by the Privacy Commissioner under section 52 of the Privacy Act is the most appropriate trigger to use for the revocation or suspension of an entry permit. Historically the Office has tended to resolve complaints by way of conciliation and, consequently, the Privacy Commissioner has only needed to use the determination power in a limited number of cases. Further, as discussed above, the Privacy Act does not currently apply to individuals, but rather to the activities of organisations and agencies. For these reasons, it is not clear whether this sub clause would be effective in practice.

The Office believes that the above issues require further consideration.

Privacy of employee's personal information

Limiting the collection of information

The Privacy Act requires agencies and organisations to limit the information they collect about individuals to what is necessary for their functions or activities. [14]

In a practical sense, if an organisation cannot effectively carry out its function or activity without collecting an individual's personal information, then this information would be interpreted as being necessary.  However organisations should not collect information on the off chance it may be useful for one of its functions or activities later on.

The Office encourages organisations to take a narrow view of what information is necessary. Reducing the amount of information that is collected also benefits organisations in reducing the compliance costs of handling personal information and assists in meeting the obligation to keep information secure from loss or misuse.

As the Office understands it the intention of the Bill is that organisations with permits to enter workplaces will be allowed right of entry to inspect only those documents that are directly relevant to the investigation of a suspected breach[15].

As currently drafted, the Office believes the Bill may allow organisations with permits to enter workplaces to access and retain copies of a broader range of records and documents containing personal information of employees than is necessary.  Consistent with the Privacy Act, and the stated intention of the Bill, the Office recommends that the powers of organisations with permits to enter workplaces under clauses 482 and 483 are limited to records and documents that contain personal information that are directly relevant to the investigation of the suspected breach.

Privacy Act requirements

The Office notes that if the clarifications above are undertaken organisations with permits to enter and collect information will be required to abide by all of the obligations set out in the ten National Privacy Principles in the Privacy Act including in relation to giving notice to individuals about the collection of their personal information from a third party (NPP 1.5), to securing the information (NPP 4.1), destroying the information when no longer required (NPP 4.2), and in relation to not collecting 'sensitive information' without the consent of the individual (NPP10.1)

The National Privacy Principles provide higher privacy standards for 'sensitive information' including that it generally only be collected with the consent of the individual. [16]  Types of sensitive information include information about an individual's health, racial or ethnic origin, criminal record or trade union membership.  Information employers collect about employees as part of the employment relationship may include sensitive information. For example, an employee's personnel file may contain health information or details of a criminal record check.

In conjunction with the Office's recommendations above, that organisations not currently subject to the Privacy Act are brought into coverage for the purposes of the 'right of entry' provisions dealing with collecting and handling personal information, the Office suggests FWA, in consultation with the Office, produce guidance material for these organisations on good privacy practices.

Protected Action Ballots

The Office notes that under clause 437 of the Bill, FWA is able to authorise persons other than the Australian Electoral Commission (AEC) to conduct protected action ballots.  As part of conducting these ballots, the non-AEC agents would receive a roll containing personal information of employees including information about whether or not the individuals on the list are members of an employee association.

The Office notes the Bill does not provide details as to how practically the ballot process will operate. In addition, there is insufficient information in the Bill and the Explanatory Memorandum for the Office to determine whether all non-AEC agents will be covered by the Privacy Act.  Presumably, non-AEC agents will mostly likely be employee associations, but could also be state or territory electoral offices or other bodies or associations as authorised by the FWA.  It is also unclear whether these agents will be contracted to the AEC or the FWA, making them Commonwealth contractors who would then be subject to privacy obligations pursuant to the provisions of section 95B of the Privacy Act.[17]

This situation potentially creates a gap where there may be inadequate privacy protection for individuals participating in a protected action ballot. To address this potential gap in privacy protection the Office suggests FWA produce guidance material in consultation with the Office for non-AEC ballot agencies on good privacy practices.

For those organisations not covered by the Privacy Act, abiding by these guidelines could be made a condition of being able to conduct such a ballot. This will ensure that for all protected action ballots, regardless of whether such a ballot is conducted by the AEC or a non-AEC organisation, the handling of personal information is undertaken with good privacy practice principles in play.

 

 

[1]http://www.aph.gov.au/Senate/committee/eet_ctte/fair_work/index.htm

[2]Hansard, Senate Standing Committee on Education, Employment and Workplace Relations, 11 December 2008, Canberra p2

[3]Section 3, Fair Work Bill 2008

[4]http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html

[5] Attorney General, the Hon Daryl Williams QC, Second Reading Speech for the Privacy (Private Sector) Amendment Bill 2000(Cth) Parliamentary Debates (Hansard), House of Representatives, 12 April 2000, p. 15075.

[6] Note that Australian and ACT Government agencies employee records are covered by the Privacy Act's Information Privacy Principles.

[7] See the Office's submission to the ALRC's Discussion Paper 72, Chapter 36, p 461 available at http://www.privacy.gov.au/publications/submissions/alrc_72/PartE.html#ach6

[8] See the Office's submission to the ALRC's Review Privacy Issues Paper 31, chapter 5, paragraph 111, at p.183, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L18164.

[9]http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html

[10]http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s7b.html  

[11] See section 6E (1) and (2) of the Privacy Act

[12] See, Privacy (Private Sector) Amendment Regulations 2007 (No. 3) available at http://www.comlaw.gov.au/ComLaw/Legislation/LegislativeInstrument1.nsf/0/40617C959BA055ECCA25732B00150FEB?OpenDocument

[13] See section 6E(1A) http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6e.html

[14] NPP1 (at: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html)

[15] Hansard, Senate Standing Committee on Education, Employment and Workplace Relations, 11 December 2008, Canberra p5

[16] Sensitive information is defined in section 6 of the Privacy Act: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html

[17]Section 95B of the Privacy Act requires Australian Government agencies to take contractual measures to ensure that a contracted service provider does not do an act or practice that would breach an Information Privacy Principle.