How far does the employee records exemption in the Privacy Act reach?

Written By

Kristy Peacock-Smith

Partner
Australia

I am a partner in our International HR Services Group in Sydney where I advise our clients on the full spectrum of employment and industrial law issues.

Thomas Du

Senior Associate
Australia

I am a Senior Associate in our International HR Services Group in Sydney, where I advise on the full spectrum of employment and industrial law issues and disputes.

It is well known that there is an exemption to the requirements of the Australian Privacy Act 1988 (Cth) (Act), which means that an employer does not need to comply with the provisions of the Act in dealing with ‘employee records’. 

What is (and, importantly, is not) an employee record was the subject of a recent determination of the Australian Privacy Commissioner (‘ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131 (20 June 2024)).

What happened?

An employee of the respondent business suffered a medical episode in the carpark at work (arising from a pre-existing condition) and was subsequently transported to a nearby hospital. This event was witnessed by a number of the employee’s colleagues.

The employee’s husband sent a text message to the employee’s manager stating that his wife was recovering well.

The manager then emailed 110 staff about the incident, and included all of the following information in the email:

  • the employee’s full name;
  • the full name of the husband;
  • that the employee had experienced a medical event at work the previous day;
  • the name of the hospital where she was treated; and
  • the status of her health.

The employee complained that the email interfered with her privacy in breach of the Privacy Act and sought economic and non-economic loss from the respondent.

The employer argued that the email update fell within the “employee records exemption” and that, by disclosing the information, it was only discharging its obligation to ensure the welfare of its employees under the Work Health and Safety Act 2011 (NSW) (WHS Act).

Decision

Perhaps not surprisingly, the Commissioner found that the employee records exemption did not apply to the manager’s email.

The Commissioner found the employer’s reason for sending the email was not “directly related” to the employment relationship between the employer and the employee. The words “directly related” mean “an absolute, exact or precise connection” to the employment relationship between the employer and the individual, which was (perhaps obviously) not satisfied in the present case.

Breach of APP 6

Since the employee records exemption did not apply, the Commissioner found that the respondent was required to comply with the requirements of the Privacy Act, including Australian Privacy Principle (APP) 6, when sending the email, which requires an entity to only use or disclose personal information for:

  • a “primary purpose” (the purpose for which it was collected); or
  • a “secondary purpose”, but only if the individual consents or reasonably expects the secondary use or disclosure.

The Commissioner held that the primary purpose for collecting information about the employee’s health, from her husband, was to ensure the employee’s welfare and enable the respondent to meet its work health and safety obligations to the employee. This was not the reason why that information was then disclosed to other staff.

It was held that the respondent used the personal information for a “secondary purpose”, i.e. to ensure the welfare of other employees, in accordance with its obligations under the WHS Act.

The Commissioner found this was a breach of APP 6, because the employee neither consented to this disclosure nor could reasonably have expected this secondary use.

Remedies

The employee was awarded $3,000 for non-economic loss and $125.10 for the expenses incurred in attending psychological appointments after the disclosure.

What the employer could and should have done

It was, in our view, entirely reasonable for the employer to update its employees in relation to the employee’s health and particularly in relation to an incident some of them may have witnessed. However, there was absolutely no reason for it to communicate that amount of detail, nor to send it to as many employees as it did.

A more sensible email update to staff would have included:

  • a limited email distribution list;
  • no reference to the husband’s name;
  • no reference to the hospital the employee attended; and
  • a very brief update about the employee’s health status.

An email to the following effect would suffice in these circumstances:

“We understand you may have witnessed an incident in the carpark on [day], involving your colleague, [name]. We are happy to report s/he is recovering well and hopes to return to work shortly. In the meantime, if the events have distressed you or you would like to discuss them or have any queries from customers in relation to her/his whereabouts, please direct those to [colleague name].”

Key takeaways

If you wish to benefit from the employee records exemption, ensure that the handling of employee records has “an absolute, exact or precise connection” with the employment relationship between the employer and the individual.

Identify the primary and secondary purposes of collecting the employee’s personal information, so that consent is obtained if you wish to disclose the information for a secondary purpose, rather than the purpose for which it was collected.

The authors also acknowledge Jonathan Wong for his contribution to this article.

Please contact us if you have any questions in relation to this article or would like to discuss these issues with one of our experts.
