The recent spate of cyber attacks and data breaches in Australia has renewed focus on the Australian Government’s ongoing review of the Privacy Act 1988 (Cth) (Privacy Act). The new Attorney-General, Mark Dreyfus, had already promised “sweeping reforms” and a suite of proposals before the end of the year. However, expectations – of both the scope of those reforms and the speed with which they are introduced – are likely to be heightened in light of recent events.
The key focus of any reforms is likely to be consumer personal data rights. However, there is likely to also be a significant, perhaps monumental, shift in how employers are able to collect, use and disclose their employees’ personal information.
In this article, we look at what Australian employers need to know about the proposals for reform.
What is the review?
The former Coalition Government announced a wide-ranging review of the Privacy Act in December 2019. There have been two rounds of public consultation, in late 2020 (in respect of an ‘Issues Paper’) and late 2021 (in respect of a ‘Discussion Paper’), and roundtable discussions with stakeholders on some specific issues. The final report with recommendations for reform is expected by the end of 2022.
What’s at stake for employers?
The big-ticket item for employers is potential reform of the employee records exemption (ER Exemption). Three options are being considered:
- removing the ER Exemption completely;
- modifying the ER Exemption to better protect employee records, but retain the flexibility that employers need to administer the employment relationship; and
- retaining the ER Exemption in its current form and using workplace relations legislation to enhance employee privacy protections.
Although it is not clear what shape the ER Exemption reform will take (or when any reform may ultimately be achieved), it is clear from the Discussion Paper that some reform is likely, and that employers should expect to be subject to further regulation in relation to how they manage their employees’ personal information.
Current scope of the ER Exemption
The ER Exemption is unique to Australia. It currently exempts an employer from the operation of the Privacy Act for those acts or practices which are directly related to a current or former employment relationship with an individual, and the employee records it holds relating to that individual. In practice, what this means is that employers are not subject to the various requirements of the Privacy Act in respect of their employees’ personal information – including those relating to keeping personal information secure, and obligations to allow access to, and correction of, personal information.
There are a couple of limitations on the ER Exemption, one being that it only applies in respect of current and former employees, and therefore not in respect of job applicants or independent contractors. The more significant limitation is that the ER Exemption may only apply to personal information “held” by employers, based on the decision of the Fair Work Commission in Lee v Superior Wood. The consequence of this is that the Privacy Act requirements apply to the collection of employees’ personal information, but cease to apply once the personal information is collected and becomes an “employee record”. As we have previously written, this decision appears to be a novel interpretation of the ER Exemption, and addressing the impact of it is one of the specific issues identified in the Discussion Paper and a key concern articulated in several of the submissions to the review.
The ER Exemption is not well understood by employers, and often assumed to apply in circumstances where it does not apply. There is concern that the ER Exemption, as currently drafted and interpreted, does not adequately protect the personal information of employees, which is why options for reform are being considered.
Options for reforming the ER Exemption
Whilst removing the ER Exemption might be the simplest approach, there are concerns that doing so would make it difficult to administer the employment relationship. For example, it would give employees a right under Australian Privacy Principle (APP) 12 to access personal information that their employer holds about them, such as information about grievances, performance, or disciplinary processes. There is a real prospect that employees (or their representatives) would use such a right as effectively a “preliminary discovery” process or as a tactic to gain leverage in negotiations. A similar right exists under the European General Data Protection Regulation, and one of the common criticisms of it is that it imposes a significant cost and administrative burden on employers, particularly given the one-month deadline they have for providing the data. Employers in Europe are effectively faced with a choice between, on one hand, trawling through years of data across various internal electronic and hard copy systems to identify and provide data to the employee (after excluding personal data of other employees), and on the other hand, facing potentially significant fines for not complying with the request. In addition to the significant time and cost for employers, such a right may also lead to a reluctance on the part of employees to participate openly in investigations, or on the part of managers to be fulsome and honest in performance appraisals.
In that context, the attraction of a modified ER Exemption is obvious – it would seek to balance the need for greater protection of employees’ personal information (e.g. by subjecting employers to requirements such as the APP 11 requirement to keep information secure, or the APP 8 requirement to notify employees if their information is to be transferred overseas), with the need for employers to administer employment relationships effectively (e.g. by excluding the APP 3 collection requirements and APP 6 use or disclosure requirements). However, as the Discussion Paper acknowledges, any modification of the ER Exemption will need to be carefully thought through. The risk with this “halfway house” approach is that employers will be burdened with significant additional responsibilities whilst employees only gain limited additional protections.
Enhancing employee privacy protections through workplace relations legislation does not, on its face, appear to be the most efficient approach to reform. It would result in employers being subject to one set of privacy laws in relation to their employees’ personal information, and a different set of privacy laws in relation to non-employees’ personal information. Subject to any small business exemption, it could also mean that those currently subject to the Privacy Act’s small business exemption would not have that protection in respect of their employees’ personal information. Finally, as the Discussion Paper points out, the Office of the Australian Information Commissioner (OAIC) does not have jurisdiction over the Fair Work Act 2009 (Cth).
What is the review going to recommend?
Out of the submissions to the review that took a view on the ER Exemption, nearly half supported removing the ER Exemption, around 30% supported amending the ER Exemption, and around 25% supported retaining the ER Exemption in its current form.
What is clear from the submissions is that there is a broad range of positions on this issue, with employee and employer groups divided on whether more or less regulation is required.
It seems unlikely that the ER Exemption will remain in its current form – it is outdated, not consistent with other jurisdictions, and achieving greater protection for employees through workplace relations legislation would be fraught with difficulty.
It appears more likely that the ER Exemption will therefore be removed or amended. Given that there does not seem to be consensus amongst the submissions to the review as to what modifications might be necessary to achieve the balance required to protect employees but not overburden employers, meaningful amendment may prove a step too far.
A more achievable and realistic outcome may be the removal of the ER Exemption, but with some exclusions or exceptions to the application of certain APPs (e.g. APP 12 regarding access to personal information). This may achieve some balance between the interests of advocates for removal, such as the Australian Council of Trade Unions (ACTU) and the OAIC, and the interests of employers.
Other areas of potential reform
Some of the other proposals in the Discussion Paper that employers should be aware of are:
- creation of a direct right of action to allow individuals to bring claims against entities who interfere with their privacy in the Federal Court or Federal Circuit and Family Court (after an OAIC conciliation process) seeking any orders the Court considers appropriate, including damages (Proposal 25.1); and
- a requirement to obtain consent of a parent or guardian before collecting personal information of a child under the age of 16 (Proposal 13.1).
The business community has expressed particular concern about the introduction of any form of direct right of action or statutory tort, instead preferring regulatory oversight and enforcement action to be administered by the OAIC.
In addition, there have been calls to increase the maximum penalties that apply for breaches of the Privacy Act from the current $2.1 million to more meaningful amounts.
Whilst not related to the Privacy Act review, the ACTU has announced that it will start looking to address shortfalls in regulation and safeguards regarding employers’ use and protection of employee data by seeking to incorporate new rights that are implemented and enforceable through collective bargaining. The principles that the ACTU has put forward are:
- employers should be required to protect the data of their employees;
- workers should have a right to access data collected about them, including the right to have that data rectified, blocked or erased;
- workers and their unions must be consulted and agreement reached before the introduction of new systems which enable surveillance or monitoring of workers;
- data collected should be minimised to only what is absolutely necessary;
- policies and processes for data collection should be transparent and available to workers and their unions; and
- biometric and GPS or location data should only be collected where there is no other viable option.
Some of these principles correspond broadly with the APPs (and would therefore apply in the event that the ER Exemption was removed). However, implementing them through collective bargaining, instead of a national law, would become very challenging administratively for employers. In particular, it could result in employers being subject to different obligations in respect of the personal data of different cohorts of employees.
The recent cyber attacks/data breaches and the reaction from the media and Government are a timely reminder of the reputational and financial risks associated with compromises to the security of personal information.
It is highly likely that reforms will be implemented during this term of government (despite history suggesting that privacy law reform is slow to be achieved). In the short term, it is unlikely that those reforms will go as far as foreign regimes like the EU’s General Data Protection Regulation, but businesses should nonetheless prepare for radical changes in the way Australian law regulates this space, including the possibility of new legal rights exercisable by employees.
While we await the final recommendations of the review, now is a sensible time for employers to think about the existing mechanisms they have in place for collecting, storing and processing personal information of employees so that the impact of any changes can be readily assessed once those changes are announced.
Lee v Superior Wood Pty Ltd FWC 2946.