The Fair Work Commission has cast some doubt over employers' privacy obligations when collecting personal information from their employees.
While it was previously understood that the "employee records exemption" to the Privacy Act 1988 (Cth) applied to the collection, as well as the use, of employees' personal information, a decision of the Commission suggests otherwise.
A further decision of the Office of the Australian Information Commissioner (OAIC) also highlights the narrow approach that may be taken when assessing the link between the employment relationship and the employee information the employer collects, required for the exemption to apply.
The employee records exemption
Private sector employers are exempted by section 7B(3) of the Privacy Act from many of the Australian Privacy Principles (APPs) when dealing with their employees' personal information.
To fall within the exemption, the personal information collected must direct relate to the employment relationship between the employer and employee and an employee record held by the organisation.
Collecting employee information not within the employee records exemption
In Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946, the Fair Work Commission found that the employee records exemption only applies once the employee information has been collected by the employer.
In this case, the employer introduced fingerprint scanners for employees to sign on and off a work site. An employee, Mr Lee, refused to use the scanners, citing concerns about the control of, and access to, his fingerprint. The Fair Work Commission held that the collection of personal information in the form of fingerprint scanning did not fall under the employee records exemption, as it related to the collection, and not the use, of the employee's personal information.
The Fair Work Commission found that an employee record is only "held" for the purposes of the employee records exemption once it has already been created, collected, and is in the employer's possession.
According to the Fair Work Commission, it follows that the act of collecting personal information from employees is not captured by the employee records exemption. That is, all personal information must be collected from employees in accordance with the Privacy Act and APPs. The corollary of this is that the exemption only applies to how an organisation handles personal information once collected.
Close connection to the employment relationship is needed for the employee records exemption
The sufficiency of the connection between the employee information collected and the employment relationship has also recently been tested.
In QF & Others and Spotless Group Limited (Privacy) [2019] AICmr 20, the employer gave employees' details to the Australian Workers Union and paid their membership fees, without their consent.
The OAIC found that disclosure of employees' information to a union by the employer had insufficient connection with the employment relationship to fall within the exemption. There needed to be an "absolute, exact or precise connection" to the employment relationship to be covered by the exemption. The employer was ordered to pay $60,000 compensation (including aggravated damages) to 14 employees and former employers.
Making sure when you can use the employee records exemption
These recent decisions both erode the scope of the employee records exemption and place greater burden on employers when collecting and handling their employees' personal information. Moreover, when viewing these two decisions together, it appears that they are a sign of a more general trend towards reining in exemptions to, and leniency towards, privacy obligations.
The impact of the OAIC decision is clear: it sends a clear message that the OAIC will not be lenient on the need for a sufficient connection to the employment relationship and employee records in order to attract the benefits of the employee records exemption.
The impact of the Fair Work Commission's decision is less clear. It has not yet been tested or endorsed by the OAIC or any superior court; the Commission's interpretation of the exemption is actually contrary to the OAIC guidelines. There would therefore appear to be viable arguments that the exemption should apply to the collection of personal information from employees, given the decision runs somewhat contrary to wording and apparent intent of the relevant statutory provisions.
Unless the Commission's decision is not followed by a superior court, or there is an amendment to the Privacy Act, however, it is the law, and employers may need to make substantial changes to many of the procedures and policies under which they collect information from their employees to ensure compliance with the APPs when collecting employees' information.
In particular, employers subject to the Privacy Act (ie. those with annual turnovers of $3 million or more) will be burdened with compliance with the general privacy obligations contained in the Privacy Act when collecting personal information from its employees. These obligations include the requirement to provide notice of collection of personal information, and, in some circumstances, to obtain consent to the collection of such information. This could be especially problematic where an employer reasonably directs an employee to undertake a medical assessment or drug and alcohol testing, but the employee refuses to consent to the collection.