Publication date: December 2015
A private sector employer’s handling of employee records in relation to current and former employment relationships is exempt from the Australian Privacy Principles in certain circumstances.
The exemption applies if the organisation’s act or practice is directly related to:
- either a current or former employment relationship between the employer and the individual
- an employee record held by the organisation relating to the individual
Current or former employment relationships
The act or practice must directly relate to a current or former employment relationship. The exemption does not cover future employment relationships. This means that the exemption will not apply to the collection of personal information about prospective employees who are subsequently not employed by an organisation, such as unsuccessful job applicants. However, once an employment relationship is formed with an individual, the records the employer holds relating to that individual's pre-employment checks become exempt.
This exemption does not apply to acts or practices of an organisation that are outside the scope of the employment relationship. For example, an employer that intends to sell a list of employees to another organisation for marketing purposes would need to comply with the Australian Privacy Principles.
An employee record
The employee record must be held by the organisation and must relate to the individual. An employee record is defined under section 6(1) of the Privacy Act 1988 (Cth) to mean a record of personal information relating to the employment of the employee. Examples include health information about an employee, as well as personal information relating to:
- the engagement, training, disciplining, resignation or termination of employment of an employee
- the terms and conditions of employment of an employee
- the employee's personal and emergency contact details, performance or conduct, hours of employment or salary or wages
- the employee's membership of a professional or trade association or trade union membership
- the employee's recreation, long service, sick, maternity, paternity or other leave
- the employee's taxation, banking or superannuation affairs.
Employers may not be able to assume that all the information they hold that relates to an individual employee would be an employee record. For example, whilst an employee’s bank details may form part of an employee record, emails an employee receives from their financial institution via their work email account may not necessarily be part of an employee record as they may not relate to the employment of the employee. Whether or not the content of emails sent or received by an employee forms part of their employee record will depend on the circumstances in any particular case.
Contractors of employers
This exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding their contractual arrangements. For example, the employee records exemption is unlikely to apply to organisations that provide recruitment, human resource management services, or medical, training or superannuation services under contract to an employer. This exemption also does not cover workers compensation insurers that are not the employer of an individual.
An organisation that is a contractor or subcontractor that collects employee records about an individual from an employer will have to comply with the Australian Privacy Principles in handling that information, including the notice requirements in APP 5.
This exemption does not cover an organisation when it handles the personal information of a volunteer, as an organisation and a volunteer are not considered to have an employee relationship for the purposes of the employee record exemption in s7B(3).