Data Processing in the Employment Context
Is an identified legal basis required in order to collect or process personal data or sensitive personal data in the employment context?

Last review date: 31 December 2024

Yes

Under the Privacy Act, an act done, or practice engaged in, by an organization that is or was an employer of an individual, is exempt from the requirements of the APPs if the act or practice is directly related to: (a) a current or former employment relationship between the employer and the individual; and (b) an employee record held by the organization and relating to the individual (the "employee records exemption").

An employee record is a record of personal information relating to the employment of the employee (examples given in the Privacy Act include health information about the employee and personal information about emergency contacts, salary/wages, employee tax, banking and superannuation affairs, leave and union/association membership).

Where the employee records exemption applies, the requirements of the APPs (including requirements relating to sensitive information specifically) will not apply.

Be aware that the employee records exemption will not apply to an APP entity's processing of personal information of job applicants, temporary workers or independent contractors who are not employees, or employees of other entities, or to processing that is not directly related to an employment relationship (e.g., the contents of non-work-related communications).

Additionally, while it is not a direct or binding interpretation of the Privacy Act, a decision of the Fair Work Commission took the view that the employee records exemption did not apply to the collection of employee sensitive information, as that information was not yet "held" by the employer, and therefore in that particular instance the employee's consent would be required to collect that information. The OAIC has not disputed this interpretation of the employee records exemption. If the interpretation is correct, the implication is that APP collection notice requirements need to be followed by an employer for its employees.

Where the employee records exemption does not apply, the standard requirements of the APPs apply.

In addition, some States and Territories have workplace surveillance laws that will need to be complied with when surveilling workers.

Looking forward, the review of the Privacy Act considered whether reforms are needed in relation to employee personal information. The OAIC proposed removing the exemption in its submissions to the review, and the review report recommends modifying the exemption – subject to further consultation – so that enhanced privacy protections are extended to private sector employees, while retaining sufficient flexibility for employers to process information to administer individuals' employment. The government response to the report agreed in-principle with that proposal.

Can consent be validly obtained in the employment context?

Last review date: 31 December 2024

Yes, but this consent is typically more difficult to establish in an employment context (specify details below)

The Privacy Act does not specify that employee consents are invalid or apply specific requirements for obtaining these kinds of consents. However:

  • It can be difficult in the employment context to confirm that consent is voluntary (and therefore valid)
  • Employment and workplace surveillance laws will need to be complied with when seeking consent

The review of the Privacy Act noted that there are concerns about employees' ability to freely consent to employers' collection of their personal information. As noted in the previous response, the review report recommends revamping the employee records exemption, and the government agrees in-principle (subject to further consultation), but it is not clear what specific changes would be made to the process of obtaining employee consent.

Has the data privacy regulator issued guidance on use of artificial intelligence, automated decision making or profiling in an employment context – for example, relating to use in employee monitoring or hiring?

Last review date: 31 December 2024

Yes

If yes, please provide a link.

On 21 October 2024, the OAIC issued guidance on how Australian privacy law applies to artificial intelligence and set out the regulator’s expectations. Specifically, the OAIC released:

The guidance on privacy and the use of commercially available AI products includes examples and guidance on the use of AI in an employment context.

Additionally, the OAIC has issued various publications which give a sense of its viewpoint on these subjects generally (not specifically in the employment context):

For completeness, the eSafety Commissioner has issued a Position Statement on Generative AI, which evaluates the existing landscape of generative AI, the technology's life cycle and examples of positive and negative uses of it that will inform the eSafety Commissioner's regulatory approach to the technology. Among the key risks for businesses identified in the statement, the Commissioner flagged privacy concerns, noting that generative AI models may leverage personal and sensitive information, raising the risk of data breaches and potential harm to individuals.