The right to privacy isn't absolute - the Government aims to balance it against competing rights, interests and concerns, so there are a number of exemptions.
- Small business operator
- Employee records
- Media organisations in the course of journalism
- Government contracts
- Political parties and representatives
- Data transfers between related bodies corporate
- Requirements of foreign law
- Personal affairs & non business capacity
Small business operator
Compliance can be expensive for small businesses, so small business operators are excluded from the definition of organisation and not bound by the new privacy regime.
But this isn't a blanket exemption - some small businesses will have to comply, for example if they:
- provide a health service and hold health information (apart from employee records);
- trade in personal information;
- are related to a body corporate which is not a small business; or
- are acting as a contract service provider to Commonwealth government.
Also, some small businesses may wish to comply with the Act in order to gain consumer confidence and trust, so there's an opt-in mechanism.
Delayed commencement for small business
Small business operators that are subject to the Private Sector Act were given an additional 12 months to comply with the new laws. Since 21 December 2002 those small businesses which are regulated by the Act have had to comply. This delay did not extend to small businesses which provide a health service and hold any health information.
Small business operators acting under a Commonwealth contract
A small business operator that's also a contracted service provider for a Commonwealth contract will have to comply with the Act where its activities relate to the contract. But if the same small business operator would otherwise be exempt, it won't have to comply in relation to all its other activities.
For example, a small business operator that provides a health service and has a contract with a Federal Government agency must comply in relation to all aspects of its business. But a small business in the construction industry with a government contract only has to comply in relation to the activities related to the government contract (unless it has related companies or trades in information).
Employee records
Private sector employers can collect, use and store employee records without having to comply with the National Privacy Principles (NPPs), provided what they are doing is directly related to a current or former employment relationship.
- So employees don't have a right to access evaluative records such as performance reviews and confidential references.
- But they do have some rights - for example to access information on wages and termination - under other regimes covering employee records.
- Organisations are obliged to comply with the NPPs when dealing with contractors, sub-contractors or prospective employees.
However, this doesn't mean that employers can do what they like with employee records.
Limits
An employer must deal with employee records in a way which is directly related to the employment relationship. So, for example,
- in the context of a concluded sale agreement, the disclosure of employee records to prospective employers is allowed. But the prospective employer must comply with the NPPs when dealing with the records;
- an employer must not take commercial advantage of the personal data it holds about its employees;
- an employer may provide personal information on its current and former employees to a superannuation fund to secure superannuation benefits for its employees.
Health information
Employers often hold extensive information about their employees' health. Health information is sensitive information that's usually given special protection by the private sector privacy regime. But as it's in an employee record, the employer may use this information, subject to the limits set out above and to any relevant State or Territory health records legislation. For example, there is specific legislation in Victoria (the Health Records Act 2001) and the ACT (the ACT Health Records (Access and Privacy) Act 1997) regulating the collection, use, storage and transfer of "health information". Neither of these Acts has exemptions for personal health information held in an employee record.
The Privacy Commissioner has criticised the inconsistency between the employee records exemption and the treatment of sensitive information generally, and of health information specifically, in NPP 10.
For more, see our health section.
E-mail at work
It's likely that the use and disclosure of an employee's private email is subject to the private sector privacy regime. By contrast, records of work emails and web use logs probably count as "employee records", so an employer may be able to deal with them without having to comply with the privacy regime.
However, privacy within the workplace is an issue which is currently under review by most state and territory governments. The issues raised by surveillance of workers, including email and Internet monitoring, are being considered having regard to the limits of privacy and workplace legislation. In addition, there has been some uncertainty about whether email monitoring is an activity regulated by the Commonwealth Telecommunications Interception Act 1979 or current surveillance devices legislation which applies in some states and territories.
Generally, monitoring of email is not prohibited where a worker is aware that monitoring is taking place. However, where personal information is being collected in the course of monitoring emails, then the NPPs are likely to apply. If health information is collected, then that may also trigger other requirements under health records legislation in some states and territories.
The approach recommended by the Federal Privacy Commissioner's Office is outlined in Guidelines (which are not legally binding but which reflect the Federal Privacy Commissioner's views on the interpretation and application of the NPPs) dealing with workplace email, web browsing and privacy. It is recommended that if staff email and computer use are monitored, a computer use policy must be publicised and understood by staff. The Guidelines indicate that, ideally, the screen users see at log-on should link to this policy, which should:
- outline which activities are permitted and forbidden;
- say what information is logged and who has access to logs and staff emails;
- refer to the organisation's computer security policy and state that the improper use of email may pose a threat to system security and privacy, and may lead to disciplinary action;
- outline how the organisation plans to monitor or audit compliance; and
- be reviewed and re-issued on a regular basis.
Consistent with that recommended approach, the NSW Workplace Surveillance Act 2005, which came into force in October 2005, deals specifically (among other things) with monitoring or recording of an employee's use of email and access to the Internet. Under that Act an employer's ability to monitor or block emails or access to the Internet is limited unless the employer is acting in accordance with an email and Internet policy that has been notified in advance to the employee.
Other regulation of employee records
At the time that the private sector privacy amendments were introduced, the Government decided that the regulation of employee records through the new privacy system would interfere unacceptably with existing laws on workplace relations, workers' compensation and occupational health and safety. It also decided that employers' obligations could best be dealt with as part of workplace agreements.
The Workplace Relations Act doesn't give personal information the same level of protection as the NPPs. So employees concerned about their personal information will need to seek protection through a workplace agreement. Evidence put to the various committees reviewing the private sector privacy regime before its implementation did not reveal equivalent privacy protections under state and territory laws.
Regulations 131K and 131L of the Commonwealth Workplace Relations Regulations 1996 permit employees to access, copy and correct their employee records. These regulations apply only to records containing information on time, wages, leave, remuneration, superannuation and termination, and do not prevent an employer from disclosing employee information.
Review
In late November 2000, before the private sector amendments to the Act were passed, the then Attorney-General and Minister for Employment, Workplace Relations and Small Business announced a review of existing laws to consider the extent of privacy protection for employee records and whether there was a need for further measures. The review was effectively given a three year time frame and was anticipated to be completed in time for the Federal Privacy Commissioner's more general review of the privacy legislation, which was to have been undertaken two years after the legislation commenced operation.
In February 2004 the Attorney-General's Department and the Department of Employment and Workplace Relations jointly released a discussion paper, 'Employee Records Privacy: A discussion paper on information privacy and employee records', calling for submissions on whether additional measures are required to ensure privacy protection of employee records.
The discussion paper outlines the current level of privacy protection for employee records and then identifies three broad options in relation to possible enhancements of privacy protection:
- maintain the status quo (despite the lack of consistency in privacy protection of employee records under State and Territory legislation);
- adopt non-legislative measures (including the development of further guidelines and use of privacy codes); or
- introduce legislative measures (in particular, amendments to either the Privacy Act or the Workplace Relations Act).
Submissions were made in April 2004 by a number of key stakeholder organisations including the Australian Chamber of Commerce and Industry, the Australian Privacy Foundation, the Office of the Federal Privacy Commissioner and the State Privacy Commissioners for each of NSW and Victoria.
The Discussion Paper does not set out the timeframe for the review process and it is not clear when the outcomes of the review will be reported to the Attorney-General and the Minister for Employment and Workplace Relations or published more widely.
It was anticipated initially that the outcomes of the review of the employee records exemption would be available to assist in the more general review of the private sector provisions. However, the terms of reference for the Federal Privacy Commissioner's report into the operation of the private sector provisions of the Act excluded a review of the employee records exemption, given the separate review in process.
The Federal Privacy Commissioner's report was published in May 2005. The report notes that despite the terms of reference excluding a review of the employee records exemption, a number of submissions did comment on the issue.
Media organisations in the course of journalism
The Government recognises the important role of the media in keeping the Australian public informed.
The Privacy Act doesn't apply to personal information collected, used and disclosed by a media organisation in the course of journalism, provided that the media organisation is publicly committed to observing published, written standards dealing with privacy.
For more, see our media section.
Government contracts
An organisation that's a contracted service provider for a State government or agency is exempt from complying with the NPPs while meeting an obligation under the contract.
The State privacy laws that apply to the State department or agency instead apply to the organisation. But the organisation must still comply with the NPPs during other activities.
If the activities of a contracted service provider for a Commonwealth agency are authorised by their contract, there's no breach of the NPPs, even if the activity is inconsistent with an NPP. For more, see our Government work section.
Political parties and representatives
Political representatives are exempt where they are participating in the political process. This includes allowing personal details to be used for coordinating referenda and elections at local, state and federal levels.
Registered political parties are excluded from the definition of organisation and not bound by the private sector privacy regime. A more limited exemption applies to members of parliament, local government councillors, some government contractors and volunteers working for political parties.
Data transfers between related bodies corporate
This exception is designed to allow a relatively free flow of information between related bodies corporate. Bodies corporate are related if one is a holding company, a subsidiary or a subsidiary of a holding company of the other. The question of whether bodies corporate are related to each other is determined by section 50 of the Corporations Law.
Related bodies corporate may exchange personal information without breaching the Act. But each must comply with the relevant approved privacy code or the NPPs in using or holding personal information.
It's assumed that both bodies have the same primary purpose for collecting the information. Information can only be used for other purposes if the individual consents, if that use would be reasonably anticipated by the individual, or if one of the other exemptions in NPP 2 applies.
But the exemption doesn't extend to related bodies corporate sharing sensitive information. If information is being shared with a related body corporate outside Australia, NPP 9 must be complied with.
Requirements of foreign law
An act or practice outside Australia or the external Territories isn't an interference with the privacy of an individual if required by the law of a foreign country.
Personal affairs & non business capacity
Individuals may collect or use personal information in connection with their personal, family or household affairs, or other than in the course of a business.