Protecting Employee Information: A Practical Guide for SMEs

Relevant For:

Small-medium business employers, HR professionals and business owners handling employee data.

Key Points:

  • Understand Obligations: Employers must secure employee data to comply with the Privacy Act 1988.
  • Australian Privacy Principles: Follow the 13 APPs for data management, quality, and security.
  • Applicability: Businesses with over $3M turnover, or that fall into specific categories, must comply with the APPs.
  • Protected Information: Personal and sensitive data have different protection levels.
  • Employee Records Exception: Applies to current/former employees, but not contractors or future hires.
  • Data Privacy Policy: APP entities need a public policy detailing data collection and use.
  • Practical Tips: Obtain consents, appoint a compliance officer, de-identify data, and review policies regularly.

Full Article:

Are you safeguarding your employees’ personal information?

Failing to do so could mean breaching the Privacy Act 1988 (the Act).

Understanding Your Obligations

Employers gather various types of employee data, such as contact details, financial records, and work performance. However, strict regulations mandate the security of this information, with severe penalties for non-compliance.

The Australian Privacy Principles (APPs)

Introduced in 2014, the APPs comprise 13 rules governing:

  • The management, collection, use, and disclosure of information.
  • Steps to ensure data quality and security.
  • Individuals’ rights to access and correct their information.

Is Your Business Subject to the Act?

If your annual turnover exceeds $3 million, you must comply with the APPs.

Businesses with a turnover below $3 million must also comply if they fit into specific categories, such as private health providers or those dealing in personal information.

Even if not directly applicable, it is prudent to adhere to the Act to future-proof your business.

Types of Protected Information

The Act covers ‘personal’ and ‘sensitive’ information:

  • Personal Information: Data identifying an individual, including name, contact details, and employment information.
  • Sensitive Information: Data on health, ethnicity, political opinions, and other sensitive areas requiring higher protection.

Employee Records Exception

Employers are exempt from the Act when using employee information directly related to a current or former employment relationship. For example, tracking an employer-provided car during work hours is exempt. However, tracking the car outside work hours involves collecting personal information not related to employment and is subject to the Act’s compliance obligations.

This exemption does not cover contractors or subcontractors handling employee information, such as recruitment or HR services, nor does it apply to potential future employees until they are hired.

Additionally, employee records may be subject to State or Territory laws, such as those governing telecommunications or workplace surveillance.

Creating a Data Privacy Policy

APP entities must have a publicly accessible data privacy policy. This policy should set out how the business will:

  • Describe the information it collects and how that information is used.
  • Allow individuals to deal with it anonymously where appropriate.
  • Collect data directly from the individuals concerned.
  • Obtain consent before collecting sensitive information.
  • Keep data accurate and secure.
  • Enable individuals to access and correct their information.

Practical Tips for Compliance

  1. Obtain Employee Consents: Always seek consent before disclosing personal information to third parties.
  2. Appoint a Responsible Person: Designate someone to handle compliance and data breach notifications.
  3. De-identify Information: Implement procedures to anonymise data where feasible.
  4. Periodic Reviews: Regularly review and update your privacy policies and procedures.

Implementing these steps helps ensure compliance with the Act and fosters trust with your employees.