Australian privacy principles and application of the employee records exemption
The case of ALI and ALJ (Privacy) [2024] AICmr 131 sheds light on the scope of the employee records exemption under the existing Privacy Act 1988 (Cth) (Privacy Act) and reinforces employers’ privacy obligations to their employees. Gadens explains.
The case concerned an employer disseminating medical details to 101 head office employees about the health status of another employee who had suffered a medical episode at work.
After the employee complained to the Office of the Australian Information Commissioner, the employer was held to have breached Australian Privacy Principle (APP) 6.1, which governs the use or disclosure of personal information under the Privacy Act.
This came after the employer unsuccessfully relied on the employee records exemption within section 7B(3) of the Privacy Act, which required the act or practice in question to be directly related to the employment relationship.
In order to receive protection under the employee records exemption of the Privacy Act, the employer’s act or practice must directly relate to its employment relationship with the employee in question. An indirect, consequential or remote effect on the relationship is insufficient to enliven the exemption.
The words ‘directly related’ in the exemption are interpreted narrowly to mean ‘absolutely or exactly having connection’.
The fact that an employee’s personal information is already in the public domain does not relieve an employer of its privacy obligations in relation to the handling of that personal information.
The circumstances of the individual matter are important when determining the employer’s primary purpose for collecting the information. In cases of ambiguity, the Commission will apply a narrow construction to afford protection to the employee.
There is a distinction between the ‘use’ and ‘disclosure’ of an employee’s personal information. An employer will ‘use’ personal information by handling or managing the information within their own control, and will ‘disclose’ the personal information if it makes it accessible or visible to persons outside their organisation.
In these circumstances, the employer’s conduct would only have been permitted under the Privacy Act if consent had been obtained.