Data privacy
Australia
Australia has stringent data privacy obligations. As a general rule, personally identifiable data may only be processed if it is required for the performance of the employment contract and constitutes an employee record. Certain acts and practices are exempt from the application of Australia's data privacy laws, but there are strict criteria which must be met for an exemption to apply. Employee records are generally exempt, but this exemption will not apply to documents that come into existence prior to the employment relationship (eg, pre-employment or hire documentation) or to documents relating to any contractors engaged by the business. At the time it collects personal information, the employer is required to provide the individual with a statement setting out the company's obligations under Australia's data privacy laws and the individual's rights. Further restrictions apply for sensitive personal data.
Employee records – with the exception of tax file numbers – are not covered by the Australian notifiable data breach regime, which requires notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals of any data breach that could result in serious harm. However, the OAIC advises that it is good practice for employers to notify employees affected by a data breach so that they may take protective action.
The monitoring of individuals and their data is covered by various pieces of surveillance legislation in each state or territory. Essentially, surveillance of employees is prohibited in sensitive areas, such as washrooms and change rooms, unless the surveillance device is installed pursuant to a warrant or authorization. Surveillance is permitted in public areas if it conforms with relevant legislation. The monitoring of an employee's use of a work computer (ie, emails and internet browsing) is governed by specific laws in some states.