The nature of employment relationships requires employers to collect information about their employees. The rapid developments of the digital age have significantly impacted what it means to collect data and the appropriate ways to govern its use. Such issues have attracted particular attention in recent years, mirroring rising concerns regarding data breaches and other cyber-attacks.
While information is generally governed by the Privacy Act 1988 (Cth) (‘the Act’), the Act presently includes an exemption for record handling for employers (the ‘employee record exemption’), which allows private sector employers to collect, utilise and distribute personal information of employees, where such information relates to the employment relationship between the employer and the employee.
In February 2023, the government released the Privacy Act Review Report 2022 (‘the Report’), which proposed reforms to the Privacy Act 1988 (Cth), considering whether the Act’s enforcement mechanisms are fit for purpose in Australia’s current digital economy. This included proposing to remove or modify the employee record exemption with the intention that private sector employees would no longer be exempt from such protections.
Depending upon which of the proposed changes subsequently become law, there could be negative implications for employers. The Report detailed submissions from employers who raised concerns that the proposed changes, such as the requirement to obtain employees’ consent to collect sensitive information, could hinder employers’ ability to implement important workplace processes. For example, such laws may make achieving diversity and inclusion in the workplace more difficult, as employers will be limited in collecting sensitive information such as racial or ethnic origin and health information.
Employers also submitted that their ability to administer sensitive matters such as complaints, disciplinary action and performance management would be negatively impacted.
We cannot know for certain the extent of the proposed changes until the legislation is drafted for Parliament’s consideration in 2024.
In the meantime, employers should take this time to prepare for potential changes by reviewing their data collection policies and procedures, ensuring they are well protected against data breaches, are equipped to respond appropriately in the event of a cyber-attack review the information they hold in relation to their employees and consider removing any data which is not necessary.
If you would like assistance preparing for the proposed changes, contact one of our HR consultants directly or email mazarshr@mazars.com.au. Our specialised HR and IR consultants can ensure you are ready to comply with any privacy reforms.
Published: 12/12/2023
All rights reserved. This publication in whole or in part may not be reproduced, distributed or used in any manner whatsoever without the express prior and written consent of Mazars, except for the use of brief quotations in the press, in social media or in another communication tool, as long as Mazars and the source of the publication are duly mentioned. In all cases, Mazars’ intellectual property rights are protected and the Mazars Group shall not be liable for any use of this publication by third parties, either with or without Mazars’ prior authorisation. Also please note that this publication is intended to provide a general summary and should not be relied upon as a substitute for personal advice. Content is accurate as at the date published.
