Australia: Just how private are employee records?
This article was first published in the April 2021 edition of the LexisNexis Privacy Law Bulletin
- Employers must exercise caution in seeking to use their status as an employer to force employees to divulge personal information.
- They should assume that they are bound by the privacy regime in collecting information they do not already have but that once they hold information, the employee records exemption in the privacy legislation applies.
- Two conflicting decisions on this issue by the Fair Work Commission need to be resolved by an appellate court that can provide employers with certainty as to the scope of the exemption.
Australia’s employment regulatory regime is complex and extensive. Employers grapple with employee privacy and data protection rights against the background of the “employee records exemption” in the Privacy Act 1988 (Cth) and the comprehensive workplace relations regime in the Fair Work Act 2009 (Cth).
The employee records exemption in the Privacy Act has generated interesting findings which present employers and privacy practitioners with what can only be described as a confused picture.
This has become even more important in the context of recent events relating to COVID-19.
The employee records exemption in the Privacy Act was intended to remove employee privacy protections from the privacy regime to the workplace relations regime. However, the decision in Lee v Superior Wood Pty Ltd t/as Superior Wood[1] (Lee) demonstrated that not all protections were removed.
After Lee, employers knew that they could not force employees to divulge personal information and then rely on the employee records exemption. Last year, a different commission decided in Knight v One Key Resources (Mining) Pty Ltd t/as One Key Resources[2] (Knight) that employers could do just that.
The question for employers now is whether the Privacy Act applies to information about employees.
The answer is not simple but given difficulties with the decision in Knight, Lee is to be preferred, at least until an appellate court decides the issue.
The employee records exemption
Section 7B of the Privacy Act provides, relevantly:
(3) An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
(a) a current or former employment relationship between the employer and the individual; and
(b) an employee record held by the organisation and relating to the individual.
It is clear that the legislature intended that, generally, Australia’s comprehensive workplace relations legislation deal with record collection and privacy at the workplace: “Acts and practices in relation to ‘employee records’ are exempted as it is recognised that the handling of employee records is a matter better dealt with under workplace relations legislation.”[3]
Lee - employer “cannot” force employee to divulge personal information
The facts of Lee are straightforward. Mr Lee’s employer wished to introduce a biometric “clock on” system, pursuant to which employees’ fingerprints were stored so that a scanner could be used to record employee site attendance for payroll purposes.
Mr Lee objected to the recording of his biometric data.
At first instance in the Fair Work Commission, the Commissioner upheld Mr Lee’s submission that as the record had not in fact been obtained, the employee records exemption could not apply because s 7B(3)(b) requires that the employee record be “held” by the organisation before the exemption can apply.
Mr Lee’s employer did not hold the information and therefore could not, via a notice, force the collection of the information (and then hold it), and sack him when he refused to hand over the personal information.[4]
Mr Lee’s dismissal was upheld on other grounds and he appealed to the Full Bench of the Fair Work Commission. The Full Bench upheld Mr Lee’s appeal and affirmed the reasoning in respect of the employee records exemption:
The express requirement to obtain an individual’s consent would become meaningless if Principle 3 was only enlivened once information had been collected. Construed in context, Principle 3 applies both to the solicitation and collection of sensitive information. It necessarily operates at a time before collection, because an APP entity “must not” collect sensitive information “unless” the individual consents to that collection. Any collection that occurs without first having obtained consent to that collection would be contrary to Principle 3.
Mr Lee was directed to submit to the collection of his fingerprint data in circumstances where he did not consent to that collection. In our view, the direction was directly inconsistent with Principle 3. The Commissioner was correct to find that Mr Lee was entitled to refuse to provide his biometric data under the Policy.
. . .
While the legislature may not have precisely intended the outcome in Lee, the words of s 7B(3) are clear and Lee is undoubtedly correct.
Knight - employer “can” force employee to divulge personal information
In Knight, a factually indistinguishable case was dealt with quite differently.
Knight was required by his employer to provide information as to:
- all previous travel history outside Australia and
- any travel plans within the next 6 months with locations and dates
The employer said the request was due to COVID-19 risk. Mr Knight refused to provide the information and relied upon the decisions in Lee. He was sacked and brought proceedings in the Commission.
The Commissioner referred to Mr Knight’s submissions and held the following:
- The personal information it sought to compel Mr Knight to divulge was not sensitive health information attracting higher protection.
- An obligation under the relevant workplace safety legislation upon an employer to provide and maintain a safe workplace permitted the collection of the information.
- The Information Commissioner had issued a (qualified) statement that employers can collect information about employees and visitors in relation to COVID-19.
- Permitted general situation (presumably 1) allowed the collection of the personal information.
Mr Knight’s termination was ruled lawful.
Can employers square the circle and derive a rule from the decisions in Lee and Knight?
An employer holds information from an employee in two ways:
- in the form of information collected prior to commencement of employment or
- information collected during employment
As to the first category, no employer would make an offer of employment to a prospective employee if that prospective employee did not, for example, provide a tax file number to the employer to enable the employer to comply with relevant taxation obligations.
If the employee wishes to receive an offer of employment with the employer, then the employee will voluntarily hand over the relevant personal information (subject to anti-discrimination laws). The employee records exemption then clearly applies to that information as it is “held” by the employer.
The issue with which employers must grapple is personal information available (or becoming available) during the course of employment.
Was the information capable of being held?
A preliminary issue arises as to whether the cases can be reconciled on the basis that the information in Lee was not in existence, and therefore could not be “held” by the employer, whereas the information in Knight was.
This distinction cannot be sustained, for the reason that Mr Lee’s fingerprint was in existence, as was the information as to Mr Knight’s travel history and travel intentions.
Neither was in the respective employer’s possession, so what was in issue was whether the employer could force them to proffer that information, in Mr Lee’s case in the form of providing an electronic copy of his fingerprint, and in Mr Knight’s case in providing relevant information in answer to a questionnaire.
That type of information is probably conceptually different to, for example, taking an employee’s temperature as a condition of entry to the workplace, as that information does not exist (except in the most abstract sense) before it is measured, and the collection itself by the employer brings it into being.
This is a difficult area, but it is likely that the privacy regime has no role to play here because the employer does not “hold” (or “manage” in the terms of Australian Privacy Principle (APP) 1) that sensitive information because it only temporarily and fleetingly appears in the mind of the screener who then decides to admit the employee or not.
This distinction probably explains the Information Commissioner’s circular to the effect that it was permissible to collect information about employees and visitors in relation to COVID-19, although if an employer sought to record or store that temperature information (other than incidentally for example by permitting access to the workplace, from which it could be inferred that the employee’s temperature was below a certain limit) then the privacy regime and importantly Lee would apply.
Holding personal information
During employment, Lee stands for the proposition that an employer may not force the divulging of personal information from an employee.
This does not prevent the employer from, for example, storing electronic traces caused by the employee during the course of their employment (for example the employee logs onto the computer system and conducts transactions for their employer). It is clear that such information is “held” by the employer and the employee records exemption will apply (subject to any workplace surveillance legislation).
Knight appears to implicitly dismiss Lee without grappling with the distinction between managing of information already held by the employer (to which the exemption applies) as opposed to collecting information to hold.
Neither the information in Lee nor the information in Knight was held by the employer. In fact, the employer in each case was seeking to use its status as employer to force the employees to provide that information.
The decisions in Lee rest on a coherent and cogent reading of s 7B and it is submitted that they are to be preferred to the decisions in Knight.
Health information and permitted general situations
It is not clear that the finding in Knight that the information collected was not health information is correct.
The information related to whether the employee had been to countries where COVID-19 was prevalent and therefore would have had a direct influence on whether the employee could have been exposed to the virus and may have been positive. This is health information. Had Mr Knight disclosed that he had been in a high-risk country, his employer would no doubt have requested medical follow-up. This further demonstrates why the information must have been health-related and sensitive.
The Information Commissioner’s information statement referred to permitted general situation 1. The reasoning here is not obvious because a permitted general situation is a defence to the disclosure of information that an APP entity “holds” that would otherwise be prohibited under APP 6.
Following Lee, the permitted general situations can apply only to information “held” by the employer. As a matter of theory, if an employer already holds information, the employee records exemption obviously applies and therefore the permitted general situations are not relevant.
That by itself suggests that the Commissioner’s guidance (insofar as it related to employee information) rested on a false premise (and ignored or failed to clarify exactly what “collect” means under the clear findings in Lee) and cannot have been a defence to the collection via compulsion of information not held by the employer.
The October 2020 Privacy Act Review issued by the Commonwealth Attorney-General’s Department refers to Lee in the context of the genuineness of an employee’s consent but not to Knight.[6]
A general pandemic exclusion to the law?
The employer in Knight referred to occupational health duties as a reason why it should have been able to force Mr Knight to disclose personal information. That argument must fail on a number of grounds.
Firstly, the Privacy Act is a federal statute and controls as it covers the field, except where it expressly cedes the ground to workplace legislation (for example). Lee determined the border of that cession.
Secondly, there is no occupational health carve out to the principles (although permitted general situation 1 can sometimes apply as discussed above).
Finally, it vitiates the rule of law if an APP entity can merely invoke “the pandemic” as a reason to avoid the privacy regime, rendering the carefully balanced privacy regime hollow and essentially meaningless.
1. Lee v Superior Wood Pty Ltd t/as Superior Wood  FWC 4762.
2. Knight v One Key Resources (Mining) Pty Ltd t/as One Key Resources  FWC 3324.
3. Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth).
4. Above n 1, at –.
5. Lee v Superior Wood Pty Ltd  FWCFB 2946 at –, .
6. Attorney-General’s Department Privacy Act Review Issues Paper (October 2020) 31.
By Toby Blyth