The section of the Report dealing with the employee records exemption highlighted significant debate and difference of opinion. Employers expressed a strong desire to retain or even strengthen the exemption; employee representatives consider reform is needed.
In that context the Report does not conclude how the changes should take effect, but proposals 7.1(a)-7.1(d) recommend stronger protection of private sector employee information, to:
- enhance transparency over what employee information is collected and why
- ensure employers have adequate flexibility to deal with employees’ information to administer the employment relationship (and address whether consent should be required to collect sensitive information)
- ensure adequate security and destruction measures around employee personal information, and
- notify employees and the OAIC of data breaches involving employee personal information.
What does this mean for my organisation?
Private sector employers who don’t yet have a good grasp of the breadth of information they collect and hold about their employees will need to stocktake their collection activities and sharpen their focus on why they collect such information; prepare appropriate collection notices and employee privacy policies (if not used already); and ensure employee information is appropriately covered in their security measures and considered in their data breach response plans.
Where to next?
Further consultation has been recommended on how the proposed protections should be implemented in legislation, and whether codes of practice to clarify obligations should be created.
However, change is clearly coming, and private sector employers should be looking at their current practices and policies to ensure they are appropriately safeguarding employee personal information, and to prepare for enhanced scrutiny of those processes so that they can proceed with minimum disruption to their business when the reform finally lands.