What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an increased focus on the processing of personal data and on the enforcement of the laws that govern it.
The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) provide the basic framework for data privacy in Australia. Entities subject to the Privacy Act (APP entities) must comply with the APPs when collecting and handling personal information. Australian privacy law does not distinguish between data controllers (such as employers) and data processors (such as third-party service providers); both are subject to the same obligations.
Note that the Privacy Act contains an 'employee records exemption' for private sector employers. An act or practice is exempt if it is directly related to a current or former employment relationship and to an employee record held by the employer. Employee records include: terms and conditions of employment; training, disciplining and resignation; personal and emergency contact details; performance and conduct; taxation, banking and superannuation affairs; remuneration; leave; and trade union membership. The exemption does not extend to information outside these categories. Nor does it apply to a third party: if employee records are disclosed to and collected by a third party, that third party's handling of the information is not covered by the exemption.
The Privacy (Tax File Number) Rule 2015 (TFN Rule), the Taxation Administration Act 1953, the Income Tax Assessment Act 1936 and the Income Tax Assessment Act 1997 govern the collection, storage, use, disclosure, security and disposal of employees' tax file numbers (TFNs). Note that the employee records exemption does not apply to the TFN Rule.
Australia joined the APEC Cross Border Privacy Rules System in November 2018.
There is also legislation in some States and Territories relating to health records including:
- Health Records Act 2001 (Victoria) and the Health Privacy Principles in the Act;
- Health Records and Information Privacy Act 2002 (New South Wales) and the Health Privacy Principles in that Act; and,
- Health Records (Privacy and Access) Act 1997 (Australian Capital Territory).
These State and Territory health records Acts contain no employee records exemption. Employee health information must be handled in accordance with the requirements of the applicable State or Territory Act and disclosed within the organisation only on a need-to-know basis. Company policies relating to health information should outline:
- how this information will be handled;
- how employees can review their information;
- how employees can request amendments to their health information; and,
- how to make complaints relating to the employer’s handling of any health information.
The authority responsible for enforcing the Privacy Act is the Australian Information Commissioner, supported by the Office of the Australian Information Commissioner (OAIC).