Privacy Issues for Employers

As an employer you may already possess or wish to collect personal information about your employees. In an evolving workplace, what information can you legally ask your employees to give you and when can you ask for it? Most importantly, what can you do if an employee refuses to provide you with the personal information requested?

Privacy Act

Employee information is protected under the Privacy Act 1988 (Cth) (the Privacy Act). Personal information usually includes such identifying information as names, emails, addresses and telephone numbers but it can also include ‘sensitive’ information such as race, political affiliation, sexual orientation and health or genetic information.

Employers must handle all personal information carefully and sensitive information very carefully because it could be used to discriminate against someone. In our experience, most issues arise in a workplace when an employee is improperly asked to provide sensitive information, is not asked to give consent to the collection of the information, or when the information has been mishandled by an employer.

Australian privacy principles

In 2014 the Australian Government introduced into the Privacy Act the requirement that certain businesses falling within the definition of an ‘APP entity’ comply with 13 Australian Privacy Principles (the APPs) when dealing with the personal information of their employees. The APPs are rules that outline how employee data must be handled by APP entities including:

  • the management, collection, use and disclosure of certain information;
  • the steps that organisations must take to ensure the quality and security of information; and
  • an individual’s right to access and correct information.

All entities carrying on a business with an annual turnover of more than $3 million are APP entities, as well as:

  • Private sector health service providers (including medical practitioners, pharmacists, gyms and weight loss clinics);
  • Complementary therapists, such as chiropractors or psychologists;
  • Childcare centres or private educational institutions;
  • Employee associations registered or recognised under the Fair Work Act 2009 (Cth);
  • Businesses that sell or purchase personal information;
  • Credit reporting bodies; and
  • Businesses that are related to an APP entity.

Employee record exemption

The Privacy Act contains an Employee Record Exemption: as a rule, all private sector businesses can use the personal information of their employees for purposes directly relating to an employee’s employment, for example, their bank account details for payroll purposes. However, if you collect information from your employees that is not directly related to their employment, the Privacy Act applies, as well as any workplace laws that deal with the collection and maintenance of, and access to, employee records. Consider whether the information you are collecting about your employees is directly related to their employment and, if not, what the Privacy Act says about the collection of this information.

Can employers force employees to hand over personal information?

Employees are required to comply with lawful and reasonable directions from their employers, and this may sometimes include asking employees to divulge personal information. If an employee refuses to follow such a direction, the employer may have the right to terminate that person’s employment. However, employers need to be extremely careful before terminating someone’s employment if the ‘direction’ is ‘unreasonable and unlawful’.

Fingerprints

In the case of Lee v Superior Wood, the employer, Superior Wood, requested its employees provide their fingerprints for the purposes of implementing a biometric entry and exit system that used fingerprint scanning technology. Lee was an employee and felt uncomfortable about providing this personal information. When he refused to give his fingerprints, his employment was terminated for failing to follow his employer’s lawful and reasonable direction. Lee brought an unfair dismissal application against Superior Wood in the Fair Work Commission.

The employer unsuccessfully tried to argue that the Employee Record Exemption applied in this case, with the Full Bench of the Fair Work Commission finding that Lee’s termination was unlawful because:

  • Personal information can only be demanded if it is reasonably necessary. There were alternative methods the employer could use to record access to the workplace. Such a high security technology was not necessary for the business in question; and
  • Fingerprints are classified as sensitive information. The collection of sensitive information requires the express consent of the employee. In this case, the employee was not given the option to refuse.

It is worth noting that the Employee Record Exemption may have applied if Lee’s employment contract contained a condition of employment requiring him to provide his fingerprints and/or required him to comply with all workplace policies and procedures as and when updated.

Travel History

The case of Knight v One Key Resources (Mining) Pty Ltd t/as One Key Resources was a little different. In that case, the employer, One Key Resources, required all its employees to complete a COVID-19 survey confirming their travel history and upcoming travel plans. When Knight refused to comply with the direction claiming such information was sensitive under the Privacy Act, his employment was terminated. Knight subsequently made an unfair dismissal claim.

The Fair Work Commission held that in this instance, Knight’s termination was lawful as One Key Resources had issued a lawful and reasonable direction which he failed to comply with. The direction was considered lawful and reasonable for a few reasons, including the following:

  • The information requested was not sensitive under the Privacy Act;
  • Providing your employer with information about where you have travelled is required under workplace safety legislation to ensure a safe workplace (free of COVID-19); and
  • The Information Commissioner had issued a statement allowing employers to obtain information from their employees and visitors about COVID-19 (to the extent reasonably necessary).

Understanding your privacy obligations

As an employer, understanding your privacy obligations is key to successfully managing your employees. There are a few things you can do as an employer to make sure that you are taking reasonable steps to mitigate risks against privacy complaints and unfair dismissal applications:

  • Determine whether you are an APP entity that must comply with the Privacy Act.
  • Know what industry Awards, employment contracts and other workplace agreements say about the collection of employee personal information.
  • Generally, only collect personal information that directly relates to an employee’s employment.
  • Put in place a privacy policy which includes information about how the business collects, uses and protects employee information. The privacy policy should also set out how an employee can communicate concerns about how their information is being collected, held, maintained, and used.
  • Consider whether employment contracts should make employment conditional on compliance with certain workplace policies and procedures as updated from time to time.
  • When collecting sensitive employee information, ensure the employee can consent to the collection.

Finally, if you are considering dismissing an employee for not handing over personal information, know what your obligations under the Privacy Act are before you do so.

