As an employer, you will likely need to collect certain personal details from your employees. If you do, you should be aware of the laws that apply to this information. These laws include the Privacy Act 1988 and the European Union’s General Data Protection Regulation (‘GDPR’). These laws both apply to Australian businesses, but they have significantly different approaches to how you must treat employee records. This article discusses how you may use your employees’ personal information under these laws.

What Is Employee Personal Information?

Employee personal information, or personal data, is any information that identifies an employee. Many pieces of information in your employees’ records will be personal. 

For example, commonly collected pieces of personal information include an employee’s: 

  • postal address; and 
  • date of birth. 

As well as this clearly personal information, a lot of other data in an employee record will be personal information if it can be used with other data to identify the employee. 

For example, a person’s salary is not personal information in a set of anonymous analytical data. If the salary is recorded under an employee’s name in their file, however, it will be personal information.

An employee’s salary could also be personal information if it is in a list of salaries that makes it easy to attribute to a particular employee. For example, this could be the case if one salary is significantly higher than the others in a list. 

How Can I Use Employee Personal Information Under the Privacy Act?

Most Australian privacy laws are set out in the Privacy Act. These laws do not apply to every business in Australia. Instead, there are tests which determine whether the laws apply.

For example, whether the laws apply depends on whether your business has an annual turnover of $3 million or more.

The Exemption for Employee Records

If the Privacy Act applies to your business, it will regulate how you may collect, hold, use and disclose personal information from any individuals you deal with. Conveniently, however, the Privacy Act includes an exemption for employee records. This exemption means you may collect personal information from employees for the purpose of keeping employee records and managing their employment. However, you must be careful not to use your employees’ personal information for a purpose not directly related to their employment. Doing so may breach Australian privacy laws. 

For example, selling employees’ contact details as part of a marketing database would be considered a breach of the law. 

How Can I Use Employee Personal Information Under GDPR?

The GDPR regulates how you may use your employees’ personal information far more strictly. Unlike the Privacy Act, the GDPR applies to your employees’ personal data in the same way that it applies to the personal data of any other person.

These laws will only apply to Australian businesses in certain circumstances. They may apply to your business if you:

  • have a physical presence in the European Union (‘the EU’); 
  • target individuals in the EU to receive your goods and services; or 
  • monitor the behaviour of EU residents. 

If the GDPR applies to your business, you should ensure you have a clear understanding of your obligations under the law

Under the GDPR, you must have a legal basis to process any personal data you handle.

For example, you may be required by law to collect certain information (e.g. superannuation account information). 

You can also use consent from an employee as a legal basis for collecting a piece of personal data. You may need to do so if the personal data is not clearly linked to a legal obligation (e.g. health information about an employee). 

If you rely on consent, you must ensure that the employee: 

  • knows what they are consenting to; and 
  • agrees to the collection of their personal data. 

The employee’s consent must be a genuine choice. You may wish to use a consent form to obtain consent in these situations. 

Key Takeaways

When you collect personal information from employees, you should consider which privacy laws apply to you. These laws will affect how you process personal data. The requirements under different laws can vary greatly. For example, the Privacy Act contains an exemption for employee records and the GDPR does not.  If you have any questions, contact LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Jacqueline Gibson

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy