Submission: Employee Records Privacy Review (May 2004)
Office of the Federal Privacy Commissioner
April 2004
1. Executive Summary
The privacy of personal information contained in employee records is extremely important to individual employees and to the Australian community. Individuals must be able to understand, manage and retain their privacy in the simplest and most effective way possible, whether that is the privacy of their employee information or their personal information more generally; and whether this is in regard to their sensitive information, or their other personal information.
The major role that work plays in people’s lives underpins the importance of ensuring effective privacy protection in the workplace. Work is not simply an economic necessity, but often serves to fulfil a basic human need to contribute to the community. The best workplace relationships are built on communication, trust and responsibility, and like other human relationships are complex and shifting. Both employers and employees introduce personal information into these relationships, trusting that this data will be used wisely, carefully and for only proper purposes. If this trust is breached, the employee needs a means of redress. In addition, the rapid growth of information and communication technologies combined with growing concerns about fraud, cybercrime and terrorism mean that the issue is not static. The risks to both employees and employers are growing correspondingly. One consequence is that these rapid advances in information and other technologies have resulted in employees coming under ever greater scrutiny. Consequently, if there is a lack of effective privacy regulation, or an increase in poor privacy outcomes, in private sector workplaces as a result of the employee records exemption, then this is of significant concern.
The right to privacy is not absolute, however, and requires the balancing of employee privacy with a number of other factors, such as the need for business to fulfil its commercial functions and related responsibilities, and the workplace relations record-keeping obligations placed on employers. Indeed, section 29 of the Privacy Act requires the Commissioner to have:
… due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way.
I have borne these considerations in mind during the administration of the private sector privacy scheme. Now, after more than two years of operation, the Office has the opportunity to observe upon the impact of this exemption. The Office is now in a position to make an assessment of Australia’s experience so far in working with the exemption. It is notable, for instance, that even though it seems to be fairly widely known by business and the broader community that the Office has no jurisdiction in this area, we continue to receive enquiries on many workplace privacy issues at a significant rate.
Given our experience to date, and taking into consideration the proposed options in the Discussion Paper, I support the removal of the exemption from the Privacy Act. This would bring employee records under the jurisdiction of the Act, and more specifically the National Privacy Principles. It would provide greater consistency of coverage across public and private sector workplaces, and bring federal privacy legislation in line with other privacy law that protects private sector employee records (for example, the Victorian Health Records Act 2002). This step would bring greater clarity, particularly for employers, in relation to their information handling obligations and the extent of protection for personal information in employee records. It would also deliver, in most cases, the certainty and ease of a central, accessible system for the non adversarial resolution of complaints brought by employees. In the international context, ensuring greater privacy protection for employee records would help to address concerns from some of Australia’s trading partners about the level of protection accorded to employee records data transferred into Australia.
Just as importantly, the removal of the exemption is the simplest way of implementing Recommendations 34-1 and 34-2 of the ALRC/AHEC Report No 96, Essentially Yours. The alternatives, such as a re-inclusion of genetic information (and health information other than genetic information) for coverage by the Act, in respect of matters that would otherwise fall within the exemption, would result in extreme administrative complexity for all parties – employers, employees, privacy code adjudicators and this Office.
2. Introduction
I welcome the opportunity to make a submission to the review of the employee records exemption in the Privacy Act 1988 (the Act), which is being conducted by the Attorney General’s Department and the Department of Employment and Workplace Relations. The Discussion Paper (DP) released by Ministers in February 2004 contains an overview of the scope of the Privacy Act and the employee records exemption and I do not intend to revisit these matters in this submission.[1]
The submission is structured as follows: Part 1 (preceding) provides an Executive Summary; Part 2 covers the history of the review of the exemption; Part 3 deals with my submissions to the House of Representatives and Senate Parliamentary Inquiries during the passage of the Bill; Part 4 covers the Office’s operational experience since 2001 in relation to the exemption; Part 5 discusses the proposed options in the Discussion Paper, and Part 6 sets out my views on the recommended option, and contains concluding remarks.
On 29 November 2000, in light of the exemption for employee records in the private sector, the then Attorney-General, the Hon. Daryl Williams AM QC MP, and the then Minister for Employment, Workplace Relations and Small Business, the Hon. Peter Reith, announced that the Government would review existing Commonwealth, State and Territory laws to consider the extent of privacy protection for employee records and whether there was a need for further measures.[2] The relevant news release also stated that:
The review will commence after the Privacy Amendment (Private Sector) Bill 2000 – which is due to be debated by the Senate this week – is enacted but before it comes into effect 12 months later. Employee records held by employers are exempt from the coverage of the legislation.
…
The Government will await the outcome of the review before considering what, if any, action should be taken in relation to privacy and employee records. The review will be completed in time to assist the Privacy Commissioner when he conducts the more general review of the legislation two years after it commences operation.
The principal aim of the review, as reflected in the DP, is to examine the existing level of privacy protection for employee records and to consider whether the existing arrangements need adjustment to ensure adequate protection. The DP states that there will be a report to the Attorney‑General and the Minister for Employment and Workplace Relations as a result of these consultations.
The timeframe for the current review is unstated, leaving unclear how the outcomes of the process will connect with the more comprehensive review of the private sector privacy provisions in the Act. This review was to be conducted by the Privacy Commissioner ‘after two years of operation’ (of the private sector provisions) as foreshadowed by the Attorney-General at the time of passage of the amending legislation in 2000. Originally, as noted above, the Government envisaged that the review of the employee records exemption would be completed in time to assist the Privacy Commissioner, when conducting that more general review.
3. Privacy Commissioner’s submissions to Parliamentary Inquiries
Before discussing the options identified in the Discussion Paper, I refer to my submissions to the House of Representatives’ Standing Committee on Legal and Constitutional Affairs Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000, and subsequently to the Senate Legal and Constitutional Legislation Committee’s Inquiry into the bill.
The former submission was made in May 2000 (see extract at Attachment 1).[3] This submission urged caution in implementing the employee records exemption as our experience showed that the privacy of employee records was an important issue already. This was evidenced by the significant rate of complaints made to the Office relating to interferences with employee privacy in Commonwealth public sector workplaces (at that time, 16% of complaints).
The submission noted that privacy protection under existing workplace relations legislation appeared to be indirect. It noted concerns about fairness and consistency in utilising negotiated arrangements to deal with privacy matters, because of the imbalance in power between the parties. It indicated also that there may be gaps in protection for personal information due to differences in the range of matters covered by awards or employment contracts, which may lead to inappropriate collection, use and disclosure of employee personal information by employers. In particular, the submission noted that the exemption would be inconsistent given the additional protection afforded to sensitive information in other parts of the bill, while such information would be largely unprotected in an employee record. The submission stated that if retained, the exemption should be very accurately targeted.
The submission identified the following options for narrowing the employee records exemption:
- limit the exemption to the collection and use of personal information, but not exempt disclosures, except in very limited circumstances;
- provide that the Commissioner can issue guidelines on what is acceptable for inclusion in an ‘employee record’ and on what is an ‘act or practice that is directly related to a current or former employment relationship’;
- add a new paragraph 7B(3)(c) that limits the exemptions to ‘duties and obligations arising out of the employment relationship’; or
- attach a ‘note’ in the bill to the exemption in respect of employee records to give some practical examples of what constitutes such a record.
In June 2000, the House of Representatives Legal and Constitutional Affairs Committee reported on the bill. It made a number of recommendations to modify the exemption for employee records.
On 16 August, the bill was referred to the Senate Legal and Constitutional Legislation Committee to examine the exemptions. The Office made a submission to the Senate Inquiry supporting the House Committee’s recommendations (see Attachment 2). On 10 October, the Senate Committee’s report essentially supported the amended bill, but with dissenting reports from the Opposition and the Democrats including in relation to this exemption. When debated in the Senate in November, the Opposition and the Democrats sought further amendments to the bill.
On 5 December 2000, the bill returned to the House where the Government opposed these Senate amendments to narrow the employee records exemption. Upon passage of the bill, the Government announced its intention to review existing Commonwealth, State and Territory laws in respect of the privacy protection of employee records.
In light of our experience over the past two years (as discussed in section 4), my current view is that the options outlined above, while perhaps useful nearly four years ago, are now limited in scope, applicability and likely effectiveness; and in some cases were superseded when the legislation was enacted. For example, section 7B(3) already limits the exemption to acts or practices that are directly related to the current or former employment relationship and the employment record; and the definition of ‘employee record’ in section 6(1) of the Act already lists some practical examples of personal information relating to the employment of an employee. With the passage of time, and given the Office’s experience, it is necessary to look more broadly if there is a need to re-consider the effectiveness of the privacy protection of private sector employee records in Australia.
4. Our experience of the employee records exemption
The need for guidance
To assist the private sector in implementing the provisions of the new legislation, the Office developed Information Sheet 12 – 2001 Coverage of and Exemptions from the Private Sector Provisions, which discussed (in part) the employee records exemption.[4] Between December 2001 and the end of February 2004, this Information Sheet generated 33,595 hits and downloads from the website, indicating a notable level of interest and need for explanatory information by the community. We have also distributed approximately 8,500 hard copies of the Information Sheet.
By comparison, Information Sheets 4 (Access and Correction) and 7 (Unlawful Activity and Law Enforcement)[5] have generated only 16,767 and 16,538 hits and downloads respectively. These are Information Sheets about other areas of the National Privacy Principles (NPPs) that we expected would result in significant interest. Comparatively, these statistics indicate a higher level of interest in employee records privacy issues than is the case for the small business exemption, which is another significant exemption in the Act.
In March 2000, the Office issued Guidelines on Workplace E-mail, Web Browsing and Privacy for Commonwealth (and ACT) agencies. Although these guidelines were intended for use in the public sector, in response to a demand for guidance, we are encouraging private sector organisations to use these guidelines for privacy best practice.[6] As this is an area of activity that is exempt from regulation, and our resources require the taking of careful decisions about the guidance material we can develop, we have not been in a position to offer guidance to the private sector on the monitoring of employee email and web browsing. It is notable, however, that employer surveillance and monitoring has been a constant topic of media interest in recent times (see Media below).
Enquiries
During the period between 21 December 2001 and 8 April 2004 the Office received:
- 4,664 written enquiries – 202 (4.3%) related to the employee records exemption; and
- 50,731 telephone enquiries – 2328 (4.6%) related to the employee records exemption.
Whereas figures for enquiries relating to the small business exemption for the same period were:
- 40 written enquiries (0.9%); and
- 1367 telephone enquiries (2.7%).
Comparatively, the level of interest in, and the need for advice and information on, the employee records exemption is significantly higher than that for another complex and much discussed exemption (for small business). Although these figures may appear low, they could represent the ‘tip of the iceberg’. For instance, the numbers of enquiries may have been higher without the advice in the Information Sheet about the exemption and the Office’s inability to investigate complaints in this area. The very existence of the exemption will have deterred some enquirers, knowing nothing could be done.
In addition to the examples of the types of enquiries (and complaints) listed in the DP, other issues that have been raised with us include:
- the fairness and lawfulness of an employer collecting personal information of employees in the form of:
  - drug testing – a caller, working in a chemical factory, was required to have an annual blood test to ascertain the level of chemicals in their blood. The caller was concerned about the use of this information to conduct other drug testing without their consent;
  - compulsory wearing of name badges;
  - finger printing and the scanning of hands for ID purposes; and
  - requiring excessive details about an employee’s illness when claiming sick leave;
- the denial of access to personnel and performance review records;
- disclosure of an employee record by a former employer to a prospective employer without consent;
- security of employee information submitted by employees for the purpose of obtaining ‘top secret’ security clearance;
- disclosure of an employee’s information, including sensitive information, to other employees; and
- disclosure of an employee’s information in a brochure advertising the employer’s services.
Complaints
During the period (December 2001 to April 2004), the Office received 2612 complaints, of which 48 (1.8%) related to employee records. These were ‘declined’, as they were not able to be investigated because of the exemption. By comparison, the Office declined to investigate 70 complaints (2.7% of all complaints) during the same period on the basis of the small business exemption. The Office declined 7 complaints (0.27%) due to the journalism exemption.
Complaint numbers are small, with fewer relating to employee records matters than to small business. These relatively low numbers of complaints should not be interpreted as a lack of public concern. Rather, it is likely that people are discouraged from making complaints on the basis of advice they have received about the effect of the exemption on their situation. In some situations, individuals may have taken their complaints to other organisations such as unions, employee advocacy groups or state-based regulatory agencies.
Complaints and enquiries illustrate the seriousness and breadth of the employee privacy issues the Office has encountered, but often has been unable to act upon. Much of the significance of these employee records enquiries and complaints lies in the range of information that employers can have access to in relation to their employees. While much of that information is required and used for valid reasons, there is the risk of improper exploitation of material within the employment context, or simply mistaken misuse. In either case, this leaves employees needing an accessible and effective mechanism for redress, and this does not exist currently.
Furthermore, sensitive information is so intensely personal that it often goes to a person’s sense of identity. Sensitive information (as defined in s.6 of the Act) should be protected within the current regulatory framework in all circumstances. It is difficult to argue that a privacy infringement of an individual’s sensitive information is always proportional to the benefit gained by an organisation from that infringement. For example, the Office received a complaint that a manager in an organisation disclosed personal information about an employee’s HIV/AIDS status to co-workers. The individual was intensely embarrassed and ashamed to face their co-workers. In the given circumstances, the complaint was declined because it was considered to have fallen within the exemption. Such an infringement of an employee’s privacy is unlikely to demonstrate an appropriate balance between the interests of the parties.
The exemption also means that one of the most important privacy principles is not available for employees. The access provisions (at NPP 6), which underpin the transparency of the handling of personal information generally, are not available to employees. If they were, they could enable an employee to access his/her personal records, and seek to rectify any errors, with the corollary advantages of emphasising openness and trust in the employment relationship.
The limited ability of employees to question the necessity of some employers’ workplace data collection initiatives (e.g. in regard to drug testing, IT monitoring and surveillance), is also a continuing theme of calls to our Hotline. Calls indicate anecdotally that some types of monitoring procedures in the workplace do not appear to be proportional to the risk that they are intended to mitigate. From employees’ responses and reactions, if the measures are proportional, then that assessment hasn’t been adequately conveyed to employees, who may be misunderstanding the situation, but who also feel powerless to object or question. Enquiries also indicate that some of these practices are encroaching on the relationship of trust between employers and employees. Such trust is necessary for productive and healthy working relationships.
Media
As a snapshot, during January and February of this year, there were some 11 articles (in major newspapers) devoted to workplace privacy issues. The central issues, particularly in relation to workplace surveillance, were that:
- the area of employee privacy rights is confusing;
- the issue demands attention (and is receiving media attention) because this confusion is harming people and creating conflict. The articles contain examples of people who have lost their jobs, seemingly because of the lack of clear regulation and guidelines in this area;
- the issue is gaining momentum, and the consequences of doing nothing are increasing, because there is a growth of monitoring technology (biometric, IT, video surveillance, and the use of radio-frequency identification tags) that allows employers to collect more invasive and personal information about employees;
- employee use of company IT products (and the retention of records of use) poses a potential risk to employers that don’t have privacy policies in place; and
- developments are occurring on a number of fronts, with state governments contemplating the introduction of new workplace surveillance legislation; and labour organisations raising awareness of employee privacy issues (through strategies such as, “Who is watching you at work?”).
5. Options for enhancing privacy protection of employee records (per the Discussion Paper)
Some principles for reform of privacy law
The Law Reform Commission of Victoria (LRCV) in its Workplace Privacy Issues Paper[7] (2002), considered that the purpose of workplace privacy reform should be to protect individual autonomy and dignity and to take account of the impact (on society at large) of practices affecting privacy. The LRCV identified some broad principles, which it believed needed to be considered in proposing reforms to meet the objectives it outlined. This is a useful framework that can assist in the analysis of the policy options in this area. Recourse to such a framework would have been beneficial in the construction of the DP. In the circumstances, however, I consider it important to reference and utilise the LRCV principles in assessing the utility of the various policy options proposed in the DP.
The LRCV paper identified the principles as:
- Balancing interests: provide an appropriate balance between the interests of employers, employees and third parties who may be affected;
- Minimum standards: provide a minimum standard of privacy protection to all employees;
- Proportionality: reflect the requirement that any privacy infringement must be proportional to any benefits gained from the infringement;
- Transparency: ensure that measures affecting privacy are transparent to workers;
- Flexibility: be sufficiently flexible to take account of the diversity of workplaces and of different types of employment relationships; and
- Certainty: provide certainty to employers and employees about their rights and obligations.
In addition to the LRCV’s principles, and with the benefit of our experience in administering the Commonwealth privacy scheme, the following considerations are also important in assessing the utility of the various options:
- Alternative dispute resolution: provide for the resolution of privacy complaints using alternative dispute resolution or a similar process at low cost and in a non-adversarial setting;
- Uniformity of application: achieve the objective of uniformity of application without significant gaps across Australian workplaces and jurisdictions, to ensure the protection of personal information contained in employee records; and
- Single privacy framework: provide effective privacy protection through access to a single (or centrally accessible point) for privacy regulation, to assist with certainty and consistency for business, and an easily understood complaints mechanism for individuals.
These principles have assisted our consideration and analysis of the options proposed.
Options considered sub-optimal: not supported
Status Quo, non-legislative measures, coverage in certified agreements and Australian Workplace Agreements (AWAs)
In considering the proposed options for reform, this submission will not re-state the existing privacy protection framework outlined in the DP (chapters 2 and 3). Nor is it the intention of the submission to address in any detail the status quo and non-legislative options proposed in the DP (education, OFPC guidelines, privacy policies and approved codes) for the following reasons and based on the Office’s experience over the past two years. In my view, and through the experience of the Office, these options are unlikely to be effective.
None of these options would provide a guaranteed minimum standard of privacy protection for all employees, or even for a substantial section of the workforce. In relation to the ‘status quo’ there is no consistency in the current position, whereby employee records in the federal (and ACT) government sectors are covered by the Act, while such records in the private sector receive no protection. Though, I note those jurisdictions that have introduced legislation to effect coverage of employee records (e.g. see DP, p.25: sections 3.52-3.53, on the Victorian Health Records Act). Such regulation at state level demonstrates a useful advance in privacy protection for employers and employees in the Australian context.
If the status quo is maintained with regard to the current exemption, only limited acts or practices of employers in relation to employee records will be covered by the NPPs, with most acts and practices (directly related to the employment relationship and the employee record) remaining exempt. Given the complexity of the exemption, which appears to have proved confusing in the workplace and difficult to apply, it has not been easy (or often possible) for the Office to provide certainty to employers or employees about their rights and obligations. The operation of the current exemption does not find the appropriate balance in interests between the parties, and does not offer a single framework through which individual employees can easily seek redress.
It is instructive to refer to one example, which illustrates the practical difficulty in applying the exemption to just one type of employee record. It is apparent from our experience that emails generated by employees in the course of their work are likely to be subject to the exemption. Yet personal emails received by the employee, on the same system in the workplace, may attract the protection of the NPPs. In my opinion, it is this type of inconsistency and lack of clarity which fails to provide certainty and as a consequence can make it difficult for employers to offer transparency to employees about their respective rights and obligations.
There has been a slow take-up rate for privacy codes since the private sector provisions in the Act took effect more than two years ago. Nine code applications have been received, with three codes approved, four withdrawn and two currently under consideration. The reasons why businesses have not sought more codes will be explored in the broader review of the Act, but may reflect the cost to business with limited return (especially when there is a sound privacy scheme already in place through the NPPs), and the discovery that drafting ‘new principles’ can be time consuming, especially given the need to ensure overall the same obligations as the NPPs without being able to trade obligations or levels of privacy protection. If this tentative take-up rate continues, it is likely it will take a number of years before codes have a broader impact on the privacy landscape in Australia. For these reasons, privacy codes are unlikely to provide an effective option, nor one that offers employers sufficient flexibility.
In relation to the proposed option to amend the Workplace Relations Act, directing parties to consider (or to require) provisions to be included in certified agreements or Australian Workplace Agreements does not address the lack of equality in bargaining power between the parties and a lack of universality in coverage.
Furthermore, the absence of a low-cost alternate dispute resolution process to deal with privacy complaints would need to be considered, including whether the adversarial mechanism offered through the Australian Industrial Relations Commission provides the best policy outcome in this instance. If adopted, this approach to the remedy of matters would differ markedly from the current alternate dispute resolution-oriented complaints scheme under the Privacy Act – though it may bring with it some long-awaited jurisprudence.
With States and Territories having their own workplace relations legislation, the implementation of this option is unlikely to result in the application of universal rules. This would require agreement across all jurisdictions to reflect similar provisions in their respective workplace relations laws to avoid a ‘patchwork’ outcome. Furthermore, some jurisdictions are already moving to protect employee records in health privacy laws (e.g. Victoria), placing them ahead of the Commonwealth approach in this area. To place further emphasis on privacy protection in workplace relations legislation in each jurisdiction, when it is also emerging in privacy law, will increase the risk of a complicated and administratively burdensome ‘patchwork’ of protection.
Lastly, if the inclusion of privacy issues at work is left to negotiation between an employee and an employer, it is unlikely that all employees would be able to negotiate consistent and fair arrangements for the protection of their personal information, because of the inequality in bargaining power. There is also a legitimate question about whether privacy is a negotiable right, especially given its prominence in international law instruments and agreements to which Australia is a signatory. Negotiability of an individual’s basic privacy protections in the employment context is problematic, and not an approach that I support. It risks not finding an appropriate balance of interests between the parties, and not ensuring a recognised, minimum set of privacy protections for all employees. Further, if protections are put in place by this mechanism, they are less than transparent due to the dependence upon individual negotiations. In turn, this may offer challenges in operation and compliance for employers as they negotiate and have to manage multiple types of ‘privacy agreement’.
Costs to business
While my view is that these options should be set aside, it is important to recognise that retaining the status quo or adopting non‑legislative options does not mean an absence of compliance costs.[8] Privacy issues in the workplace have to be faced, and employers need solid policy and procedures to guide them. In fact, there may be continued, or added, cost to business if non-legislative measures continue to cause uncertainty in workplaces with ever more complex data management environments.
Moreover, where new costs are identified as a result of implementing other options, two important factors should be borne in mind. First, the small business exemption (in section 6D of the Act) provides that most businesses with an annual turnover of $3 million or less are exempt from complying with the NPPs – they would not bear additional compliance costs. Second, those businesses that are currently subject to the NPPs in respect of their customers already bear compliance obligations, not only in respect of customers, but also in relation to acts and practices concerning employee records that are not directly related to the employment relationship. For example, the exemption does not cover an employer that uses or discloses employee records for commercial purposes.[9]
Amendments to the Privacy Act (not including the removal of the exemption)
The DP identifies four options to amend the Act, including: narrowing the exemption; retaining some of the NPPs for employee records; and enacting specific employee records privacy principles. The option to remove the exemption is considered separately below.
Should the employee records exemption be retained in some form, narrowing it by including a new definition for some forms of employee records or by adopting only some of the NPPs would appear only to compound current difficulties. It would appear likely to add to the complexity of interpretation and coverage of the exemption; fail to deliver certainty; probably not ensure a minimum standard of protection for all employees (depending upon its construction); continue not to strike the right balance between the interests of the parties; and not achieve uniformity of application.
Adding new employee records principles to the Act, or to the Workplace Relations Act (or in new legislation entirely) would add further complexity for employers and employees. This approach also runs the significant risk of overall regulatory complexity and ‘drift’, where activities at the margins of two pieces of substantially similar legislation (e.g. the NPPs and new ‘employment privacy principles’) risk being caught by both regimes (and both regulators); requiring employers to invest time and money in working through the compliance implications. Such an approach would fail the test of certainty for the parties as the regimes interact. It would not provide a uniform and single, easily accessible privacy framework, with jurisdictional and constitutional issues requiring resolution before the operation of an adversarial court-based scheme for dealing with complaints.
Secondary Option: supported only if the recommended option (below) is not accepted
Exclusive coverage for employee records privacy in Commonwealth Workplace Relations legislation
This option envisages amendments to the Commonwealth Workplace Relations Act, so that one piece of legislation governs employer record keeping obligations and privacy protections for those records. This would be an advance from the current position and may extend privacy protection to a wider cross-section of Australian workplaces, including small businesses with an annual turnover of $3 million or less (currently exempt from complying with the NPPs).[10]
However, it appears this would lead to the adoption of another set of privacy principles aside from the NPPs, but presumably with substantially similar aims. As mentioned above, such separate privacy schemes could involve significant costs to business by increasing the complexity of privacy compliance regimes. Also, the absence of a low-cost alternative dispute resolution process to deal with privacy complaints would need careful consideration.
As mentioned above, with some of the States and Territories retaining their own industrial relations systems, the implementation of this option may raise constitutional issues and is unlikely to provide (at least in the near future) universality in application. If taken, such an approach would lead to a regulatory landscape that involves a complex matrix containing the (federal) Privacy Act (which regulates small portions of employment privacy, such as the personal information of applicants for employment); state and territory privacy law (such as the Victorian Health Records Act) covering employee records; and federal, state and territory workplace relations laws, which would cover some (and possibly differing types of) employers in potentially differing ways. This would cause significant risk of a ‘patchwork’ outcome, which would require a national, cross-jurisdictional process to achieve uniformity that in turn would be costly and time‑consuming. This can be avoided, or significantly ameliorated, if the privacy protection solution is found through federal privacy law. This latter approach has the added advantage that many private sector organisations are already familiar with the NPPs through the course of their business dealings.
The cost and potential inconvenience to business (and employees) arising from the application of different laws for the handling of personal information generally, and information in employee records (particularly where an organisation holds both sorts of information), will need to be carefully considered. Otherwise, we risk failing to achieve the transparent, concrete and uniform legislative framework needed to deliver a sensible and workable privacy regime.
The greater the number of pieces of legislation involved in privacy protection, the greater the likelihood of ‘legislative drift’ that can undermine the coherence and robustness of that protection. In my experience, where there is more than one legislative mechanism involved, it becomes increasingly difficult for employers, and individuals, to realise the protections purported to be offered.
I consider that enhancing protection of employee records through principles or provisions in workplace relations legislation is a secondary option.
Recommended Option
Remove the employee records exemption from the Privacy Act
I support the option of amending the Privacy Act to remove the exemption.
In other countries with privacy legislation, such as the United Kingdom[11] and New Zealand[12], employee records in both the public and private sectors are protected (subject to some exceptions). As stated in the Discussion Paper (p. 5, paragraph 11), ensuring a higher level of privacy protection for employee records in Australia would “assist in addressing concerns raised by [our] trading partners that employee records data being transferred to Australia [is] given appropriate protection.” This is a significant factor reflecting the need for serious consideration of the deletion of the exemption given the increasingly global context of trade, and its associated trans-border data flows (especially for global corporations managing privacy in the international human resources environment).
In the domestic context, ensuring privacy protection through the Privacy Act (via the NPPs) would assist with national consistency for larger employers that operate across all Australian jurisdictions. Provision of greater consistency, clarity and certainty in this domain via the removal of the exemption can assist Australian business as it also deals with these emerging trends.
Deleting the exemption would assist business to achieve clearer and better accountability for personal information-handling when exploring and implementing new workplace security and authentication initiatives. Moreover, with employee records management as a part of overall records management accountabilities, a more certain regulatory framework will assist organisations to set their risk management strategies more appropriately. Also, the interests of businesses are likely to be better served because effective privacy protection promotes transparency and openness, which in turn promotes employee trust.
From the employee’s perspective, Australian governments are increasingly recognising the need for, and legislating to ensure, privacy protection of public sector employee records. There is no reason why private sector employees should not enjoy the same rights. Deleting the exemption would ensure that private sector employees enjoy substantially the same rights to privacy protection as their public sector counterparts.
Deleting the exemption provides a way to find an appropriate balance between the interests of the parties (employer and employee). It is likely to provide certainty about employer and employee rights and obligations. As uncertainty about coverage adds to employer compliance costs, this approach may ameliorate that effect.
The protection of genetic information in the employment context was the subject of consideration by the ALRC/AHEC Inquiry into the Protection of Human Genetic Information in Australia, culminating in the report Essentially Yours (Report 96, March 2003). The Inquiry took the view (at paragraph 34.41) that genetic information of employees, held by private sector employers, should be strongly protected, as it is in other contexts.
Presently, while much genetic information is considered as a form of “health information” protected under the Act, and is afforded a higher level of protection because it is a sub-set of “sensitive information”, if genetic information forms part of an employee record, it is (for the most part) exempt from such protection. The simplest means of implementing the ALRC/AHEC Recommendations (34-1 and 34-2) is to remove the exemption. This is preferable to making other amendments to the Act that seek to enable an arrangement to ensure that while employee records remain predominantly exempt, genetic information (and health information other than genetic information) collected into such a record would receive limited coverage. This approach would cause great administrative complexity for all parties.
Similarly, as noted in the Office’s submission to the Inquiry, other forms of what can be highly sensitive information such as personal information about trade union membership, criminal records, religious beliefs, racial or ethnic origin, sexual preferences or practices or membership of a professional association (when such data forms part of an employee record) does not have the protection which it is afforded in other contexts.[13]
Certainty of coverage under the Act for all types of employee records, including in relation to recruitment practices, may assist in reducing dispute resolution costs for employers as aggrieved employees would have access to a conciliation-based complaints process through the Office of the Federal Privacy Commissioner at no direct cost to the parties (with industrial relations litigation perhaps reduced as a result). The effective implementation of this option would, however, add significantly to the compliance workload of the Office, requiring additional resources to ensure an efficient, effective and timely complaints resolution process.
Although this approach would not provide for protection of private sector employee records in all Australian workplaces (because of the small business exemption), of all the available options, I am of the opinion that this comes closest to achieving desired outcomes such as certainty, proportionality, flexibility, balanced interests of the parties and uniformity of application within a single, federal privacy framework.
6. Conclusion
There are important advantages in trying to find practical, easily understood and regulatory coherent solutions. In this instance, a workable solution that simplifies current law is possible within the structure of the Privacy Act through the removal of the employee records exemption, so that the NPPs apply to organisations’ handling of employee records.
This approach, while retaining some downsides (such as the failure to protect employee records for employees of small business) has the following advantages over the other options:
- it offers an appropriate balance between the interests of the parties, just as it offers such a balance between organisations and their consumers;
- it provides a minimum set of standards for privacy protection of employee records, consistent with protection of an employee’s rights as a private citizen;
- it provides certainty about rights and obligations for employers and employees;
- it eliminates regulatory difficulties in interpreting the exemption; and
- it facilitates the conciliation of complaints by providing access to a single point of privacy regulation through an easily understood complaints mechanism.
In my view this approach offers the most workable solution to protect the privacy of employees’ personal information in the private sector.
ATTACHMENT 1
Extract from the Federal Privacy Commissioner’s Submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000 made during May 2000
Employee records exemption
1. Caution needed in implementing employee records exemption
While I acknowledge that the proposed exemption for employee records is government policy, I would urge great caution in its implementation. It is important to note that alleged interferences with individuals’ privacy in the workplace make up a significant number of privacy complaints in the federal public sector (about 16% of all Information Privacy Principle (IPP) complaints received by my office). Employment related privacy issues also make up a significant proportion of all general privacy inquiries processed by my Privacy Hotline telephone service.
The Explanatory Memorandum for the Bill says that employee records have been exempted because they can be better dealt with under the Workplace Relations legislation. Workplace Relations Regulations make some provision for employee access to their records (see Regulations 131L, 131M). These are made under section 353A of the Workplace Relations Act 1996, which allows the Government to make regulations about making and keeping employee records and the inspection of these records.
However, in the absence of any other regulations on these matters and given the limited scope of this power to make regulations it is unclear how the Workplace Relations Act will address issues in relation to the collection, use, disclosure and correction, of employees’ personal information.
2. Protection under workplace legislation appears to be indirect
Given the absence of further regulations, protection of employee personal information under workplace legislation appears to be only indirect. I understand that, for example, privacy issues could be included in workplace agreements. Workplace Relations legislation would also provide protection for a limited range of misuses of personal information such as wrongful dismissal or discrimination or collection of inaccurate personal information where this led to inappropriate action by the employer.
3. May be concerns about fairness and consistency in negotiated arrangements
Even where potential exists to have privacy issues dealt with under workplace relations arrangements, it is still not clear that all employees will be in a position to negotiate consistent and fair arrangements for the protection of their personal information.
If inclusion of privacy issues in a work place arrangement is the main way in which employee records can be given some privacy protection, then some serious inequities could also develop. For example, individuals who are self employed are in a more advantageous position to ensure the protection of their health, tax, bank and superannuation records compared with employees who may not be able to negotiate the same protection for such information held as employee records.
4. Possible gaps in protection for personal information
The proposed employee records exemption potentially allows an employer to collect, use and disclose this type of information where it is not specifically prevented from doing so by an award or employment contract.
5. Inconsistency with treatment of sensitive information in other parts of the Bill
The proposed exemption, as set out in the Bill is also not consistent with the proposed treatment of sensitive information, including health information, proposed elsewhere in the Bill. This follows from the definition of ‘employee’ record as including, for example, trade union membership, membership of professional or trade associations and aspects of employee health information. These are also elements of the definition of sensitive information.
Sensitive information, and more particularly, health information are given more specific levels of protection in the Bill. I strongly support this approach. I do not support proposals that might then weaken that protection for the many Australians who are employees.
6. If retained, exemption should be very accurately targeted
If Parliament wishes to retain an employee record exemption, then I strongly urge the Parliament to target it very accurately to meet policy objectives with absolutely minimal adverse impact on the privacy of employees.
The employee record exemption as currently drafted does not meet this test. An ‘employee record’ is simply defined in the Bill as any ‘record of personal information about the employment of the employee’ held by the employer. The exemption in the Bill exempts the employee record when it is used in relation to the ‘employment relationship’ but does not define this relationship.
This makes the exemption very difficult to apply. For example, from the recent public debate, it is reasonable to conclude that it is generally accepted that employer monitoring of e-mail and Internet use in the workplace should be covered by the new legislation. However, because of the way the exemption is currently drafted it appears that the Bill may not provide general legislative backing to the Privacy Commissioner’s Guidelines on Workplace E‑mail, Web Browsing and Privacy issued on 30 March 2000, for private sector employees.
7. Possible options for narrowing exemption
There appear to be some mechanisms by which the exemption could be narrowed while still meeting the policy objective. These include:
- limit the exemption to the collection and use of personal information, but not exempt disclosures, except in very limited circumstances;
- provide that the Commissioner can issue guidelines on what is acceptable for inclusion in an ‘employee record’ and on what is an ‘act or practice that is directly related to a current or former employment relationship’;
- add a new paragraph 7B(3)(c) that limits the exemptions to ‘duties and obligations arising out of the employment relationship’; or
- attach a ‘note’ in the Bill to the Exemption in respect of employee records that gives some practical examples. A particular example that has come to my attention that should not be covered by the exemption is the case of a financial services company providing discounted home loans for its employees. In such a case, the personal information that was collected or used in order to process the loan is not personal information that is directly related to the employment relationship. Nor should the use of, say, salary information in the employee record for such a transaction be an exempt act.
I should add that the employee record exemption may have the unintended consequence of winding back provisions in human rights legislation, for example, sex discrimination and disability discrimination legislation, in that the exemption could permit the collection and use of material that may currently be prohibited by that other legislation.
(The complete submission is available on-line at http://www.privacy.gov.au/publications/hor.doc)
ATTACHMENT 2
Extract from the Federal Privacy Commissioner’s Submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000 made in September 2000
Protection of employee record information
The Committee has made a number of recommendations (recommendations 5 - 8 below) which in combination mean that the kinds of employee records exempt from the operation of the Bill under clause 7B(3) are narrowed to ‘exempt employee records’ which are records of personal information relating to the employment of the employee and consisting of:
(a) the engagement, training, disciplining or resignation of the employee;
(b) the termination of the employment of the employee;
(c) the employee’s performance or conduct.
Recommendation 3 in combination with recommendation 5 means that the remainder of the kinds of records currently exempted by the Bill for all businesses would no longer be exempt for any business, large or small. The information proposed to be protected by the Committee’s recommendation would include:
(a) the terms and conditions of employment of the employee;
(b) the employee’s personal and emergency contact details;
(c) the employee’s hours of employment;
(d) the employee’s salary or wages;
(e) the employee’s membership of a professional trade association;
(f) the employee’s trade union membership;
(g) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;
(h) the employee’s taxation, banking or superannuation affairs.
The recommendations make a distinction between health, family or financial information on the one hand which should not be included in the exemption and should be subject to the NPPs and information relating to disciplinary matters, performance related information or career progression on the other, which employers should be able to disclose to future employers.
The Committee’s recommendation is one way of addressing issues raised in my HOR submission. In particular, the submission pointed out that it was unclear how the Workplace Relations Act 1996 would protect personal information held in employee records and that there appeared to be inconsistency in the protection of sensitive information held in employee records when compared with the special protection generally offered to such information in the Bill.
If the Government’s objective in exempting employee records is not to leave it unprotected but rather to ensure that only one piece of legislation applies to protect this information there is a need for a detailed analysis of the adequacy of the law that currently applies to protect the personal information in employee records. This might include the Commonwealth Workplace Relations Act, other federal law, as well as some State law such as worker compensation law.
Such a review would have to be undertaken by an agency fully familiar with federal and State workplace relations law. In order to allow time for such a review to be undertaken thoroughly, making the current form of the employee exemption subject to a sunset clause of one year might be appropriate.
Once the sunset period expires, the employee records exemption would only apply to those records that the analysis had established as providing protection that is, overall, at least the equivalent of the NPPs. [Complete submission – see http://www.privacy.gov.au/publications/subbill.doc]
Recommendations from the House of Representatives Report (June 2000)
Recommendation 5
The Committee recommends that the current definition of ‘employee record’ (which will be given the protection of the NPPs) in section 6(1) read: ‘employee record’, in relation to an employee, means a record of personal information relating to the employment of the employee other than an exempt employee record. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:
(a) the terms and conditions of employment of the employee;
(b) the employee’s personal and emergency contact details;
(c) the employee’s hours of employment;
(d) the employee’s salary or wages;
(e) the employee’s membership of a professional or trade association;
(f) the employee’s trade union membership;
(g) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;
(h) the employee’s taxation, banking or superannuation affairs.
Recommendation 6
The Committee recommends that a new definition of ‘exempt employee record’ be inserted in clause 6(1) reading as follows: ‘exempt employee record’ in relation to an employee, means a record of personal information relating to the employment of the employee and consisting of the following:
(a) the engagement, training, disciplining or resignation of the employee;
(b) the termination of the employment of the employee;
(c) the employee’s performance or conduct.
Recommendation 7
The Committee recommends that clause 7B(3) be amended as follows: ‘An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
(a) a current or former employment relationship between the employer and the individual; and
(b) an exempt employee record held by the organisation and relating to the individual;
Recommendation 8
The Committee recommends that the operation of this exemption be monitored and specifically reassessed in the next review of this legislation.
[1] http://www.ag.gov.au/www/rwpattach.nsf/viewasattachmentPersonal/AB3518B9B3503D14CA256E37001C2BD3/$file/0%20Issues%20Paper%20V6%20with%20Cover%20LATEST.doc.
[2] http://www.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/15D590A5F662C892CA256BEC00223667?OpenDocument
[4] Information Sheet 12 – http://www.privacy.gov.au/publications/IS12_01.html.
[5] Information Sheet 4 – http://www.privacy.gov.au/publications/IS12_01.html and Information Sheet 7 – http://www.privacy.gov.au/publications/IS12_07.html
[6] Guidelines on Workplace E-mail, Web Browsing and Privacy – http://www.privacy.gov.au/internet/email/index_print.html
[7] LRCV, Workplace Privacy: Issues Paper, pp. xiv, 103-104. http://www.lawreform.vic.gov.au/CA256A25002C7735/All/DDC4BB835B405EF5CA256CD10017A01F?OpenDocument&1=30-Current+projects~&2=30-Privacy~&3=25-Issues+Paper~
[8] NZ Privacy Commissioner’s March 1999 paper on compliance costs http://www.privacy.org.nz/media/indrel.html.
[9] Also, the exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding those contractual arrangements. In many circumstances, the employee records exemption may not apply to organisations that provide recruitment, human resource management, medical, training, or superannuation services, under contract to an employer.
[10] See s. 6D(4) of the Privacy Act.
[11] See (UK) Employment Practices Data Protection Code at http://www.informationcommissioner.gov.uk/eventual.aspx?id=437
[12] See (NZ) Guidelines for Business – Some Frequently Asked Questions (esp. p. 6) at http://www.privacy.org.nz/comply/comptop.html
[13] Office of the Federal Privacy Commissioner (March 2002) Submission from the Office of the Federal Privacy Commissioner: ALRC/AHEC Joint Inquiry into the Protection of Human Genetic Information; pp.20-21. At http://www.privacy.gov.au/publications/genesub.doc


