Privacy Act Review Report. Chapter 7: employee records exemption. A disappointingly non-committal proposal.
May 2, 2023
Chapter 7 of the Attorney-General's Report into the Privacy Act 1988 considers the employee records exemption in the Privacy Act 1988. The employee records exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For your information). The Australian Law Reform Commission unequivocally recommended that it be removed by the repeal of section 7B(3) of the Privacy Act. Unfortunately this Report has ummed and ahhed in the face of vociferous and largely spurious objections by employer bodies who wish to retain the exemption come what may. As a result the Proposal is far from unequivocal and seeks to find a halfway house of improving privacy protections of those records but not entirely removing the exemption. It also wants further consultation. Because years and years of consultation is not enough. It is a very disappointing chapter. Not as poorly analysed as the small business exemption but not good nevertheless.
The exemption applies to an act or practice of an organisation that is or was an employer where it is directly related to its employment relationship with an individual. In that circumstance an employee record it holds relating to the individual is exempt. As the exemption applies to acts or practices of ‘organisations’ it covers non-public sector entities in their capacity as employers or former employers. It does not extend to ‘agencies’.
As with the small business exemption, this exemption rests on flawed assumptions and poor public policy. Here the rationale was that the ‘handling of employee records is a matter better dealt with under workplace relations legislation.’
The exemption has led to anomalous outcomes. The exemption applies even in relation to the National Data Breach Notification scheme. As such any data breach involving personal information of employees in an employee record is not subject to the scheme’s reporting requirements.
The Discussion Paper questioned whether the personal information of private sector employees is currently adequately protected. It posited three possible reforms:
- removing the exemption: noting that this would not affect most employers unless the small business exemption was also removed
- modifying the exemption: to allow better protection of private sector employee records (such as by applying security and destruction requirements and accountability for disclosure of information overseas) while retaining the flexibility that employers need to administer the employment relationship, or
- enhancing protections in workplace relations legislation: which might impact a larger number of employees if they applied to small business employers, but would result in further fragmentation of privacy protections.
The resistance to the removal of this exemption has come from the usual suspects. For example the ACCI submitted that employers collect and maintain employment records to comply with the law, that ‘no serious issues of employer over-collection of personal information have been brought to ACCI’s attention’ and that widespread misuse of information by employers is rarely demonstrated by those who object to the employee records exemption. The ACCI would say that, wouldn’t it. Others justify the exemption on the basis that they need to collect sensitive information as part of reasonable administrative action, particularly in response to the COVID-19 pandemic, a particularly useful excuse these days, and the need for employers to comply with workplace health and safety measures to protect employees. Other submitters noted, however, that employers collect large amounts of personal, and often sensitive, information.
The Report noted that the Fair Work Commission considered the attempted collection of Mr Lee’s fingerprint in Lee v Superior Wood. The Full Bench held that an employer’s direction to an employee to submit to the collection of his fingerprints where the employee’s consent was not obtained as required by APP 3.3 was not a lawful direction, because the employee records exemption does not apply to the solicitation of sensitive information not yet contained in an employee record. Consequently, organisations have treated APP 3, including the requirement to obtain consent to collect sensitive information, as applying to them in their capacity as employers. Since the Discussion Paper was issued, the Fair Work Commission has considered the Lee decision in CFMMEU v BHP Coal,[6] which was a case concerning a request by BHP Coal for evidence of employees’ COVID-19 vaccination status.
Those in favour of retaining the exemption submitted:
- the requirement to obtain employees’ consent to collect sensitive information could hamper employers’ ability to implement important workplace policies and processes.
- employers had been restricted from directing employees to provide information necessary to implement COVID-19 protections in the workplace.
- requiring consent could jeopardise employers’ ability to achieve diversity and inclusion in the workplace as this involves collecting and using employees’ sensitive information such as racial and ethnic origin and health information.
- whether valid consent is possible in the employment context. As any consent would likely be ‘vitiated by the threat of termination of employment’, submitters questioned whether consent in the context of the employment relationship could be freely given.
These arguments are quite spurious. Issues of consent are dealt with throughout the collection of other personal information without the drama generated by employer groups. The core of their submission is “we like the exemption, it suits us so we will say and do what it takes to frighten off any reviewers.” And they did.
There was a real split in submissions about whether, despite the exemption, private sector employees’ privacy is adequately protected or whether the employee records exemption requires reform. Not surprisingly, submissions from employers and their representatives express a strong desire to retain the exemption or strengthen it. Submissions from employee representatives and other stakeholders ran the other way, considering that reform is needed.
The Proposal summarised the legitimate concerns regarding:
- the amount and highly sensitive nature of employees’ personal and sensitive information being collected, used and disclosed in the context of the employment relationship
- limited transparency about what employees’ personal and sensitive information is being used and disclosed for and whether it is in fact reasonably necessary to administer the employment relationship
- the difficulties which requiring employees’ consent to collect their sensitive information poses for employers and employees, including whether consent can be considered to be freely given in the employment and pre-employment context, and
- the fact that employee records containing often highly sensitive information are not subject to security and destruction or data breach reporting requirements.
The Report noted that extending enhanced protections under the Act would guard against fragmenting privacy regulation:
- for individuals in their private capacity and as employees,
- for APP entities as regards employees’ information and other information they hold, and
- enforcement by virtue of the OAIC being the specialised privacy regulator responsible for complaint resolution, enforcement and code development.
The Report then suggests that there are benefits in keeping protections within the Fair Work Act.
The ultimate proposal is a classic halfway house. It makes generalised recommendations, which clearly remain within the bailiwick of the Privacy Act, but then recommends further consultation on how the protections should be legislated and how Privacy and Workplace legislation should interact. It provides:
7.1 Enhanced privacy protections should be extended to private sector employees, with the aim of:
a) providing enhanced transparency to employees regarding what their personal and sensitive information is being collected and used for
b) ensuring that employers have adequate flexibility to collect, use and disclose employees’ information that is reasonably necessary to administer the employment relationship, including addressing the appropriate scope of any individual rights and the issue of whether consent should be required to collect employees’ sensitive information
c) ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required, and
d) notifying employees and the Information Commissioner of any data breach involving employee’s personal information which is likely to result in serious harm.
Further consultation should be undertaken with employer and employee representatives on how the protections should be implemented in legislation, including how privacy and workplace relations laws should interact. The possibility of privacy codes of practice developed through a tripartite process to clarify obligations regarding collection, use and disclosure of personal and sensitive information should also be explored.