Employer obligations when handling employee personal information

A look at privacy and disclosure

As a matter of routine, businesses collect a great deal of personal information about potential and current employees. There is the obvious basic information that most people don’t think twice about disclosing to an employer, like their full name and their work experience. However, employers are often required to collect much more sensitive information about employees such as health records, bank details and background checks. Such information needs to be carefully handled.

In the face of recent cyber attacks against large organisations, it’s now more important than ever that employers understand their ethical and legal obligations in order to prevent personal information breaches. The costs and resources committed to responding to breaches and handling complaints are significant, not to mention the loss of trust and damage to the reputation of a business.

Employers must adhere to relevant legislation when it comes to collecting and storing personal information. Failure to correctly adhere to legal requirements can lead to regulatory actions.

Legislation applicable to employee personal information

The key piece of legislation governing the collection and use of employee details is the Australian Privacy Act 1988.

The purpose of the Act is to promote and protect the privacy of personal information. The Privacy Act includes 13 legally binding Australian Privacy Principles (APPs) which form the cornerstone of the privacy protections in the Act. The legislation gives individuals certain rights in relation to their personal information and regulates the way personal information is handled by businesses.

The Privacy Act and APPs apply to:

  • Most Australian Government agencies, and
  • All private sector and not-for-profit organisations with an annual turnover of more than $3m.

In addition to the Privacy Act, the Fair Work Act requires employers to collect (and store for seven years after the end of the individual’s employment) accurate and complete records for all their employees including general records, pay records, hours of work, leave and superannuation contributions.

Understanding employer obligations under this legislation can be a bit confusing. There are exemptions to the rules which complicate things somewhat. Let’s take a look at some key considerations:

What to consider when collecting personal information from employees

Collecting personal information should always be done with great care. There are several questions an employer needs to ask before collecting details from an employee:

  1. What exact information needs to be collected?
  2. Why does the company need this information? What is the purpose of the collection?
  3. Is this collection lawful and fair?
  4. What might be an unlawful purpose?
  5. Does the information need to be identifiable?
  6. Who is the information being collected from?
  7. Is the information actually accurate?

Employers need to also consider whether the information is sensitive, as sensitive information must be handled with a higher standard of care.

Notifying employees about the collection of personal information is an absolute must. Employers should generally notify employees before collecting their personal information or at the time of collection. If that cannot be done, notification should be given as soon as possible after the collection.

Notice can be given either verbally or in writing. A Collection Statement is one way to provide notice in writing and should ideally be separate from an employer’s Privacy Statement. The Collection Statement should detail why a company is collecting certain information, how the information will be used and how an employee can request access to the information.

What exactly is an employee record?

As stated above, the Fair Work Act requires employers to collect and store employee record details for seven years after the end of the individual’s employment.

An employee record is defined as a record of personal information that an employer holds which relates to the employment of a potential, current or former employee. There are some blurred lines between what is and is not considered necessary to include in an employee record.

Examples of information which is appropriate to include in an employee record are:

  • Job application details including CV and on-boarding
  • Engagement, training, disciplining, resignation or termination of employment
  • Contract or terms and conditions of employment
  • Personal and emergency contact details
  • Hours of employment
  • Salary/wages
  • Membership of a professional or trade association or trade union membership
  • Recreation, long service, sick, maternity, paternity or other leave related information
  • Personal taxation, banking and superannuation details

Exemptions to information handling legislation

The handling of employee records in relation to current and former employment relationships is exempt from the Australian Privacy Principles in certain circumstances.

The exemption applies if the organisation’s act or practice is directly related to:

  • Either a current or former employment relationship between the employer and the individual
  • An employee record held by the organisation relating to the individual

This means that an employer does not need to comply with the Privacy Act when it handles current and past employee records for purposes directly related to the employment relationship.

However, not all information is necessarily considered to be “relating to the employment” of an employee, so employers should not assume a blanket exemption applies.

For example, in Jeremy Lee v Superior Wood Pty Ltd [2019], the employer introduced fingerprint scanners for employees to sign on and off a work site. An employee refused to use the scanners. The Fair Work Commission held that the collection of personal information in the form of fingerprint scanning did not fall under the employee records exemption, as it related to the collection, and not the use, of the employee’s personal information.

Examples of when the exemption does not apply to employee records are:

  • Processing job applications: the information of candidates or job applicants is not part of an employee record until they become an employee – privacy rules apply until then.
  • Employee health information: existing State health records laws (in Victoria, NSW and ACT) apply instead.
  • During collection: the exemption only usually applies to personal information already held by the employer. This means collection and notice privacy rules apply when collecting information and consent is required to collect sensitive information such as health, biometrics, gender or race.
  • Employee information is shared with or collected by a third party on the employer’s behalf: the third party must comply with the privacy rules and their contract with the employer must require this.
  • Tax File Numbers: strict privacy laws as well as other laws apply to TFNs.
  • Surveys: depending on the purpose, the questions, the information collected and who conducts it, the exemption may not apply and the privacy or health records laws will.
  • Next of kin or emergency contact details: to the extent this information is about other individuals, the privacy rules apply.
  • Use or sharing by the employer for a purpose not directly related to or necessary for employment: the usual privacy rules apply.

Using and disclosing personal information

An employer ‘uses’ personal information when it handles or manages the information while retaining control of it. When an employer makes the information accessible or visible to others outside the organisation, it no longer controls the information, and the information is therefore being ‘disclosed’.

Generally, an employer can use or disclose personal information for the same reason it was collected (primary purpose). The personal information can only be used or disclosed for another purpose where the individual consents or where an exception applies (secondary purpose).

A closer look at consent

In order for an employee to consent to their personal information being either used or disclosed, the following conditions must be met:

  • The person must be adequately informed
  • Consent must be voluntary
  • Consent must be current and specific
  • The person giving consent must have the capacity to understand and communicate consent.

The Fair Work Ombudsman recommends the best practice approach of asking for your employee’s consent each time you disclose personal information about them, such as in the case of information requested by a Fair Work Inspector, a government agency or union body.

Recommendations for employers

In summary, it is recommended that employers implement clear policies which advise employees of what personal information the employer requires them to provide and set out the manner in which the employer will use and disclose that personal information. Good privacy practices in a workplace affirm an employer as trustworthy and protect against the legal and reputational repercussions of unauthorised access to or misuse of personal information.

Sensitive information needs to be handled with a greater degree of care and employers need to have a clear understanding of what is and isn’t appropriate to incorporate into employee records.

Unsure about your employer obligations in regards to handling employee information? Contact the team at Harrison Human Resources for advice.
