Employee Data Privacy

Australia - Data Privacy Laws and Regulations


What laws apply to the collection and use of individuals’ personal information?


Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.

The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) provide the basic framework for data privacy in Australia. Entities that are subject to the Privacy Act must comply with the APPs when collecting and handling personal information.

Note that there is an 'employee records exemption' in the Privacy Act. Employee records (including terms and conditions of employment, training, disciplining and resignation, personal and emergency contact details, performance and conduct, taxation, banking and superannuation affairs, remuneration, leave, or trade union membership) are exempt if the data is managed by the employer. However, if this information is disclosed to and collected by a third party, the exemption does not apply to the processing of the information by the third party.

The Privacy (Tax File Number) Rule 2015 (TFN Rule), the Taxation Administration Act 1953 and the Income Tax Assessment Act 1936 govern the collection, storage, use, disclosure, security and disposal of an employee's tax file number. Note that the 'employee records exemption' does not apply to the TFN Rule.

There is also legislation in some States and Territories relating to health records including:

  • Health Records Act 2001 (Victoria) and the Health Privacy Principles in the Act;
  • Health Records and Information Privacy Act 2001 (New South Wales) and the Health Privacy Principles in that Act; and
  • Health Records (Privacy and Access) Act 1997 (Australian Capital Territory).

There is no employee records exemption in relation to health information.

Australian privacy laws do not distinguish between data processors (third-party processors) and controllers (employers), which means that unless a specific exemption is outlined in the law, the applicable statute will apply to all entities handling personal information.

Australia has confirmed it will join the APEC Cross Border Privacy Rules System in the coming months.


The authority responsible for enforcement of the Privacy Act is the Australian Information Commissioner and their Office of the Australian Information Commissioner (OAIC).



Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.
