Australian Privacy Principles and Employee Data
The Australian Privacy Principles apply to employee data too. Most SMEs get this wrong. Here's what you need to fix.
The Australian Privacy Principles don't just apply to customer data. They apply to your employees' personal information too. And most Australian SMEs handle employee data with far less care than they give their customers.
Think about what you hold on your staff right now. Tax file numbers. Bank details. Medical certificates. Performance reviews. Background check results. That's sensitive personal information under the Privacy Act, and the APPs set clear rules about how you collect, store, use, and eventually destroy it.
The Employee Records Exemption Doesn't Cover What You Think
There is an exemption in the Privacy Act for "employee records." But it's narrower than most business owners assume.
The exemption only applies to records that relate directly to a current or former employment relationship, and only when the information is used for purposes directly related to that relationship. The moment you use employee data for something else, the exemption falls away.
Here's where it gets real. If you share an employee's contact details with a third-party benefits provider, that's a disclosure outside the employment relationship. If your payroll runs through an overseas platform, APP 8's cross-border rules apply. If you collect health information during a workers' comp claim and store it in a general HR folder accessible to managers who don't need it, you've got an APP 11 problem.
The exemption also doesn't apply to job applicants. Every resume, cover letter, and reference check you collect during hiring is covered by the full suite of APPs. No exemption. If you're keeping rejected applicants' data in a shared drive indefinitely, that's a compliance gap right now.
Your HR Tech Stack Is an Australian Privacy Principles Blind Spot
You've probably thought about where your customer data lives. Most SMEs haven't asked the same question about employee data.
Your payroll system. Your HRIS. Your recruitment platform. Your performance review tool. Employee benefits portal. Background check provider. Many of these are SaaS products hosted outside Australia.
APP 8 requires you to take reasonable steps to ensure any overseas recipient handles personal information consistently with the APPs. That applies to your HR vendors just as much as your CRM.
If your payroll provider stores data in the US, you need a Data Processing Agreement that covers APP-equivalent protections. Same for your recruitment platform, your employee engagement surveys, and whatever tool you use for performance reviews.
Build Your HR Data Register
Build a register. List every tool that touches employee data, where it's hosted, and whether you have a DPA in place. You probably did this for customer-facing tools already. Do it for your HR stack too.
You're Probably Collecting More Employee Data Than You Need
APP 3 says you can only collect personal information that's reasonably necessary. This applies to employees, not just customers.
Look at your onboarding forms. Do you collect a staff member's emergency contact's date of birth? Their personal email when you already have their work one? Nationality when you only need work rights verification?
Every piece of data you collect is data you have to protect and report if breached. The less you hold, the smaller the blast radius when something goes wrong.
Review your onboarding paperwork the same way you'd review a website form. For each field, ask: do we actually need this to manage the employment relationship? If not, stop collecting it.
When an Employee Leaves, Their Data Doesn't Disappear
Most SMEs have no process for what happens to employee data after someone leaves. The files sit in a shared drive, the email account gets disabled but not deleted, and the payroll records stay in the system indefinitely.
The Privacy Act doesn't set a single retention period. But APP 11 says you must take reasonable steps to destroy or de-identify personal information when you no longer need it for any purpose. Some records have mandatory retention periods under tax or workplace law. Pay records must be kept for seven years. But performance reviews from 2019? Interview notes for a role you filled two years ago? There's no reason to keep those.
Employee Records: Keep vs Destroy
| Record | Mandatory retention | What to do |
|---|---|---|
| Pay records | 7 years (tax/workplace law) | Keep |
| Tax file numbers | As required by ATO | Keep |
| Performance reviews | None | Destroy when no longer needed |
| Interview notes for filled roles | None | Destroy when no longer needed |
| Rejected applicant resumes | None | Destroy when no longer needed |
| Old medical certificates | None | Destroy after the workers' comp matter is resolved |
Set a retention schedule. Know which records you must keep and for how long, then destroy everything else. Review it annually. This is one of the first things the OAIC looks at during an investigation, and it's one of the easiest to get right.
Fix Your Employee Data Before It Fixes You
Customer data breaches get the headlines. But employee data breaches happen just as often, and they hit closer to home. An accidental email with payroll details. A shared folder with medical certificates left open. A former employee's records sitting unprotected in a decommissioned system.
The penalties are the same whether the breached data belongs to customers or staff. Up to $50 million for a body corporate, and since December 2024, individuals can sue directly for serious privacy invasions. Your employees are individuals too.
Audit your HR tools for APP 8 compliance. Strip your onboarding forms back to what you actually need. Set a retention schedule and follow it. These aren't big projects. They're the kind of thing you can sort in a week if you know where to look.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.