This best practice guide is for employers and managers. It explains the Australian Privacy Principles and your obligations when managing employees’ personal information.
It also has practical tips and case studies to help you move your business towards best practice.
Working at best practice
Best practice employers know how important it is to keep their employees’ personal information private. They have clear policies that set out what information the business can collect and keep, and when it can be passed on to others. Every workplace can enjoy the benefits of taking a best practice approach to workplace privacy. These may include:
Privacy and personal information
Privacy is our ability to keep our personal information to ourselves, and to control what happens if we share it with others. Personal information is information that can be used to identify someone. Names, addresses, phone numbers, email addresses, photos, bank account details, tax file numbers, super fund information, drivers licence details and academic records are a few examples. Personal information can be sensitive in nature, for example, information about a person’s health, sexuality, religious beliefs, criminal record, professional or trade union memberships. Commonwealth privacy laws set a higher standard for collecting and handling sensitive personal information.
Legal requirements
The Privacy Act 1988 sets out requirements for collecting, storing, using and disclosing personal information. These are called the Australian Privacy Principles. They apply to:
If you’re required to follow the Australian Privacy Principles, you must have a privacy policy. For more information, refer to the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.
All businesses should aim to comply with the privacy principles as a matter of best practice. However, not all businesses are subject to Commonwealth privacy laws.
Rules about employees’ personal information
The Fair Work Act 2009 requires all employers to keep certain personal information about employees in their employee records. Personal information held by an employer, relating to someone’s current or former employment, isn’t covered by the Australian Privacy Principles, but only when used by the employer directly in relation to their employment. This information includes:
The Australian Privacy Principles do apply to personal information about unsuccessful job candidates. This can include applicants’ resumes, contact details, references and academic transcripts. Third parties providing recruitment, training, human resources, payroll or other services to the employer under a contract may need to comply with the Australian Privacy Principles.
Disclosing employee personal information to third parties
You can legally disclose employee records to a third party in some circumstances, for example as detailed below. Employees are also entitled to access their own employment records.
Information requested by a Fair Work Inspector
A Fair Work Inspector can request information about employees to check your business is meeting its employment obligations. Employers are legally required to provide requested employment records to a Fair Work Inspector in some circumstances, for example if they issue a ‘notice to produce’ that requires records or documents to be produced. For further information about the powers of Fair Work Inspectors see our Record-keeping and pay slips online course at www.fairwork.gov.au/learning.
Information requested by other government agencies or by law
Certain government agencies (such as the Australian Tax Office and Centrelink) may ask you to provide personal information about your employees. Also, you may need to provide information to police or under court orders. If you receive such a request, ask the person making the request which law requires or allows you to disclose the information.
Information requested by a permit holder
There may be times when a permit holder with a right of entry permit (usually a union official) wants to enter your workplace to investigate a suspected breach of workplace laws. While there, they may ask to do things like inspect or copy documents or interview people.
Permit holders can inspect and copy any record or document that’s directly relevant to the suspected breach if that record or document is kept on the premises or accessible from a computer kept on the premises. They can also give written notice requiring you to produce, or provide access to, records or documents later. The records must substantially or entirely relate to a member of the union unless the Fair Work Commission allows otherwise. You don’t need to let the permit holder inspect and copy documents if doing so would contravene a Commonwealth law (including Commonwealth privacy laws) or a state or territory law. See our Unions entering the workplace page for more information, including entry permit requirements and giving notice of entering a workplace, available from www.fairwork.gov.au.
Information requested by an employee or former employee
If an employee or former employee requests access to their own employment records, you must make a legible copy available for them to inspect and copy. If the employee record is kept at the workplace, you must make the copy available there within 3 business days or post a copy to the employee within 14 days after receiving the request. If the employee record is not kept at the workplace, you must make a copy available or post it to the employee as soon as practicable.
Providing references
You may be approached to provide employment references about former or current employees. You won’t breach Commonwealth privacy laws if you provide personal information that relates directly to the employee’s employment, but you can still ask for their consent. This can usually be assumed if they have already asked you to be a referee. If they haven’t, you should consider seeking their consent before disclosing information about them. Consider what information is appropriate to provide in a reference. Keep your comments focused on the employment relationship to avoid any possible privacy issues.
This includes the employee’s skills, performance, conduct, their type of employment and length of employment. It is generally not appropriate to disclose private information about a current or former employee (for example, their medical history). As mentioned, Commonwealth privacy laws set a higher standard for collecting and handling sensitive personal information.
Create a policy on employment references. This could include in what circumstances references will or won’t be given, the form of reference (written or verbal), the process for requesting a reference and a consent form. Some employers have a policy of not providing references, and only confirming whether the employee worked for their organisation. If you adopt this policy, tell the reference checker that it is a general policy and not a reflection on the specific employee.
Using best practice to protect personal information
Best practice doesn’t look the same for all employers. The way to achieve best practice will vary depending on the industry, number of employees, and the business environment. Below are initiatives and suggestions that can help you move your business towards best practice.
Commit to the privacy principles
Best practice employers choose to meet the requirements of the Australian Privacy Principles even if they aren’t required to. They also apply the principles to employee records although this isn’t required by law.
Tell employees what happens to their personal information
Best practice employers tell employees:
You can include this information in your induction training, a workplace privacy policy and other staff communications.
Set clear expectations about electronic communications, social media and use of monitoring technologies
The use of internet, email, social media and employer-supplied devices (such as smart phones and tablets) affects many aspects of our working lives, including privacy. Best practice employers have clear workplace policies to help employees understand the expectations that apply to social media, email, internet use and the use of surveillance or other data collection technologies in their workplace. The key points to communicate to your staff are:
Businesses are increasingly using technology (such as apps, monitoring software or tracking devices) to supervise their employees. Things employers monitor can include:
There may be privacy implications when employers use technology to monitor the behaviour of their employees, including during the coronavirus outbreak. For more, see the Office of the Australian Information Commissioner’s guidance on privacy obligations to staff during Coronavirus, at www.oaic.gov.au/covid-19.
Develop a workplace privacy policy
Developing a workplace privacy policy can help you apply good privacy practices in your workplace. Having a clear policy helps you ensure a consistent approach to workplace privacy. It also lets your workforce know that you take protecting their personal information seriously. Your policy should:
The Australian Privacy Principles may require you to have a clear and up-to-date privacy policy, detailing the kinds of personal information your company holds, how you collect and store that information, and the purposes you can use the information for. The policy should also cover how stored information can be accessed, whether information is likely to be sent overseas, and how to complain about breaches of privacy.
Helen owns a wholesale business. People call the general number sometimes asking for information about employees. Helen included a procedure in the workplace privacy policy that requires these requests to come to her. This process lets Helen find out what information is being requested and why. It also allows Helen to discuss the request with the employee concerned.
It’s essential you regularly review and update your privacy policy. This is especially important in workplaces where there are rapid developments or changes in the way employees, managers and business owners are using technology, which can have implications for the protection of personal information. Make sure you consult with employees and managers about what they think is working and what could be improved when it’s time to review your policy.
Help your managers and employees understand workplace privacy
Best practice employers give their managers and employees training about workplace privacy. This builds confidence in understanding how personal information is handled within the workplace. It could also encourage employees to keep their information up to date and discuss any issues with you or their managers. Consider providing information and resources to reinforce your training. This could include:
Marco is the Human Resources Manager in a professional services business. Marco explains to employees that the business will take disciplinary action for repeated breaches of its privacy and electronic communications policies. He does this during the induction of new employees and when training managers. Marco believes these reminders help drive home the responsibilities of employees and the importance of protecting the privacy of personal information. It also makes sure staff know they’re accountable if they don’t comply.
Best practice checklist
A best practice workplace involves more than just understanding and complying with the law. This checklist will help you work towards best practice when managing and protecting your employees’ personal information: