How far does the employee records exemption in the Privacy Act reach?

'Secondary purpose' for collecting information can trip up employers

It is well known that there is an exemption to the requirements of the Australian Privacy Act 1988 (Cth) (Act), which means that an employer does not need to comply with the provisions of the Act in dealing with “employee records.” 

What is (and importantly is not) an employee record was the subject of a recent determination of the Australian Privacy Commissioner, ALI and ALJ (Privacy) [2024] AICmr 131 (20 June 2024).

An employee of the respondent business suffered a medical episode in the carpark at work (arising from a pre-existing condition) and was subsequently transported to a nearby hospital. This event was witnessed by a number of the employee’s colleagues.

The employee’s husband sent a text message to the employee’s manager stating that his wife was recovering well. The manager then emailed 110 staff about the incident, and included all of the following information in the email:

  • the employee’s full name
  • the full name of the husband
  • that the employee had experienced a medical event at work the previous day
  • the name of the hospital where she was treated
  • the status of her health.

The employee complained that the email interfered with her privacy in breach of the Privacy Act and sought economic and non-economic loss from the respondent.

Employee records exemption

The employer argued that the email update fell within the “employee records exemption” and that it was only discharging its obligation to ensure the welfare of its employees under the Work Health and Safety Act 2011 (NSW) (WHS Act), by disclosing the information.

Perhaps not surprisingly, the Commissioner found that the employee records exemption did not apply to the manager’s email.

The Commissioner found the employer’s reason for sending the email was not “directly related” to the employment relationship between the employer and the employee. The words “directly related” mean “an absolute, exact or precise connection” to the employment relationship between the employer and the individual, which was (perhaps obviously) not satisfied in the present case.

Since the employee records exemption did not apply, the Commissioner found that the respondent was required to comply with the requirements of the Privacy Act, including Australian Privacy Principle (APP) 6, when sending the email, which requires an entity to only use or disclose personal information for:

  • a “primary purpose” (the purpose for which it was collected); or
  • a “secondary purpose,” but only if the individual consents or reasonably expects the secondary use or disclosure.

The Commissioner held that the primary purpose for collecting information about the employee’s health from her husband was to ensure the employee’s welfare and enable the respondent to meet its work health and safety obligations to the employee. This was not the reason why that information was then disclosed to other staff.

It was held that the respondent used the personal information for a “secondary purpose,” i.e. to ensure the welfare of other employees, in accordance with its obligations under the WHS Act.

Breach of privacy

The Commissioner found this was a breach of APP 6, because the employee neither consented to this disclosure nor could reasonably have expected this secondary use.

The employee was awarded $3,000 for non-economic loss and $125.10 for the expenses incurred in attending psychological appointments after the disclosure.

It was, in our view, entirely reasonable for the employer to update its employees in relation to the employee’s health and particularly in relation to an incident some of them may have witnessed. However, there was absolutely no reason for it to communicate that amount of detail nor to the large number of employees that it did.

A more sensible email update to staff would have included:

  • a limited email distribution list
  • no reference to the husband’s name
  • no reference to the hospital the employee attended
  • a very brief update about the employee’s health status.

An email to the following effect would suffice in these circumstances:

“We understand you may have witnessed an incident in the carpark on [day], involving your colleague, [name]. We are happy to report s/he is recovering well and hopes to return to work shortly. In the meantime, if the events have distressed you or you would like to discuss them or have any queries from customers in relation to her/his whereabouts, please direct those to [colleague name].”

Key takeaways

If you wish to benefit from the employee records exemption, ensure that the handling of employee records has “an absolute, exact or precise connection” with the employment relationship between the employer and the individual.

Identify the primary and secondary purposes of collecting the employee’s personal information, so that consent is obtained if you wish to disclose the information for a secondary purpose rather than the purpose for which it was collected.

Kristy Peacock-Smith is a partner in the International HR Services Group at Bird & Bird in Sydney. Hamish Fraser is the lead partner in the Australian IT and Communication Groups at Bird & Bird in Sydney. Thomas Du is a senior associate in the International HR Services Group in Sydney. The authors also acknowledge Jonathan Wong for his contribution to this article.