Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) provide the basic framework for data privacy in Australia. Entities that are subject to the Privacy Act must comply with the APPs when collecting and handling personal information. Australian privacy laws do not distinguish between data processors (third-party processors) and controllers (employers).
Note that there is an 'employee records exemption' in the Privacy Act. Certain employee records (including: terms and conditions of employment; training, disciplining and resignation; personal and emergency contact details; performance and conduct; taxation, banking and superannuation affairs; remuneration; leave; or, trade union membership) are exempt if the data is managed by the employer. The employee exemption would not apply to any information outside of these categories. If the employee records are disclosed to and collected by a third party, the exemption would also not apply to the processing of the information by the third party.
The Privacy (Tax File Number) Rule 2015 (TFN Rule), the Taxation Administration Act 1953, the Income Tax Assessment Act 1936 and the Income Tax Assessment Act 1997 govern the collection, storage, use, disclosure, security and disposal of an employee's tax file number. Note that the 'employee records exemption' does not apply to the TFN Rule.
Australia joined the APEC Cross Border Privacy Rules System in November 2018.
There is also legislation in some States and Territories relating to health records including:
There is no employee records exemption in relation to health information. Employee health information should be handled in accordance with legal requirements outlined in each state Act and can only be disclosed to employees on a need-to-know basis. Company policies relating to health information should outline:
The authority responsible for enforcement of the Privacy Act is:
Australian Information Commissioner and their Office of the Australian Information Commissioner (OAIC)
https://www.oaic.gov.au