
Navigating Employee Data Privacy: A Guide for HR Leaders

Anyone who has onboarded a new employee recently knows that the process requires a fair amount of paperwork, including several personal data disclosures. Recent attacks against large corporations make it more important than ever to review how your organisation collects, stores and deletes employee data.

Collecting and keeping information about your employees isn’t just good practice; in Australia the Fair Work Act 2009 requires it. Employers must make and keep accurate and complete records for all their employees, including general records, pay records, hours of work, leave and superannuation contributions, and retain them for seven years.

The Privacy Act 1988 sets out requirements for collecting, storing, using and disclosing personal information, including information about employees and job applicants. These requirements are called the Australian Privacy Principles (APPs). The Privacy Act 1988 also sets out additional rules and higher standards for collecting and handling sensitive information.

These requirements apply to:

  •  businesses with an annual turnover of $3 million or more
  •  all private health service providers
  •  a limited range of small businesses
  •  all Australian Government agencies

Even if your organisation doesn’t fall under one of these categories, it’s still a good idea to aim to comply with the privacy principles as a matter of best practice.


Employee Records

As mentioned above, employers need to collect and store details about their employees in an employee record. These records may include:

  • The employee’s personal and emergency contact details
  • Information about terms and conditions of employment
  • Wage or salary information
  • Leave balances
  • Work hours
  • Dates of engagement, resignation or termination of employment
  • Information about training and performance
  • Banking or superannuation details
  • Union, professional or trade association membership information

Employee records about current or former employment relationships are not always subject to the Australian Privacy Principles. The employee records exemption applies to private sector organisations when an act or practice is directly related to a current or former employment relationship between the employer and the individual and to an employee record about that individual. It does not extend to Australian Government agencies.

Put simply, private sector employers don’t have to follow the APPs when handling an employee record for matters directly tied to that employment. However, the exemption is narrow: information about an employee that isn’t held in an employee record, or that is used for a purpose unrelated to the employment relationship, may still be covered, so employers shouldn’t assume they’re always exempt.

The Australian Privacy Principles do apply to personal information about unsuccessful job candidates. This can include applicants’ resumes, contact details, references and academic transcripts.


Learn the Australian Privacy Principles

The Privacy Act 1988 lays down 13 principles that govern the handling of personal information. These principles cover the collection, use and disclosure of personal information, as well as its accuracy, security and integrity, and the individual’s right to access and correct it.

We suggest reviewing the APP guidelines in their entirety, but here are some of the key requirements you should know when collecting personal data for hiring purposes:

Lawful and Fair Collection: When collecting employee data, ensure it’s done lawfully and fairly (APP 3). This means obtaining information directly from the individual via a secure channel wherever possible, notifying them at or before the time of collection of who is collecting it, why, and who it may be disclosed to (APP 5), obtaining consent where the information is sensitive, and only collecting information that is reasonably necessary for your organisation’s legitimate functions or activities. Organisations should carefully consider what is and isn’t needed to engage an employee, and not collect the rest.

Sensitive Information Handling: Certain types of personal information, such as health records, criminal record information, biometric data or information about religious beliefs, racial or ethnic origin, or union membership, are defined as sensitive information. The APPs impose stricter requirements on handling such information, requiring consent for collection and limiting its use and disclosure. Passport and visa details are not sensitive information under the Act’s definition, but a passport number is a government related identifier, and APP 9 restricts an organisation from adopting it as its own identifier or using and disclosing it except in limited circumstances. Treat identity documents with the same care as sensitive information regardless, because they are prime targets for identity fraud if exposed.

Security Measures: Safeguarding employee data from misuse, interference, loss, and unauthorised access, modification or disclosure is required by APP 11. Implement security measures proportionate to the sensitivity of the data, including encryption at rest and in transit, access controls that limit who in HR and payroll can view identity documents, logging of that access, and regular audits. Collecting passport details by email and storing the scans in an unsecured location (a desktop folder or a shared inbox, for example) does not meet the requirements of the APPs.

Data Accuracy and Quality: Maintaining accurate, up-to-date and complete employee records is required by APP 10. Verify the accuracy of information at the time of collection and periodically review and update records so they remain relevant and reliable; visa conditions and expiry dates in particular change over time and should be rechecked rather than assumed.

Retention and Deletion: Determine retention periods for each category of employee data based on legal requirements and operational needs. Fair Work records must be kept for seven years, but identity documents such as passport scans collected for a right-to-work check have no equivalent minimum retention period, so decide deliberately how long you need them (for example, to evidence that the check was performed) and document that decision. Once information is no longer needed for any purpose for which it may lawfully be used or disclosed, APP 11 requires you to take reasonable steps to destroy or de-identify it. Retaining identity documents for employees who have exited the business adds to the impact of any breach without adding any benefit.

Transparency and Accountability: Be transparent about your organisation’s data handling practices (APP 1) and give employees access to their personal information on request (APP 12), along with a way to have it corrected (APP 13). Maintain a clear, readily available privacy policy that explains what personal information you collect and how it is stored, used, disclosed and managed. If you have the resources, designate a privacy officer responsible for overseeing compliance with the APPs and handling privacy-related inquiries or complaints.

Prioritising data privacy isn’t just a legal obligation; it’s a fundamental aspect of responsible HR management. By incorporating the principles outlined in the Privacy Act 1988 into your organisation’s data handling practices, you can uphold the rights of your employees while safeguarding sensitive information from potential breaches or misuse.

CheckWorkRights follows these principles when we collect, use and disclose personal information with other parties such as the Australian Department of Home Affairs and Australian employers. Using CheckWorkRights to collect, process, store, automatically update, and securely destroy visa and passport data can help your organisation meet the legislative requirements for employee privacy while saving your team valuable time. You’ll get peace of mind knowing CWR is handling your data security and accuracy for you. Book a demo today to leave manual data processes behind.

Disclaimer: The information provided in this article is general only and is not to be taken as migration advice. Please be aware that visas and regulations are subject to frequent change. It is advisable to verify the latest information from the Department of Home Affairs (DHA) and/or seek specific advice relating to your circumstances from a MARA Registered Migration Agent.