Employees and data privacy: a case from Australia
Data Privacy Office Europe
Training and consulting on data privacy according to GDPR and national regulations (UAE PDPL, CCPA, HIPAA, etc.)
Employees are also data subjects under most privacy laws, so the processing of their data is subject to the requirements of local privacy laws. However, the Australian legislation has its own particularities. Let's take a closer look at them.
Australian law has a concept called the employee records exemption. This means that the processing of employee data is not covered by the Privacy Act. However, as with any rule, there are exceptions. The Act applies in the following circumstances:
- The data processing takes place outside the context of a direct employment relationship.
- The processing relates to job applicants, freelancers and other 'self-employed persons'.
While the difference between an employee and a candidate is obvious, whether processing falls within the context of a direct employment relationship can be less clear.
Consider a recent case study to illustrate this.
An incident occurred in the workplace: a female employee experienced health problems and was hospitalised. The management contacted the employee's husband to get an update on her condition. The manager then sent an email to the company's employees, informing them that their colleague was fine. The email included the name of the hospital, the name of the husband and details of the employee's condition. In short, what was intended for the best turned out the way such things usually do.
When the employee returned to work, she filed an internal complaint against management. As the complaint was not dealt with properly, the employee was forced to file a complaint with the supervisory authority.
Does the employee records exemption apply in this case study?
One of the employer's arguments was to rely on the employee records exemption: everything happened within the employment relationship, so the law does not apply.
The supervisory authority found that sending the email to the employees was not directly related to the employment relationship between the employee and the employer. Therefore, the exemption does not apply in this case.
You can read more about why the OAIC found this incident to be in breach of the Act here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2024/131.html
As a result, the employee was awarded more than $3,000 in compensation for emotional distress and the cost of psychological counselling.
Thus, not all processing of employee information falls within the employee records exemption. This exemption should be interpreted narrowly and each processing operation should be considered on its own merits.
If a company has questions about interpreting the requirements, it is a good idea to seek clarification from local counsel or directly from the regulator.
Professional Consultant @ Self-Employed | Certified Cybercrime Intervention Officer | Certified Privacy Assessor & ISO27001 Lead Auditor | Program Manager & Management Consultant | Change Management
3 months
Interesting debate on the provisions and the interpretation if an exception may be applicable. Informative article.