9 April 2025

Protecting employee privacy: Practices for managing health and other personal information

As an employer, appropriately managing your employees’ personal data is essential both to mitigate legal risk and to foster a trusting, respectful and safe work environment. In Queensland, employers are required to manage their employees’ personal and health information in line with the Australian Privacy Principles (APPs), which underpin the Privacy Act 1988. The thirteen principles were developed to set out best practice when handling personal or sensitive information, and to define what can and cannot be disclosed, requested and discussed.

In this article, learn the key information employers need to know and best practices for appropriately managing employees’ health and other personal data, while meeting workplace privacy obligations.

What employee data is considered personal information?

The Privacy Act defines personal information as information in employee records that identifies, or can reasonably be used to identify, an individual. This broad category includes names, addresses, contact details, photos, bank account information, tax file numbers, ID details and more. It also includes health information, meaning any details about an individual’s physical or mental health, including medical conditions, disabilities, injuries, or even future health service needs.

It is important for employers to understand the difference between ‘use’ and ‘disclosure’ of this information:

Use refers to how personal information, especially in regard to an employee’s health, is managed within the organisation. For example, sharing an employee’s health data internally to manage sick leave entitlements.

Disclosure involves sharing personal information with external parties, thereby losing control over how it is managed from that point on. For instance, telling a team about the reason behind a team member’s sick leave, or passing on unnecessary medical details to management. Employers must take care to disclose personal information only when it is absolutely necessary, and to obtain the employee’s consent before doing so.

When would an employer need to request an employee’s personal information?

There are several scenarios where an employer may need to collect personal information from their employees. For example, an employer may request a doctor’s certificate to verify an employee’s illness or injury if they’re taking sick leave or require other accommodations, but it’s crucial to understand the limitations on the information that can be requested.

In this scenario, a doctor’s certificate should contain only the details necessary for managing the employee’s leave or accommodations, and employers should avoid asking for additional or irrelevant medical information. For example, requesting the severity or specific details of the employee’s condition, unless it directly affects their ability to work or requires special accommodations, is not appropriate.

If additional medical information is needed beyond a doctor’s certificate, employers should consider the following:

  • Requesting only relevant details: Only ask for information that directly relates to the employee’s capacity to work or any adjustments needed.
  • Obtaining employee consent: Ensure the employee is fully aware of and agrees to the request for further medical details.
  • Respecting employee privacy: Ensure the medical information is shared only with those within the organisation who need it to facilitate necessary accommodations or comply with health and safety requirements.

By taking this approach, employers protect the employee’s privacy while ensuring they can make informed decisions regarding their work and accommodations.

Seeking employee consent: A critical step

If you find yourself in a situation where there is a reasonable need to collect, use or disclose an employee’s personal or health information, you must notify the employee and obtain their explicit consent beforehand. Notifying employees about the collection of their personal information is a critical component of this process. Seeking and obtaining consent not only ensures you’re meeting privacy law requirements but also fosters trust and shows respect for employees’ privacy rights, helping to mitigate potential legal risks in the future.

According to the Privacy Act Review report, the following objectives should be met to build, strengthen and maintain employee privacy protections:

Transparency: Employers must clearly explain how employee data will be used and how it will be protected.

Reasonable necessity: Information should only be collected, used, or disclosed when it is necessary for managing the employment relationship.

Data protection: Employers must ensure that personal data is securely stored and destroyed when no longer needed.

Breach notification: In the event of a data breach that could cause harm to an employee, employers are legally required to notify the Information Commissioner promptly.

Best practices for employers to manage employee information and data privacy

To align with the Australian Privacy Principles, employers should adopt the following best practices for handling personal and health information:

Limit data collection and disclosure: Collect, use, and disclose personal and health information only when it is necessary for managing the employment relationship.

Maintain transparency: Ensure employees are fully informed about how their information will be used and obtain their consent before sharing sensitive data, particularly medical information.

Implement data protection protocols: Implement robust measures to secure digital and physical data storage and regularly audit data protection practices to ensure they remain effective.

Undertake regular privacy policy reviews: Regularly review and update privacy policies to reflect any changes in legislation, industry standards, and organisational practices.

Report breaches as soon as possible: Promptly report any data breaches that could result in harm to employees to the Information Commissioner.

Managing employee personal and health information is a serious responsibility for employers in Queensland. Key considerations include understanding legal obligations and ethical guidelines, notifying employees about data collection practices, and ensuring compliance with privacy laws. By adhering to the Australian Privacy Principles and adopting best practices such as seeking consent, safeguarding data, maintaining transparent policies, and only requesting necessary information, employers can ensure they’re operating in line with privacy laws, build trust within their workforce, and minimise the risk of legal challenges.

How can Business Chamber Queensland help?

If you have questions or concerns about when it is appropriate to obtain or disclose employees’ personal information, Business Chamber Queensland’s Workplace Advisory team can help.

Business Chamber Queensland members with HR services as part of their membership can reach out at any time on 1300 731 988. For all other Queensland businesses, the team also offer cost-effective consulting services to help you navigate HR or workplace challenges, and to help you put the policies in place your workforce needs to thrive. Get in touch with us today to find out more.

By Maria Bouliopoulos
Workplace Relations Advisor

Access workplace advisory support

Business Chamber Queensland offers a broad range of information, training and resources to help you navigate the complex and ever-evolving world of workplace regulations, HR and people management.

We’re here to help you make informed decisions so you can be confident your business is meeting requirements and building a productive and thriving team.

With a Business Evolve or Business Essentials membership, you can access dedicated HR services through our Workplace Advisory team.