How Far Does The Privacy Act Employee Record Exemption Go?

Employee records of current or former private sector employees are exempt from the Australian Privacy Act. But how far does that exemption extend?

The employee exemption has now been considered in two different cases:

  • Lee v Superior Wood
  • ALI and ALJ (Privacy) [2024] AICmr 131

Both cases outline the limits on the exemption.

Background

Unlike other jurisdictions, the Australian Privacy Act exempts from its application employment records held by private entities, often referred to as the ‘employee record exemption’. The exemption applies to: ‘An act done, or a practice engaged in, by an employer that is directly related to a current or former employment relationship between the employer and the individual and an employee record held by the organisation and relating to the individual.’

“Employee record” is also a defined term and, in relation to an employee, means a record of personal information relating to the employment of that employee.

The original rationale for this exemption was that employee privacy was better regulated through workplace relations laws. In fact, this did not happen, and there is little coverage of employee records in employment or enterprise agreements.

Lee v Superior Wood

The application of the employee exemption was first considered in Lee v Superior Wood, where the court found that the exemption only applied to records already held by the employer, that is, only after the record had been collected. In that case, it meant that the employee record exemption did not cover requiring consent from employees to the collection of sensitive information such as biometric data (in the case of Mr Lee, it was his thumbprint, which was required as part of an employee check-in system).

Prior to Lee v Superior Wood, most commentators believed that the employee record exemption covered the collection as well as the subsequent use, disclosure, storage and other handling of any employee related information.  However, in Lee v Superior Wood the application of the exemption was interpreted narrowly – perhaps to protect the rights of employees.  We covered more on this case here.

ALI and ALJ

This more recent case was a determination by the OAIC.  It involved an employee who suffered a medical emergency in the employer’s carpark and was taken by ambulance to hospital. Several employees observed the incident, some of whom attempted CPR, and there was a level of concern about the impacted individual. A colleague contacted the employee’s husband for an update on her condition. Using this information, the manager emailed all staff, updating them on the injured employee’s condition.

The employee returned to work and complained to the employer’s Privacy Officer about the all-staff email (saying it was a disclosure of her personal information for an unauthorised purpose). The complaint could not be resolved, so the employee resigned and lodged a complaint with the OAIC, claiming that her employer had interfered with her privacy. She argued that emailing all 110 staff members about the medical event that she suffered was not directly related to her employment and the personal information about the medical event in the email was not the subject of an employee record when the email was sent.

Her employer argued that there was no interference with the employee’s privacy and, in any case, that the employee record exemption under the Privacy Act applied to exempt the transmission of the email from the Privacy Act.

The OAIC decided that the employee record exemption did not apply to the employer’s conduct of sending an email specifically naming the complainant and providing an update regarding her health status to all staff. 

In the decision, the OAIC emphasised that the scope of the employee records exemption under the Privacy Act should be interpreted narrowly. To be covered by the employee record exemption, the use of information about the employee must be directly related to the employment relationship between the employer and the employee.

The employer was required to pay $3,000 for non-economic loss and a small sum for reasonably incurred expenses.

Privacy Act Amendments: The future of the employee record exemption

As part of its review of the Privacy Act, the Attorney-General’s Department did not recommend the removal of the exemption altogether.

It did however recommend enhanced privacy protections for private sector employees including:

  1. enhanced transparency regarding what their personal and sensitive information is being collected and used for
  2. ensuring that employers have the flexibility to collect, use and disclose employees’ information as reasonably necessary for the employment relationship, 
  3. ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required, and
  4. notifying employees and the Information Commissioner of any data breach involving employees’ personal information which is likely to result in serious harm.

It also suggested that further consultation be undertaken with employer and employee representatives on how the protections should be implemented in legislation, including how privacy and workplace relations laws should interact. 

The Government agreed in principle that further consultation should be undertaken. They also noted that the implementation of reforms to the employee records exemption should consider the impact and timing of new privacy obligations on small businesses. This suggests that we may not see any legislative extension of privacy protections of employees any time soon.

However, in any future cases where the employee record exemption is relied on, it is also likely to be interpreted narrowly. So, employers should take care and perhaps reconsider how appropriate it is to rely on the exemption.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.