It is likely that changes will be made to the Employee Records Exemption. We explore what this could look like, plus additional proposals likely to impact employers.
Australian employers are going to have to wait longer to fully understand how forthcoming changes to Australia’s privacy laws will impact them. Although the recently released Privacy Act Review Report has flagged that some changes to the “Employee Records Exemption” will be made, the Government proposes to consult further before finalising the extent of those changes.
The Australian Government’s review of the Privacy Act 1988 (Cth) (Privacy Act) has continued to progress, with the Privacy Act Review Report (Report) being released by the Attorney-General’s Department on 16 February 2023.
Running to 320 pages, the Report contains a raft of proposals intended to strengthen Australia’s privacy framework. The proposals reflect calls for stronger protections in the wake of recent high profile cyber-attacks, more effective enforcement, more avenues for individuals to seek remedies, and other measures to bring Australia in line with international standards.
Of greatest relevance to employers is the Report’s consideration of proposals to reform the employee records exemption (ER Exemption). In October 2022, we published an article which discussed the various proposals for reforming the ER Exemption (that article can be found here).
While the Report concluded that enhanced privacy protections should be provided to private sector employees, it did not reach a conclusion on the form that those enhanced protections should take. The Report instead recommends further consultation with employee and employer representatives on the issue.
It therefore looks certain that reform is coming, but the extent of that reform and the way in which it will be implemented is still uncertain.
What do employers need to know about the Report?
The ER Exemption currently exempts employers from the operation of the Privacy Act in respect of acts or practices that are directly related to a current or former employment relationship with an individual, and in respect of the employee records the employer holds relating to that individual.
Three options for reforming the ER Exemption are being considered:
- removing the ER Exemption completely;
- modifying the ER Exemption to better protect employee records, but retain the flexibility that employers need to administer the employment relationship; and
- retaining the ER Exemption in its current form and using workplace relations legislation to enhance employee privacy protections.
The Report observes that stakeholders are divided along employer/employee lines regarding whether and how to reform the ER Exemption. This should not be surprising – employers do not want to be subject to further regulation, whilst employees expect that personal information their employers hold about them should be subject to the same protections as their personal information held by other organisations.
The Report acknowledges that there are legitimate concerns on both sides. In the absence of any clear path for reform of the ER Exemption, the Report proposes that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections should be extended to private sector employees, with the aim of:
- increasing transparency for employees about what their personal information is being collected and used for;
- ensuring that employers have the flexibility to collect, use and disclose personal information that is reasonably necessary to administer the employment relationship (whilst considering the scope of individual rights and whether consent should be required for collection of sensitive personal information);
- ensuring employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when no longer required; and
- ensuring employees and the Office of the Australian Information Commissioner (OAIC) are notified of any data breach that is likely to result in serious harm.
That consultation should also consider the interaction between privacy and employment laws. This reflects a concern that shoehorning privacy laws into the Fair Work Act 2009 (Cth) (FW Act) risks fragmenting the legal framework for privacy protections across multiple statutes and regulators. On the other hand, the Report identifies possible benefits to strengthening privacy protections via the FW Act, including that it would cover more private sector employees than the Privacy Act and would facilitate access to a no costs jurisdiction, informal dispute resolution and protection from adverse action.
We expect that employers will be particularly interested in tracking further developments on the following issues:
- Will a right of access be extended to employees?
The Report notes that submissions favouring retention of the ER Exemption expressed particular concern about extending the rights of access and correction under APPs 12 and 13 to employees. It is possible that these rights will be carved out from any relaxation of the ER Exemption, given the administrative burden and cost they would impose on employers, as well as the difficulties they would create in managing disciplinary, performance and other employment issues. Experience in the UK and Europe has shown that extending such rights to employee information is likely to introduce a new flashpoint for disputes in the employment relationship, with such rights often being used as a tool to obtain information as a precursor to litigation or otherwise to apply pressure on employers in contentious contexts.
- What role will consent play?
An issue to watch in the employment space is consent. Currently under the Privacy Act, consent is required in some circumstances (e.g. to collect sensitive personal information). The Privacy Act merely provides that consent may be express or implied. The Report proposes amendments to the statutory definition of consent, so that it must be voluntary, informed, current, specific and unambiguous.
However, there is likely to be specific consultation around how consent works in the employment context and to what extent it can be given freely. Under the GDPR and in the UK, the approach taken is that consent must be freely provided and simple to withdraw, and that due to the power imbalance inherent in the employment relationship, consent is unlikely to be genuinely given, so a different lawful basis for processing an employee’s personal data is usually required. Adopting a similar approach in Australia would be a stark departure from recent case law considering the validity of consent in an employment context (see, for example, CFMMEU & Ors v BHP Coal  FWC 81).
It is possible that legislative changes will give employers specific exceptions from requiring consent. The Report notes that submissions arguing for the removal or a narrowing of the ER Exemption mostly accepted that there is a need for a degree of flexibility to ensure employers can administer the employment relationship and that this may include, for example, exceptions so that all employers can process their employees’ personal information without consent under APPs 3 and 6.
The proposal relating to the ER Exemption is just one of 30 broad proposals (and many more sub-proposals) set out in the Report, many of which would fundamentally change how privacy is regulated in Australia. Some of these proposals may apply to employers if changes are made to the ER Exemption, and others will be relevant to employers regardless of any changes to the ER Exemption. Of particular interest to employers will be proposals for:
- the removal of the small business exemption (subject to an impact analysis and consultation with small business);
- the introduction of a direct right of action (i.e. employees could be empowered to bring claims against employers in relation to breaches of the Privacy Act);
- a statutory tort for serious invasions of privacy to allow individuals to seek compensation in court for breaches of privacy that fall outside the scope of the Privacy Act;
- the potential introduction of standardised templates for privacy policies and collection notices;
- a requirement that collection, use or disclosure be ‘fair and reasonable’ in the circumstances (subject to certain limited exceptions and judged according to an objective ‘reasonable person’ test). In particular, the OAIC submitted that requiring this of employers would provide additional checks and balances on their handling of employee personal information in a context where individuals have limited control over how their information is used;
- organisations to conduct a Privacy Impact Assessment before commencing any ‘high-risk activity’ (which may be defined as any function or activity that is likely to have a significant impact on the privacy of individuals);
- a requirement to designate a senior employee responsible for privacy (similar to the GDPR requirement to have a Data Protection Officer), which can be an additional responsibility allocated to an existing employee;
- the expansion of the current right of access to include a right to request an explanation of what the organisation is doing with the personal information (subject to an organisation being able to charge a nominal fee and retaining the exception for commercially sensitive decision-making processes);
- the introduction of a right to object to the collection, use or disclosure of personal information and an obligation on the organisation to provide a written response to an objection with reasons;
- the introduction of a right to have personal information erased (subject to exceptions);
- a review of all Commonwealth laws that require retention of personal information to ensure they are appropriate in light of privacy and cyber security risks of retention; and
- an obligation on organisations to establish minimum and maximum retention periods for the personal information they hold.
What’s next on the road to reform?
The Report states that further consultation will be undertaken with employee and employer representatives on how the ER Exemption recommendations could be implemented in law, including the interaction of any such reforms with existing workplace relations laws.
Consideration will also be given to developing codes of practice regarding the collection, use and disclosure of personal and sensitive information, through “a tripartite process” (which presumably might involve employer/employee representatives and the OAIC or Government).
The Government’s recognition that reform of the ER Exemption is an area in need of further consultation reflects the difficulty of striking the right balance between protecting the privacy of employees and avoiding onerous compliance burdens on employers. The Government has invited feedback from the public on the proposals, with a deadline for submissions of 31 March 2023, and intends to formally respond to the Report and then develop draft legislation this year.
No timeline has been provided for the proposed consultation with employee and employer representatives regarding the ER Exemption.
For more information on the Privacy Act Review Report, see our Privacy team’s detailed analysis here.