Privacy at work: Employer do’s and don’ts
‘Privacy at work’ was the subject of our last article, where we provided a crash course on the topic of an employer’s obligations regarding privacy under the Australian Privacy Principles (“APPs”).
This week, we further consider the topic of privacy at work from a more practical perspective, and answer some of the questions that we are frequently asked by our clients about the Privacy Act 1988 (Cth) (“Privacy Act”). If you haven’t already read our last client alert, we highly recommend you catch up on it before reading on.
Q: Does my business need to comply with the APPs?
A: If your business has an annual turnover of $3,000,000 or more – yes, your business is classified as an “APP entity” that is subject to the provisions of the Privacy Act.
If your business has an annual turnover of less than $3,000,000 – your business is classified as a “small business operator” and does not have to comply with the APPs, unless your business:
- provides a health service or otherwise holds health information (other than in an employee record). This includes medical and allied health service providers, but also gyms, private schools, and other entities;
- discloses or collects personal information about another individual for a benefit, service or advantage. For instance, a business that sells customer lists to a marketing company;
- is related to a larger body corporate that has an annual turnover of $3,000,000 or more;
- is a Commonwealth contracted service provider – that is, an entity that has been contracted to provide services to, or on behalf of, the Australian Government and its various agencies;
- carries on a credit reporting business; or
- is a registered employee association.
If any of the above characteristics is true of your business, you must comply with the APPs, irrespective of your business’ annual turnover, to ensure you meet your obligations regarding privacy at work.
Q: Do I need a Privacy Policy?
A: APP 1 states that all APP entities must implement and maintain a clearly expressed policy about how the entity collects, uses and discloses personal information.
Q: What information needs to be included in my business’ privacy policy?
A: Such a policy must contain, at a minimum:
- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds personal information;
- how an individual whose personal information is held by the entity may access, and seek the correction of, such information;
- how an individual may complain about a potential breach of the APPs, and how the entity will deal with such a complaint;
- whether the entity is likely to disclose personal information to overseas recipients; and
- if so – the countries in which such recipients are likely to be located, if it is practicable to specify these countries.
Further, to meet their obligations regarding privacy at work, all APP entities must produce a copy of their privacy policy upon request by an individual.
Q: One of my workers has tested positive to COVID-19. Can I disclose this information to the rest of my workforce?
A: It is uncontroversial that a business has a number of work health and safety (“WHS”) obligations that arise when one of its employees or other workplace participants tests positive for COVID. These include:
- directing the worker to return home directly, if they have not already done so;
- cleaning and disinfecting areas used by the person who has tested positive to COVID;
- assessing how much contact other workers had with this person while they may have been infectious, and directing people to go home and undertake a COVID test if necessary; and
- advising other workplace participants of the situation.
What is less clear is whether a business is in breach of its workplace privacy obligations if its communications to the broader workforce identify the person who has tested positive, considering that this information is ‘sensitive’ information about the individual’s health.
The primary position under the Privacy Act is that disclosure of sensitive information may only occur with the individual’s consent unless an exemption applies. As such, the simplest way to deal with this issue is to seek the individual’s consent for any necessary disclosure that the individual has COVID. In the vast majority of cases, we do not consider that this request is likely to be problematic.
But what happens if the individual does not consent to this information being disclosed? This becomes more complicated for businesses, and it may be appropriate to undertake a ‘tiered’ approach to disclosure, whereby only high-risk individuals (i.e., someone who sat immediately next to the COVID-positive worker for an extended period of time) are advised of the identity of the individual, whilst the rest of the workforce is simply advised that a COVID-positive individual attended the workplace.
The general rule that sensitive information can only be disclosed with the individual’s consent does not apply in circumstances where the purpose of the disclosure is the same as the purpose for which the information was collected. In other words, if a business circulates information to its workforce that clearly advises why this information is collected, and how the business will use the information once collected – to advise the workforce of the COVID-positive case in the workforce – it is unlikely that the business will be in breach of its workplace privacy obligations by subsequently relying on that policy to inform other workers about the COVID-positive case.
Q: My business discloses personal information to overseas recipients. How do the APPs apply in these circumstances?
A: In addition to being bound by the obligations that generally regulate the way APP entities collect and deal with personal information, APP 8 imposes further obligations where cross-border disclosure of personal information occurs. Generally speaking:
- APP entities must take reasonable steps to ensure that the overseas recipient will not act in such a manner that would breach the APPs before they disclose the information to that recipient; and
- APP entities will be held liable and accountable for any act or practice by the overseas recipient that would breach the APPs, as though the APP entity themselves had committed the breach.
These principles and requirements do not apply if:
- the individual has provided consent to the cross-border disclosure; and/or
- the entity believes the overseas recipient is bound by privacy laws which are substantially similar to the APP, such as the United Kingdom or members of the European Union; and/or
- the entity is required to make the disclosure by law.
It is important to note that, while the sharing of personal information between related bodies corporate generally does not enliven the APPs, APP 8 still applies where an organisation sends personal information to a related body corporate outside of Australia. Businesses that are related to overseas entities and send personal information about their workforce or customers to such entities must be mindful of this APP – for instance, where a business stores personal information about contractors (or employees, in circumstances where the employee records exemption does not apply) on servers that are operated by its related overseas entity.
For this reason, it is vital that the employment contract or contractor agreement specifically deals with this issue and states that the individual by accepting the contract agrees to the disclosure.
Q: Does the Privacy Act ever apply to overseas entities?
A: As above, APP 8 imposes additional obligations on APP entities that disclose information to overseas recipients – but are there circumstances in which the APPs can apply to these overseas entities?
The answer is yes.
The threshold for this to occur is that the overseas entity has an ‘Australian link’, which is satisfied if any of the following criteria is met:
- the entity was formed in Australia; and/or
- the entity has its central management and control in Australia; and/or
- the entity otherwise carries on a business and collects or holds personal information in Australia.
A number of indicators may be used to determine whether an entity is “carrying on a business” within Australia. These may include whether the entity has an agent or agents within Australia; operates a website offering goods or services to Australia; actions purchase orders within Australia; or collects personal information from a person who is physically in Australia.
The scope of the ‘Australian link’ test was recently considered by the Full Federal Court in Facebook Inc v Australian Information Commissioner [2022] FCAFC 9.
In this case, Facebook was appealing an interlocutory decision by the Federal Court that the OAIC had a prima facie case that Facebook had an ‘Australian link’ within the meaning of s 5B(3) of the Privacy Act, in the context of allegations that Facebook had breached the APPs in the course of its collection of personal information of Australian users.
Facebook argued that it was not carrying on a business in Australia, as the company has no physical assets, customers or revenues in Australia. This argument was rejected by the Full Court, which held that Facebook did not need a physical presence in order to carry on a business in Australia. As to whether Facebook had collected personal information by installing cookies on the devices of Australian users, the Full Court found it relatively easy to infer that such cookies, which were used in the process of targeted advertising, were being used for the purpose of collection of personal information.
The decision provides clarity that the APPs can even apply to overseas entities that do not have a physical presence in Australia, provided such entities carry on a business in Australia – a practice which is becoming increasingly common in the digital world.
Final thoughts on privacy at work
As with all matters, it is our strong recommendation that employers take a proactive approach to ensuring they meet their obligations regarding privacy at work, rather than engaging in retrospective ‘damage control’ after it all goes wrong.
We recommend that employers regularly and thoroughly review their privacy procedures, and ask themselves the following questions:
- Do the APPs apply to the business?
- Does the business have an up-to-date privacy policy, which is available to individuals upon request?
- What personal information is the business collecting, using, disclosing, or otherwise maintaining?
- Does the business collect or deal with any sensitive information?
- If the information relates to an employee – does the information directly relate to the employee’s employment with the business?
- Does the business deal with personal information of contractors, agents, interns, prospective employees, or volunteers?
- How does the business ensure the personal information it stores is secure and accurate?
- Does the business engage in any cross-border disclosure of the personal information it holds?
As a reminder, we are hosting a breakfast seminar on Wednesday, 8 June 2022 for our clients in Sydney, at which we will further discuss employers’ privacy obligations. If you would like further information regarding this seminar, or otherwise wish to discuss any aspect of this client alert or require specialist advice or assistance in relation to this article, please do not hesitate to contact the writers.
This article is not intended to constitute, and should not be treated as, legal advice.