Changes to Employee Records Exemption likely
Australian employers are going to have to wait longer to fully understand how forthcoming changes to Australia’s privacy laws will impact them.
Although the recently released Privacy Act Review Report has flagged that some changes to the “Employee Records Exemption” will be made, the government proposes to consult further before finalising the extent of those changes.
Background
The Australian government’s review of the Privacy Act 1988 has continued to progress, with the Privacy Act Review Report being released by the Attorney-General’s Department on 16 February 2023.
Running 320 pages, the report contains a raft of proposals intended to strengthen Australia’s privacy framework. The proposals reflect calls for stronger protections in the wake of recent high profile cyber-attacks, more effective enforcement, more avenues for individuals to seek remedies, and other measures to bring Australia in line with international standards.
Of greatest relevance to employers is the report’s consideration of proposals to reform the employee records exemption (ER Exemption). While the report concluded that enhanced privacy protections should be provided to private sector employees, it did not reach a conclusion on the form that those enhanced protections should take. The Report instead recommends further consultation with employee and employer representatives on the issue.
It therefore looks certain that reform is coming, but the extent of that reform and the way in which it will be implemented is still uncertain.
What do employers need to know about the report?
The ER Exemption currently exempts employers from the operation of the Privacy Act for acts or practices that are directly related to a current or former employment relationship with an individual and to the employee records the employer holds relating to that individual.
Three options for reforming the ER Exemption are being considered:
- removing the ER Exemption completely
- modifying the ER Exemption to better protect employee records, but retain the flexibility that employers need to administer the employment relationship
- retaining the ER Exemption in its current form and using workplace relations legislation to enhance employee privacy protections.
The Report observes that stakeholders are divided along employer/employee lines regarding whether and how to reform the ER Exemption. This should not be surprising – employers do not want to be subject to further regulation, whilst employees expect that personal information their employers hold about them should be subject to the same protections as their personal information held by other organisations.
The Report acknowledges that there are legitimate concerns on both sides. In the absence of any clear path for reform of the ER Exemption, the report proposes that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections should be extended to private sector employees, with the aim of:
- increasing transparency for employees about what their personal information is being collected and used for
- ensuring that employers have the flexibility to collect, use and disclose personal information that is reasonably necessary to administer the employment relationship (whilst considering the scope of individual rights and whether consent should be required for collection of sensitive personal information)
- ensuring employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when no longer required
- ensuring employees and the Office of the Australian Information Commissioner (OAIC) are notified of any data breach that is likely to result in serious harm.
That consultation should also consider the interaction between privacy and employment laws. This reflects a concern that shoehorning privacy laws into the Fair Work Act 2009 (FW Act) risks fragmenting the legal framework for privacy protections across multiple statutes and regulators. On the other hand, the report identifies possible benefits to strengthening privacy protections via the FW Act, including that it would cover more private sector employees than the Privacy Act and would facilitate access to a no costs jurisdiction, informal dispute resolution and protection from adverse action.
We expect that employers will be particularly interested in tracking further developments on the following issues:
Will a right of access be extended to employees? The report notes that submissions favouring retention of the ER Exemption expressed particular concern about extending the rights of access and correction under APPs 12 and 13 to employees. It is possible that these rights will be carved out from any relaxation of the ER Exemption, given the administrative burden and cost that extending them would cause employers, as well as the difficulties in managing disciplinary, performance and other employment issues. Experiences from the UK and Europe have shown how extending such rights to cover employee information would likely introduce a new flashpoint for disputes in the employment relationship, with such rights often being used as a tool to obtain information as a precursor to litigation or otherwise to apply pressure on employers in contentious contexts.
What role will consent play? An issue to watch in the employment space is consent. Currently under the Privacy Act, consent is required in some circumstances (such as to collect sensitive personal information). The Privacy Act merely provides that consent may be express or implied. The report proposes amendments to the statutory definition of consent, so that it must be voluntary, informed, current, specific and unambiguous.
However, there is likely to be specific consultation around how consent works in the employment context and to what extent it can be given freely. Under the GDPR and in the UK, the approach taken is that consent must be freely provided and simple to withdraw, and that due to the power imbalance inherent in the employment relationship, consent is unlikely to be genuinely given, so a different lawful basis for processing an employee’s personal data is usually required. Adopting a similar approach in Australia would be a stark departure from recent case law considering the validity of consent in an employment context (see, for example, CFMMEU & Ors v. BHP Coal [2022] FWC 81).
It is possible that legislative changes will give employers specific exceptions from requiring consent. The report notes that submissions arguing for the removal or a narrowing of the ER Exemption mostly accepted that there is a need for a degree of flexibility to ensure employers can administer the employment relationship and that this may include, for example, exceptions so that all employers can process their employees’ personal information without consent under APPs 3 and 6.
What’s next on the road to reform?
The report states that further consultation will be undertaken with employee and employer representatives on how the ER Exemption recommendations could be implemented in law, including the interaction of any such reforms with existing workplace relations laws.
Consideration will also be given to developing codes of practice regarding the collection, use and disclosure of personal and sensitive information, through “a tripartite process” (which presumably might involve employer/employee representatives and the OAIC or government).
The government’s recognition that reform of the ER Exemption is an area in need of further consultation reflects the difficulties associated with striking the right balance between protecting the privacy of employees and imposing onerous compliance burdens on employers. The government invited feedback from the public on the proposals (the deadline for submissions being 31 March 2023), with a view to formally responding to the report and then developing draft legislation this year.
No timeline has been provided for the proposed consultation with employee and employer representatives regarding the ER Exemption.
Miles Bastick is a partner and Alexandra McPherson is a senior associate, both in the Employment, Pensions & Incentives team with Herbert Smith Freehills in Sydney. Ben Harris is an executive counsel with Herbert Smith Freehills in Sydney.