What will new privacy laws mean for HR?

2 employment lawyers weigh in with tips, best practices for human resources

BY Louis White 17 Mar 2023

The Commonwealth Government has undertaken a review of the Privacy Act and suggested forthcoming changes, which will have implications for Australian employers.

There has been debate about what information should be protected and what should be made public, and the proposed changes incorporate greater flexibility and create greater protections for personal information before it is used in ways which have high privacy risks.

Amongst the proposals are the following:

Recognise the public interest to society of protecting individuals’ privacy
Clarify what information should be protected under the Privacy Act
Ensure de-identified information is protected from misuse
Require risks associated with holding and using information relating to individuals to be considered and protections applied accordingly
Regulate ‘targeting’ of individuals based on information which relates to them but that may not uniquely identify them
Enable privacy codes to be made by the Information Commissioner in certain circumstances
Ensure risks to privacy resulting from the small business, employee records, political and journalism exemptions are addressed in a proportionate and practical way.

What is the impact for employers?

“Currently, the Privacy Act 1988 (Cth) provides an exemption for organisations that are employers from complying with the Privacy Act and the Australian Privacy Principles with respect to employee records, when used in the context of the employment relationship,” John Pegg, senior associate, Holman Webb Lawyers, said.

“The reason for the exemption is that it was argued that ancillary workplace legislation would be sufficient to regulate the handling of employee records.”

Pegg points out that The Privacy Act Review Report 2022 instigated by the Attorney-General’s Department proposes enhancing the privacy protections for private sector employees by:

providing enhanced transparency to employees regarding their personal and sensitive information (as those terms are defined in the Privacy Act) is being collected and used for
ensuring that employers have flexibility to collect, use and disclose employees’ personal information that is reasonably necessary to administer the employment relationship (noting that the scope of individual rights and the issue of whether consent should be required to collect employees’ sensitive information will be considered in this proposal)
ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required; and
notifying employees and the Office of the Australian Information Commissioner (OAIC) of any data breach involving the employees’ personal information which is likely to result in serious harm.

“Unsurprisingly, employers argue the exemption should remain - or should otherwise be strengthened - while employees believe that reform is required,” Pegg said. “The report leans towards reforming this issue but has left it open to further consultations on how changes should be implemented.

“These changes should be followed closely, as it is likely to change following further consultation with these groups.”

What does HR need to be aware of?

Any changes to privacy will affect the human resources department, as they are the custodians of employee data.

“Removal or restriction of the employer exemption to the Privacy Act will see an evolution of the role of human resources, to one that takes some responsibility for data governance and risk mitigation,” Gemma Dowling-Sinclair, HR advisor, Holman Webb Lawyers, said.

“The changes will require immediate action from human resource teams on two fronts – a comprehensive point-in-time review of employee data, and a redesign of existing systems to address compliance issues and downstream business impacts.

“Human resource teams will need to undertake a holistic review of employee data currently being held by the organisation and make plans to adequately manage that data.”

Previously an employment lawyer provided advice on how to handle privacy law and data breaches.

Questions that need to be asked by HR

Dowling-Sinclair also believes that human resource teams will need to map the use and purpose of this data to understand the flow-on effects of changes to data collection and storage procedures:

What data do we hold?
What data do we hold that is non-compliant with the new legislation?
What have we used this data for? Could copies exist elsewhere in our network?
Why did we begin collecting this data in the first place?
What reporting mechanisms will change or no longer be possible once we achieve compliance?
What downstream effects will this have on our employee management and support initiatives?

“Human resource teams must collaborate with data governance stakeholders on a program of work to achieve compliance with the new legislation and take charge of communications to keep employees informed of the changes to how their personal data is stored and managed,” she said.

“As the resident ‘people’ people, human resource teams must assume responsibility for educating managers and supervisors on the changes to legislation to mitigate the risk of unintentional breaches.”

As well as maintaining compliance in data collection and storage, human resource teams must measure the downstream impacts of changes to employee data collection and retention, including reporting, diversity and inclusion, workforce planning, and a myriad of other business practices, Dowling-Sinclair said.

“Where negative business impacts are apparent, human resource teams needs a seat at the table to help the business address and adjust to its new responsibilities.”