16.08.2010
40.95 Employee records can contain a significant amount of personal information about employees, including sensitive information such as health and genetic information. There is a real potential for individuals to be harmed if employees’ personal information is used or disclosed inappropriately. The lack of adequate privacy protection for employee records in the private sector is of particular concern because employees may be under economic pressure to provide personal information to their employers.
40.96 According to the Australian Bureau of Statistics (ABS), 84% of Australians are employed in the private sector.[185] The lack of privacy protection for the majority of Australian employees is unjustifiable and represents a significant gap in privacy regulation. There is no sound policy reason why privacy protection for employee records only is available to public sector employees and not private sector employees; or for treating employees’ personal information differently from other personal information.
40.97 At the time the private sector provisions of the Privacy Act were introduced, the Australian Government acknowledged that employee records deserve privacy protection, but considered that the issue would be more appropriately dealt with in workplace relations legislation. More than seven years after the enactment of the private sector provisions, however, workplace relations legislation still does not provide sufficient privacy protection for employee records.
40.98 Privacy legislation in comparable overseas jurisdictions, such as the United Kingdom and New Zealand, does not contain an exemption that applies to employee records. Removing the employee records exemption would bring Australian privacy law closer to that in comparable overseas jurisdictions, and may facilitate recognition of the adequacy of Australian privacy law by the EU.
40.99 As discussed above, stakeholders raised a number of objections to the removal of the employee records exemption. These objections are considered below.
Management and the employment relationship
40.100 The application of the model UPPs to employee records need not interfere with the business or management interests of employers or with employment relationships. In general terms, the model UPPs require that the employer:
obtain the consent of its employees in appropriate circumstances—for example, where the employer wishes to collect sensitive information about an employee, or to use or disclose information for a purpose that is unrelated to the primary purpose of collection; and
take reasonable steps to ensure that its employees are aware of the matters listed in the ‘Notification’ principle, such as the purpose for which personal information is collected, and employees’ rights of access to, and correction of, that information.
40.101 The removal of the employee records exemption will not result in organisations being required to disclose otherwise confidential and sensitive information. There are a number of exceptions to the ‘Access and Correction’ principle in the model UPPs that would allow an employer to deny a request for access by an employee to his or her personal information in certain circumstances, including where, for example, providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process.[186]
40.102 The removal of the employee records exemption would not undermine the ability of businesses to manage their human resources effectively. On the contrary, good information-handling practices would assist in ensuring that organisations would be making sound business decisions based on accurate and up-to-date information that is held securely within the organisation.
40.103 Aspects of the employment relationship reinforce, rather than negate, the need to ensure that the privacy of employee records is protected adequately. Mutual trust and confidence, on which the employment relationship is said to be based, is enhanced by the open and fair handling of employee records in accordance with the privacy principles. Further, the fact that an employment relationship is ongoing, and employee records may be used for a range of business purposes over time, serves to highlight, rather than diminish, the need for privacy protection.
Interaction with other legal obligations
40.104 The removal of the employee records exemption from the Privacy Act would not interfere with employers’ existing obligations under other laws—such as laws concerning workplace relations, OH&S, workers compensation, anti-discrimination and unfair dismissal.
40.105 The model UPPs contain specific exceptions to the ‘Collection’, ‘Use and Disclosure’ and ‘Access and Correction’ principles that allow organisations to collect, use, disclose and deny access to personal information (including sensitive information) about an individual where this is ‘required or authorised by or under law’. Accordingly, employers would be able to collect, use, disclose or deny access to personal information where this is necessary to enable them to meet their legal obligations under other laws.
40.106 In particular, the ‘Collection’ principle in the model UPPs allows the collection of sensitive information where the collection is ‘required or authorised by or under law’ instead of ‘required by law’, as is presently the case under NPP 10.1(b).[187] This reform addresses the concerns that employers may be prevented from collecting medical certificates for the approval of paid personal leave under the Workplace Relations Act.[188]
Outsourcing arrangements
40.107 The fact that the employee records exemption currently allows an organisation to disclose personal information about employees to an unrelated company suggests that the exemption should be removed. There is no good policy reason why organisations should be permitted to disclose employees’ personal information other than in accordance with the ‘Use and Disclosure’ principle in the model UPPs.
40.108 The ‘Use and Disclosure’ principle would allow an organisation to disclose personal information about an employee for a secondary purpose where the disclosure: is related to the primary purpose of collection of that information (or, in the case of sensitive information, directly related to the primary purpose of collection); and is within the reasonable expectations of the individual.
40.109 Where outsourced activities are employment related, the disclosure of an employee’s personal information to a contractor may be related to the primary purpose of collection and within the reasonable expectations of the employee. Where this is not the case, the employer should ensure that the individual consents to the disclosure.
Sale of businesses
40.110 The removal of the employee records exemption would not hamper the ability of organisations to buy and sell businesses. Guidance issued by the OPC and, in the United Kingdom by the ICO, suggests a number of ways in which vendors and prospective purchasers can handle personal information during the sale and purchase of a business, while ensuring compliance with privacy principles.
40.111 First, the vendor should provide aggregate, non-identifiable information about employees to the prospective purchaser whenever possible. Such information would not fall within the definition of ‘personal information’ in the Privacy Act and therefore would not be covered by the Act.[189] The prospective purchaser may conduct due diligence inquiries by inspecting records and making a note of the fact that the records have been inspected (without recording the details of the personal information inspected), which would not constitute ‘collection’ of the personal information for the purposes of the Privacy Act. Secondly, where disclosure of personal information about employees to the prospective purchaser is required, the vendor is not necessarily obliged to obtain the consent of the employee. Arguably, the disclosure of employee records to a prospective purchaser of a business is directly related to the primary purpose of collection, and within the individual’s reasonable expectation.[190] In some cases, the vendor also may have a legal obligation to avoid alerting employees to the possibility of a transmission of business, for example, where to do so is prevented by a prohibition against ‘insider trading’.[191]
40.112 Further, where the prospective purchaser collects personal information about employees from the vendor, the prospective purchaser is not necessarily required to take steps to advise the employee about the matters listed in the ‘Notification’ principle. Due diligence processes may need to be conducted confidentially in order to protect the interests of the organisations involved. The OPC has stated that:
the [Privacy] Commissioner takes the view that, even if personal information is recorded by a prospective purchaser, it would generally be reasonable at this time for the prospective purchaser organisation to take no steps under NPP 1.5 to advise the individual about whom personal information is collected of the NPP 1.3 matters. However, taking no steps would only be reasonable where the prospective purchaser organisation decides not to proceed with the purchase of the business, and returns or destroys all records of personal information to the vendor organisation.[192]
Regulatory burden and compliance costs
40.113 The removal of the employee records exemption would result in some additional compliance costs for some employers. The ALRC is not persuaded, however, that avoiding these costs provides a sufficient policy basis to support the retention of the employee records exemption. In any case, the costs to businesses resulting from removal of the exemption should not be overestimated.
40.114 The organisations which will carry the greatest burden—that is, large businesses—already are required to comply with the Privacy Act in relation to other personal information and therefore, already have in place mechanisms and procedures for the handling of personal information. Additionally, many businesses already handle employee records in the same way they handle other personal information.
40.115 Further, more than half of existing Australian businesses are not employers. According to the ABS’s most recent figures, as at June 2007, there were 2,011,770 actively trading businesses in Australia, of which 1,171,832 (58%) were non-employing.[193] There will be more than one million actively trading businesses, therefore, that will not be affected by the removal of the employee records exemption.
40.116 Elsewhere in this Report, the ALRC makes a number of recommendations aimed at reducing the complexity of the existing privacy regime. These include recommendations that the Privacy Act be amended to achieve greater logical consistency, simplicity and clarity, and that the privacy principles be streamlined.[194] The simplification of the legislation should go some way towards reducing the costs of compliance for employers.
40.117 The requirements under the ‘Cross-border Data Flows’ principle would not result in any significant additional burden for those organisations that transfer and hold internal human resources data overseas. The principle does not prevent personal information from being transferred or require any additional steps to ensure compliance with the Privacy Act. It merely requires that an organisation remain accountable for any transfer of personal information overseas, except in defined circumstances.[195]
Application of the UPPs to existing employees
40.118 As discussed above, removing the employee records exemption would not result in employers being required to obtain the consent of existing employees for the use and disclosure of their personal information in every case. The employer only would have to obtain the consent of its employees if: it wishes to use or disclose the employees’ personal information for a secondary purpose that is not related—or in the case of sensitive information, not directly related—to the primary purpose of collection; and the use or disclosure is not within the reasonable expectations of the employee. Since existing employee records generally would have been collected for the primary purpose of the employment relationship, in most cases, there would not be a need to obtain the consent of existing employees for the use and disclosure of their personal information.
40.119 Where an employer wishes to use or disclose an employee’s personal information for a secondary purpose that is unrelated to the employment relationship, such use and disclosure would not form part of the employment relationship and therefore the requirement to obtain the employee’s consent would not amount to a variation of the employment contract.
Privacy codes or non-binding guidelines
40.120 The use of privacy codes or non-binding guidelines is not a substitute for legislative protection and would not be a sufficient response to the significant concerns raised about the lack of privacy protection for employee records. Such initiatives would not resolve the issue of inconsistent regulation of employee records between the public and private sectors. Again, there is no good policy basis to justify treating employee records differently from other personal information.
Conclusion
40.121 For these reasons, the ALRC recommends that the employee records exemption be removed. Removing the exemption would ensure that the privacy of employee records held by organisations is protected under the Privacy Act, and that employees’ sensitive information, such as health and genetic information, is given a higher level of protection under the Act. This protection should be in addition to that provided by other laws, such as the relevant provisions in the Workplace Relations Regulations.
40.122 Having regard to the various concerns raised by employers and employer groups, the OPC should develop and publish specific guidance on the application of the UPPs to employee records to assist employers in fulfilling their obligations under the Privacy Act. This guidance should address, in particular, concerns about when it is and is not appropriate to disclose to an employee concerns or complaints by third parties about the employee. These concerns are discussed in detail below, in relation to the handling of ‘evaluative material’ about employees.
Recommendation 40-1 The Privacy Act should be amended to remove the employee records exemption by repealing s 7B(3) of the Act.
Recommendation 40-2 The Office of the Privacy Commissioner should develop and publish guidance on the application of the model Unified Privacy Principles to employee records, including when it is and is not appropriate to disclose to an employee concerns or complaints by third parties about the employee.
[185] As at May 2007, there were 10,439,700 employed persons who were aged 15 and over, of which 1,662,300 were federal, state and local government employees: Australian Bureau of Statistics, Australian Labour Market Statistics, 6105.0 (2008), 13, 35.
[186] The treatment of ‘evaluative material’ under the Privacy Act is discussed in more detail below.
[187] See Ch 22, Rec 22–2.
[188] See Workplace Relations Act 1996 (Cth) s 254.
[189]Office of the Federal Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (2002), 3–4. See also United Kingdom Government Information Commissioner’s Office, The Employment Practices Code (2005), [2.12.1].
[190] See, by analogy, the OPC’s guidance relating to the disclosure of other personal information to the prospective purchaser of a business: Office of the Federal Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (2002), 2–3. See also United Kingdom Government Information Commissioner’s Office, The Employment Practices Code—Supplementary Guidance (2005), [2.12.3].
[191] See United Kingdom Government Information Commissioner’s Office, The Employment Practices Code (2005), [2.12.3].
[192]Office of the Federal Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (2002), 4.
[193] Australian Bureau of Statistics, Counts of Australian Businesses, 8165.0 (2007), 18.
[194] See Recs 5–2, 18–2.
[195] See Ch 31.