Employers face potentially radical changes to the way Australian law regulates their ability to collect, use and disclose employees’ personal information.

The Australian Government’s review of the Privacy Act 1988 (Cth) (Privacy Act) is expected to deliver sweeping reforms before the end of the year. 

For employers, the most significant potential reform relates to the employee records exemption (the Exemption), and while specific reforms remain unclear, employers should expect to be subject to further regulation in relation to how they manage their employees’ personal information.

In this article, we explore what employers need to know.


The Exemption, which is unique to Australia, exempts employers from the operation of the Privacy Act for practices directly related to a current or former employment relationship with an individual, and the employee records they hold relating to that individual.

This means that employers are not subject to the various requirements of the Privacy Act in respect of their employees’ personal information – including those relating to keeping personal information secure, and obligations to allow access to, and correction of, personal information.

There are limitations on the Exemption, one being that it only applies in respect of current and former employees, and not job applicants or independent contractors.

Another is that it may only apply to personal information “held” by employers, based on the decision of the Fair Work Commission in Lee v Superior Wood [1]. Consequently, the Privacy Act requirements apply to the collection of employees’ personal information but cease to apply once the personal information becomes an “employee record”.

The Exemption is not well understood by employers and there is concern that it does not adequately protect the personal information of employees, which is why reforms are being considered.


Three options are being considered:

  1. removing the Exemption;
  2. modifying the Exemption to better protect employee records, but retain the flexibility that employers need to administer the employment relationship; and
  3. retaining the Exemption in its current form and using workplace relations legislation to enhance employee privacy protections.


Removing the Exemption

This might be the simplest approach; however, there are concerns that doing so would make it difficult to administer the employment relationship. For example, it would give employees a right under Australian Privacy Principle (APP) 12 to access personal information that their employer holds about them, such as information about grievances, performance, or disciplinary processes.

There is a real prospect that employees (or their representatives) would use such a right as effectively a “preliminary discovery” process or as a tactic to gain leverage in negotiations.

A similar right exists under the European General Data Protection Regulation, and one of the common criticisms of it is that it imposes a significant cost and administrative burden on employers, particularly given the one-month deadline they have for providing the data.

Employers in Europe are effectively faced with a choice between, on one hand, trawling through years of data across various internal electronic and hard copy systems to identify and provide data to the employee, and on the other hand, facing potentially significant fines for not complying with the request.

In addition to the significant time and cost for employers, such a right may also lead to a reluctance on the part of employees to participate openly in investigations, or on the part of managers to be fulsome and honest in performance appraisals.

Modifying the Exemption

A modified Exemption would seek to balance the need for greater protection of employees’ personal information with the need for employers to administer employment relationships effectively (e.g. by excluding the APP 3 collection requirements and APP 6 use or disclosure requirements).

However, any modification of the Exemption will need to be carefully thought through. The risk with this “halfway house” approach is that employers will be burdened with significant additional responsibilities whilst employees only gain limited additional protections.

Retaining the Exemption and using workplace relations legislation to enhance employee privacy protections

This does not, on its face, appear to be the most efficient approach to reform. It would result in employers being subject to one set of privacy laws in relation to their employees’ personal information, and a different set of privacy laws in relation to non-employees’ personal information.

Subject to any small business exemption, it could also mean that those currently subject to the Privacy Act’s small business exemption would not have that protection in respect of their employees’ personal information.


It seems unlikely that the Exemption will remain in its current form – it is outdated, not consistent with other jurisdictions, and achieving greater protection for employees through workplace relations legislation would be fraught with difficulty. Even if it did remain, the Australian Council of Trade Unions has announced that it intends to seek to incorporate new employee data rights and protections through collective bargaining, which would be difficult for affected employers to manage.

It appears more likely that the Exemption will be removed or amended. Given that there does not seem to be consensus amongst the submissions to the review as to what modifications might be necessary to achieve the balance required to protect employees but not overburden employers, meaningful amendment may prove a step too far.

A more achievable and realistic outcome may be the removal of the Exemption, but with some exclusions or exceptions to the application of certain APPs. This may achieve some balance between the interests of advocates for removal, such as the Australian Council of Trade Unions and the Office of the Australian Information Commissioner, and the interests of employers.


While we await the final recommendations of the review, employers should consider the mechanisms they have in place for collecting, storing and processing personal information of employees so that the impact of any changes can be readily assessed once those changes are announced.

[1] Lee v Superior Wood Pty Ltd [2019] FWC 2946.

Key contacts

Miles Bastick

Partner, Sydney

Alexandra McPherson

Senior Associate, Sydney

Wendy Fauvel

Partner, Brisbane

Anna Creegan

Partner, Perth
