Privacy · 11 May 2026 · 7 min read

Employee Data Privacy: What Australian Employers Must Do with Staff Personal Information

Tags: privacy, employee records, Privacy Act, employer obligations, small business

When you hire someone, you collect a significant amount of their personal information — tax file numbers, bank details, emergency contacts, medical information, home addresses. As an employer, you are a custodian of that information, and the Privacy Act 1988 (Cth) imposes obligations on how you collect, use, and protect it.

Many employers are surprised to learn that even if their business falls below the $3 million annual turnover threshold and is therefore outside most of the Privacy Act, some employee record obligations still apply regardless of turnover: the Privacy (Tax File Number) Rule applies to every TFN recipient, the Fair Work Act 2009 record-keeping requirements apply to every national system employer, and state health records legislation applies to employers in the states that have it.

The Employee Records Exemption and Its Limits

The Privacy Act (section 7B(3)) exempts an act or practice of a private sector employer where it is directly related to a current or former employment relationship and to an employee record the employer holds about that individual. This is usually called the "employee records exemption."

What this means in practice: an employer does not need to comply with the Australian Privacy Principles (APPs) when handling an employee record, provided the handling is directly related to the employment relationship. Both limbs must be satisfied; handling an employee record for an unrelated purpose falls outside the exemption.

However, this exemption is narrower than many employers assume:

  • It does not cover prospective employees (job applicants), because no employment relationship exists yet
  • It does not cover contractors, labour hire workers or volunteers, who are not employees of your business
  • It does not apply to acts that are not directly related to the employment relationship, such as selling or on-selling employee data
  • It only applies to private sector employers; government agencies are fully subject to the APPs
  • Some states (notably Victoria, under the Health Records Act 2001 (Vic), and New South Wales, under the Health Records and Information Privacy Act 2002 (NSW)) have health records legislation with no equivalent exemption, so employee health information is regulated at state level independently of the federal Privacy Act

Information About Job Applicants

The employee records exemption does not apply to job applicants — they are not yet employees. This means you must comply with the APPs when collecting, using, and disclosing personal information about people applying for roles with your business.

Practical implications:

  • You should have a collection notice in your job application process explaining why you collect their personal information
  • You should not use application information for other purposes without consent
  • You should securely store and eventually delete application records for unsuccessful candidates
  • Reference checks must be conducted with appropriate care: you are collecting personal information about the applicant from third parties (their referees) rather than from the applicant directly, so obtain the applicant's consent first, tell referees why you are asking, and confine the questions to what is relevant to the role

What Employee Information Are You Allowed to Collect?

Even under the employee records exemption, there are limits. The Fair Work Act 2009 requires you to make and keep certain employment records, but you should not collect more personal information than is reasonably necessary for the employment relationship. Over-collection expands the volume of data you must secure and the impact of any breach.

Information typically necessary to maintain for employees includes:

  • Name, address, and contact details
  • Date of birth (where relevant to entitlements)
  • Tax file number (collected via TFN declaration)
  • Bank account details for payroll
  • Emergency contact details
  • Work history and qualifications (relevant to the role)
  • Superannuation fund details
  • Payroll records, timesheets, and leave records

Information that is potentially excessive (and should only be collected if there is a clear work-related reason):

  • Social media profiles (beyond those voluntarily provided by the applicant)
  • Detailed personal financial information beyond what is needed for payroll
  • Medical information beyond what is required for WHS or leave entitlement purposes

Employee Health Information

Employee health information is "sensitive information" under the Privacy Act. Where the employee records exemption applies, the APPs themselves do not, but the state health records legislation in Victoria and New South Wales has no equivalent exemption, so in practice employee health information is subject to higher standards than ordinary employee records.

You may need an employee's health information for purposes including:

  • Workers' compensation claims
  • WHS risk management (e.g., knowing about a condition that affects safe work)
  • Managing sick leave or incapacity
  • Implementing reasonable workplace adjustments for employees with disabilities or health conditions

When collecting health information:

  • Collect only what is necessary for the specific purpose
  • Do not share medical information beyond those who need it for the employment relationship
  • Store medical records separately from general employment records
  • Comply with state health records legislation (particularly in Victoria and NSW)
  • Obtain consent before requiring employees to undergo medical assessments, and ensure the results are used only for the stated purpose

Monitoring Employee Activity

Employer monitoring of employee activity — email, internet, phone, GPS, keylogging — is a significant and evolving area of privacy law.

Because the employee records exemption usually takes the Privacy Act out of the picture, workplace monitoring is governed mainly by state and territory surveillance legislation. You can generally monitor employee communications and activities if you have given clear advance notice and the monitoring is lawful under the applicable state law.

State surveillance laws, such as the Workplace Surveillance Act 2005 (NSW) and the Surveillance Devices Act 1999 (Vic), impose specific obligations, including:

  • Providing written notice to employees before monitoring commences (in NSW, at least 14 days before surveillance starts, stating what will be monitored and how)
  • Not using covert surveillance devices without authorisation
  • Specific rules for computer and network monitoring

Monitoring employees working from home raises additional issues — surveillance that is lawful in the workplace may not be lawful in a private home without consent.

Disclosing Employee Information to Third Parties

You can disclose employee information to third parties for purposes related to the employment relationship — for example, to payroll processors, superannuation funds, WorkCover, or industry training authorities. However:

  • You should only disclose what is necessary
  • You should ensure third-party service providers (cloud software, HR systems, payroll services) maintain appropriate data security
  • You should review and update your contracts with service providers to include appropriate privacy protections

Disclosure of employee information to family members, prospective employers, or other parties should only occur with the employee's consent — or where required by law (e.g., court order, regulatory body).

Sensitive Information: Extra Caution Required

The following categories of information about employees are "sensitive information" under the Privacy Act and attract additional protections:

  • Health information (including disability status)
  • Racial or ethnic origin
  • Political opinions
  • Membership of trade unions
  • Religious beliefs
  • Sexual orientation or practices
  • Criminal record
  • Genetic information, and biometric information or templates used for identification (for example, fingerprint or facial templates from a time-and-attendance system)

You must not collect sensitive information unless the employee consents and the collection is reasonably necessary for your business functions, or a specific exception applies. When you do hold sensitive information, you must take extra care to protect it from unauthorised access and disclosure.

Record-Keeping and Retention

Under the Fair Work Act, employment records must be kept for 7 years. However, APP 11.2 requires an entity to destroy or de-identify personal information once it is no longer needed for any purpose for which it may lawfully be used, so retention should be deliberate and time-limited rather than indefinite.

For employment records, a practical approach is:

  • Maintain records for 7 years from the end of employment (to meet Fair Work Act requirements)
  • Securely destroy records after 7 years unless there is a specific reason to retain them longer (e.g., outstanding workers' compensation claim)

Do not simply archive old employee files and forget them — each file you retain is a potential security risk and a potential data breach.
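The retention rule above (7 years from the end of employment, destroy unless a specific reason such as an open workers' compensation claim requires longer) is easy to state and easy to neglect. The script below is an added example, not part of the original article or any Reguladar product: it sweeps a constructed employee records register and classifies each record as active, still within retention, eligible for secure destruction, or on legal hold. The CSV column names and the sample rows are assumptions for illustration; adapt them to your HR system's export.

```python
"""Retention sweep for an employee records register (added example)."""
import csv
import io
from datetime import date

RETENTION_YEARS = 7  # retention period discussed in the article (Fair Work Act)

# Constructed sample register with an assumed column layout (not a real export).
# legal_hold holds a free-text reason the record must be kept past retention.
SAMPLE_REGISTER = """employee_id,record_type,employment_end,legal_hold
E001,payroll,2016-03-31,
E002,payroll,2019-11-15,
E003,medical,2015-06-30,workers compensation claim open
E004,payroll,,
E005,medical,2016-02-29,
"""


def destroy_after(end_iso: str, years: int = RETENTION_YEARS) -> str:
    """Return the ISO date from which a record ending on end_iso may be destroyed.

    A 29 February end date is clamped to 28 February in the target year.
    """
    end = date.fromisoformat(end_iso)
    try:
        out = end.replace(year=end.year + years)
    except ValueError:  # 29 Feb does not exist in the target year
        out = end.replace(year=end.year + years, day=28)
    return out.isoformat()


def classify(row: dict, today_iso: str) -> dict:
    """Decide what to do with one register row as at today_iso.

    Outcomes:
      active  - no employment_end recorded, the person is still employed
      retain  - still inside the retention period
      hold    - retention expired but a legal_hold reason is recorded
      destroy - retention expired and no hold, eligible for secure destruction
    """
    end_raw = (row.get("employment_end") or "").strip()
    hold = (row.get("legal_hold") or "").strip()
    result = {
        "employee_id": row["employee_id"],
        "record_type": row["record_type"],
        "destroy_after": None,
        "action": "active",
        "reason": "",
    }
    if not end_raw:
        return result
    cutoff = destroy_after(end_raw)
    result["destroy_after"] = cutoff
    if date.fromisoformat(today_iso) < date.fromisoformat(cutoff):
        result["action"] = "retain"
    elif hold:
        result["action"] = "hold"
        result["reason"] = hold
    else:
        result["action"] = "destroy"
    return result


def sweep(register_csv: str, today_iso: str) -> list[dict]:
    """Classify every row of a CSV register."""
    reader = csv.DictReader(io.StringIO(register_csv))
    return [classify(row, today_iso) for row in reader]


def destruction_list(register_csv: str, today_iso: str) -> list[str]:
    """Employee IDs whose records are eligible for secure destruction today."""
    return sorted(
        r["employee_id"]
        for r in sweep(register_csv, today_iso)
        if r["action"] == "destroy"
    )


if __name__ == "__main__":
    # Run against the constructed register as at the article's publication date.
    for record in sweep(SAMPLE_REGISTER, "2026-05-11"):
        print(record)
    print("eligible for destruction:", destruction_list(SAMPLE_REGISTER, "2026-05-11"))
```

Records on hold are reported with their reason so the hold can be reviewed and lifted, rather than silently extending retention forever. The output of `destruction_list` is a list to action with secure destruction (shredding, or deletion from every copy including backups), not an automatic delete, since that decision should be reviewed by a person.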

Data Security for Employee Records

A data breach affecting employee records can have serious consequences — financial, reputational, and legal. Your security obligations include:

  • Secure storage of physical documents (locked cabinets, limited access)
  • Secure storage of electronic records (access controls, encryption)
  • Secure disposal of records when retention periods expire
  • Password management and access control for HR and payroll systems
  • Training staff who access employee records on privacy and security obligations

If a data breach occurs involving employee personal information, you may have obligations under the Notifiable Data Breaches scheme (if you are subject to the Privacy Act, and in any case for tax file numbers, because the scheme applies to every TFN recipient in relation to TFN information) and/or under the relevant state or territory health records legislation. Know in advance which of these apply to you, so the decision is not being made for the first time during an incident.

How Reguladar Helps

Employee data privacy is one of several overlapping obligations that Australian employers must manage — alongside employment law, WHS, and tax compliance. Reguladar surfaces these interconnected obligations in a single, personalised dashboard, ensuring you are not missing privacy requirements while focusing on other areas.

As privacy law reforms continue to evolve — particularly in the context of employee monitoring and health data — Reguladar flags changes that affect your business and what you need to do to stay compliant.

Understand your employee privacy obligations. Start your free compliance check at Reguladar and see your complete employer compliance profile today.
