In Short
- Employers must handle employees’ personal information responsibly, adhering to the Privacy Act 1988 (Cth) if applicable.
- Collect only necessary personal information and use it solely for legitimate employment purposes.
- Inform employees about data collection practices and implement measures to protect their personal information from misuse or unauthorised access.
Tips for Businesses
Regularly review your data handling practices to ensure compliance with privacy laws. Develop clear policies outlining how employee information is collected, used and protected. Providing training to staff on privacy obligations can help maintain trust and prevent potential breaches.
Ensuring employees’ privacy is a critical aspect of running a business. However, it is worth noting that certain businesses may not be bound by the obligations of the Privacy Act 1988 (Cth) (the ‘Act’). Only businesses that meet specific criteria are mandated to comply with the Act. Nevertheless, it is essential to understand the possible privacy obligations that your business may have, even if it is not required to comply with the Act. Such knowledge is necessary to ensure your business operates according to best practices. This article will outline a few principles that every business should know.
Are There Special Rules for APP Entities?
An APP (Australian Privacy Principles) entity can be a sole trader, partnership, trust, company or unincorporated association. As mentioned above, not all businesses need to comply with the Act; however, APP entities must comply. Usually, businesses with an annual turnover of more than $3 million will be considered an APP entity. However, some businesses with an annual turnover of $3 million or less are still APP entities. These exceptions include businesses that:
- provide a health service and hold health information;
- disclose personal information about another individual to anyone else for a benefit, service or advantage;
- provide a benefit, service or advantage in order to collect personal information about another individual from anyone other than that individual; or
- are contracted service providers under a Commonwealth contract.
APP entities must have a clearly expressed and up-to-date privacy policy. The policy must include details such as:
- the kinds of personal information the business collects and holds;
- how the business collects and holds that information;
- the purposes for which it collects, holds, uses and discloses that information;
- how an individual can access their personal information and seek its correction;
- how an individual can complain about a breach of the APPs and how the complaint will be handled;
- whether the business is likely to disclose personal information to overseas recipients; and
- if so, the countries in which those recipients are likely to be located, where practicable.
What Happens With My Employee’s Information?
Employees should be able to trust that their employer protects their privacy, as the employer holds extensive information about them. From the recruitment stage onward, an employer typically collects an employee's:
- name;
- bank account;
- tax file number; and
- educational background.
Under the Act's employee records exemption, an employer's handling of an employee record is exempt only where it is directly related to the current or former employment relationship. The Act therefore applies when the employer uses the collected information for a purpose unrelated to that relationship. To work according to best practices, you should inform employees about:
- when personal information is collected;
- the purpose of collecting the information;
- how employees can access the information; and
- whether you plan to share the information with other entities.
Can I Disclose an Employee's Information?
In certain situations, it may be necessary to disclose an employee's information to a third party. Third parties that may have access to an employer's records, and the reasons for doing so, include:
- Fair Work Inspectors: determining whether an employer is meeting its obligations;
- government agencies: carrying out their functions, such as the Australian Taxation Office collecting tax information; and
- employee associations (unions): investigating suspected breaches of an employer's obligations.
Key Takeaways
If you are an APP entity, you have additional privacy requirements, such as complying with the Privacy Act and maintaining a privacy policy. However, every business should protect its employees' privacy, and if it needs to disclose their information, it should inform them.
If you need help maintaining your privacy obligations while collecting employees’ information, our experienced employment lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
The Privacy Act covers APP entities, which can be sole traders, companies, unincorporated associations, partnerships or trusts. An APP entity typically has an annual turnover of more than $3 million. Some businesses with a lower turnover are also APP entities, such as health service providers that hold health information and businesses that trade in personal information.
If you need to disclose your employees’ information, you must inform them. Tell your employees when you collect personal information, the purpose of collecting it, how they can access it, and whether you will share this information with separate entities like the Fair Work Ombudsman.