The privacy trap: Privacy obligations owed to employees

When handling personal information about employees, private sector employers haven’t had to concern themselves too much with obligations imposed by the Privacy Act 1988 (Cth) (Privacy Act) because of the application of the ‘employee records exemption’.

However, as employers’ appetites (and abilities) to monitor employees in (and out of) the workplace increases, so too do the legal implications.

What is the employee records exemption?

The ‘employee records exemption’ exempts private sector employers from having to comply with the Privacy Act when handling an employee’s personal information for a purpose directly related to the employment relationship.

However, if a private sector employer handles personal information for a purpose that is not directly related to the employment relationship, the exemption will not apply and the Privacy Act will.

When does the Privacy Act apply, because the exemption won’t?

Employers can attract obligations under the Privacy Act in all sorts of ways (eg. providing employees with additional perks or benefits, such as gym memberships, health services or insurances, the provision of which requires or results in the handling of (non-work related) personal information).

Alternatively, and increasingly, employers are monitoring employees in ways that extend beyond the workplace. Whether through GPS tracking, computer monitoring, video surveillance, call recording, health checks or drug and alcohol testing, most employee monitoring has scope to capture employees’ personal activities.

For example, tracking an employer-provided vehicle (and therefore the employee using the vehicle) during an employee’s work hours is directly related to the employment relationship and exempt from the Privacy Act. However, tracking the whereabouts of the vehicle (and employee) in the employee’s personal time is likely to result in the collection of personal information not directly related to the employee’s employment. The Privacy Act, and its compliance obligations, will therefore apply.

Employee monitoring: it’s not just a matter of privacy!

But it’s not only privacy laws that employers need to consider. Depending on the type of monitoring, and the personal information collected as a result, employers must also comply with applicable workplace surveillance legislation, general surveillance legislation, and/or health records legislation. Each type of legislation will set up specific employer compliance obligations.

What should employers be doing?

Employers will be well placed to demonstrate legal compliance if they have implemented, and communicated to employees, policies on:

  • the reasons for, and methods of, collection of employee information; and
  • the processes in place to manage, control and protect the information collected.


Alison Baker

Alison has more than 20 years’ experience in a wide-ranging employment and privacy practice.

You might be also interested in...

Employment & Workplace Relations | 26 May 2016

Employers on notice: You will be held to account

On 2 May 2016 in an address to the Australian Industry Group PIR Conference, Fair Work Ombudsman (FWO) Natalie James noted that ‘this year, 94% of the matters we have filed in court seek to hold someone other than the employer to account.’

Employment & Workplace Relations | 30 May 2016

Drugs, lies and dismissal: employee ordered to pay indemnity costs

A truck driver who knowingly brought an unfair dismissal claim based on a fabricated drug test result has been ordered to pay his employer’s costs of over $18,000.