By Charles Power

As an employer, you are obligated to handle personal information according to federal and State or Territory legislation to:

• protect your employees’ entitlements to privacy; and
• prevent privacy law breaches occurring in your workplace.

Personal information is information from which you can reasonably ascertain an individual’s identity.

The Privacy Act 1988 (Cth) (the Act) sets out 13 APPs, which guide organisations in dealing with personal information.

The principles cover the following areas:

1. The open and transparent management of personal information.
2. Anonymity and pseudonymity.
3. The collection of solicited personal information.
4. Dealing with unsolicited personal information.
5. Notification of the collection of personal information.
6. Use or disclosure of personal information.
7. Direct marketing.
8. Cross-border disclosure of personal information.
9. Adoption, use or disclosure of government-related identifiers.
10. Quality of personal information.
11. Security of personal information.
12. Access to personal information.
13. Correction of personal information.

For more information, see the Australian Privacy Principles fact sheet.

When do the APPs apply?

Generally, the privacy laws only apply to private sector organisations with an annual turnover of more than $3 million, and Commonwealth public sector agencies.

The APPs only regulate personal information collected for inclusion in a record or generally available publication. They do not apply to information ‘carried in a person’s head’.

Although privacy laws will not usually apply to personal information relating to past or present employees, they will apply when you are dealing with personal information relating to the following ‘non-employees’:

• Prospective employees and job applicants;
• Independent contractors, including sole traders and consultants;
• Persons working in your workplace who are employed by a third-party employer, e.g. employees seconded or on-hired to your workplace by a labor-hire agency or a related entity; and
• Volunteers.

What happens if you breach the privacy laws?

The Privacy Commissioner has the power to investigate possible interferences with privacy, either on its own initiative or following a complaint by the individual concerned.

When an individual makes a complaint, the Commissioner will generally attempt to resolve the complaint by conciliation between the parties.

The Commissioner also has a range of enforcement powers and other remedies available, including:

• Applying to the courts for an injunction to restrain a person from engaging in conduct that would constitute a breach of the Act; and
• In relation to serious and repeated interference with privacy, seeking a civil penalty of up to $1.7 million (or $300,000 for individuals).

Are you liable for breaches by your employees?

Privacy breaches committed by your employees while performing their employment duties are taken to be an act done or practice engaged in by your organisation.

You may be liable for an employee breach if:

• The breach was in engaged in within the scope of the employee’s authority given to them by your business; and
• You did not take reasonable precautions or exercise due diligence to avoid the breach.