As an employer, you will likely need to collect certain personal details from your employees. If you do, you should be aware of the laws that apply to this information. These laws include the Privacy Act 1988 and the European Union’s General Data Protection Regulation (‘GDPR’). These laws both apply to Australian businesses, but they have significantly different approaches to how you must treat employee records. This article discusses how you may use your employees’ personal information under these laws.
What Is Employee Personal Information?
Employee personal information, or personal data, is any information that identifies an employee. Many pieces of information in your employees’ records will be personal.
As well as this clearly personal information, a lot of other data in an employee record will be personal information if it can be used with other data to identify the employee.
How Can I Use Employee Personal Information Under the Privacy Act?
Most Australian privacy laws are set out in the Privacy Act. These laws do not apply to every business in Australia. Instead, there are tests which determine whether the laws apply.
The Exemption for Employee Records
If the Privacy Act applies to your business, it will regulate how you may collect, hold, use and disclose personal information from any individuals you deal with. Conveniently, however, the Privacy Act includes an exemption for employee records. This exemption means you may collect personal information from employees for the purpose of keeping employee records and managing their employment. However, you must be careful not to use your employees’ personal information for a purpose not directly related to their employment. Doing so may breach Australian privacy laws.
Continue reading this article below the formHow Can I Use Employee Personal Information Under GDPR?
The GDPR regulates how you may use your employees’ personal information far more strictly. Unlike the Privacy Act, the GDPR applies to your employees’ personal data in the same way that it applies to the personal data of any other person.
These laws will only apply to Australian businesses in certain circumstances. They may apply to your business if you:
- have a physical presence in the European Union (‘the EU’);
- target individuals in the EU to receive your goods and services; or
- monitor the behaviour of EU residents.
If the GDPR applies to your business, you should ensure you have a clear understanding of your obligations under the law.
Under the GDPR, you must have a legal basis to process any personal data you handle.
You can also use consent from an employee as a legal basis for collecting a piece of personal data. You may need to do so if the personal data is not clearly linked to a legal obligation (e.g. health information about an employee).
If you rely on consent, you must ensure that the employee:
- knows what they are consenting to; and
- agrees to the collection of their personal data.
The employee’s consent must be a genuine choice. You may wish to use a consent form to obtain consent in these situations.
Key Takeaways
When you collect personal information from employees, you should consider which privacy laws apply to you. These laws will affect how you process personal data. The requirements under different laws can vary greatly. For example, the Privacy Act contains an exemption for employee records and the GDPR does not. If you have any questions, contact LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.
We appreciate your feedback – your submission has been successfully received.
