Privacy in the spotlight

Briefing
15 April 2025

It has been an interesting 12 months in the world of privacy law, with some notable decisions and a tranche of legislative reforms.

There is no doubt that workplace privacy in particular is a growing concern in this digital age, and so it stands to reason that we can expect to see a continued focus in this space. Given this, it is important that all employers to whom the Privacy Act 1988 (Cth) (Privacy Act) applies keep abreast of developments, and review and update their systems, practices and policies for privacy compliance.

Interesting decisions

Over the last 12 months, determinations of the Australian Information Commissioner (Commissioner) have shed some useful light on considerations for privacy compliance.

For example, in ‘ATE’ and ‘ATF’ (Privacy) [1], the Commissioner gave us some insights about the circumstances in which an employer may not be held vicariously liable for privacy interferences by its employees. In that case, an executive at a telecommunications company disclosed to a journalist personal information about an incarcerated customer (including the customer’s full name and details relating to correspondence from the customer seeking reinstatement of a mobile number). The journalist subsequently published an article using that information.

The employer argued that it was not vicariously liable for the executive’s conduct because the executive’s actions in disclosing information to the journalist were not done in the performance of his employment duties – essentially, the employer suggested he had gone rogue.

The Commissioner found in favour of the employer. In reaching this position, the Commissioner:

  • considered the ordinary duties of the executive and was satisfied that they did not involve him engaging with the media;
  • formed the view that the executive had no authority to contact the media, and his conduct in doing so contravened policy of which the executive was aware, or ought to have been aware;
  • concluded that the executive’s actions in contacting the media had no discernible commercial purpose;
  • was conscious that the executive concealed his conduct from his employer for months, so appreciated his actions were wrong; and
  • was mindful that the employer would have terminated the executive for gross misconduct, had he not resigned, which suggested that the executive’s actions were not in the performance of his duties.

Another Commissioner determination, ‘ALI’ and ‘ALJ’ (Privacy) [2], has provided a timely reminder about the limits of the employee record exemption. In that case, an employer was found to have contravened the Privacy Act when it sent an email to all staff working in head office providing an update on the health of an employee. The employee in question had had a medical episode in the car park at the office earlier that day, which was witnessed by about seven employees, some of whom administered CPR to the employee. After the incident, the employee’s husband sent a text to her manager with an update. The manager conveyed the content of the husband’s message to the Managing Director, who in turn sent the email to about 110 staff. Among other things, the email referenced the employee by name, mentioned that she had experienced a medical episode in the car park, and conveyed the substance of the husband’s update.

The employer argued that the email fell within the employee record exemption contained in the Privacy Act, such that it could not have constituted an interference with the employee’s privacy. The employee record exemption applies to an act done, or practice engaged in by a current or former employer, if the act or practice is directly related to a current or former employment relationship between the employer and the individual, and an employee record held by the employer and relating to the individual.

The Commissioner found, however, that the employee record exemption did not apply because the employer’s act of sending the email did not relate directly to its employment relationship with the employee. Rather, the Commissioner considered that the email related directly to the employment relationship between the employer and the recipients of that email, because the employer sent the email to allay concerns of the recipients who were aware of the medical episode and to address its work health and safety duties to them.

Having found that the employee record exemption did not apply, the Commissioner resolved that the sending of the email constituted a contravention of the Australian Privacy Principles (APPs), including because:

  • the personal information that the employer gathered from the husband’s text was collected for inclusion in a record, including because a staff member requested that the husband provide the update and the purpose of requesting the information was to ensure the employee’s welfare and for work health and safety purposes (including incident reporting) (Primary Purpose);
  • when the employer disseminated that personal information in the email to staff, it did so for a secondary purpose (and not for the Primary Purpose), namely to address its duties to the recipient employees, and it did so without the employee’s consent; and
  • the employee did not reasonably expect, and a reasonable person would not reasonably expect, that the employer would use the employee’s personal information in the manner in which it did, including identifying her by name.

It is apparent from the determination that the Commissioner was conscious that the employer appeared to have sent the email in good faith, was genuinely concerned about the employee’s welfare and was seeking to navigate its competing duties to the employee and the remainder of its staff. While there was an appreciation that it may have been unreasonable for the employer not to have provided some kind of update, the Commissioner noted that the employer could have conveyed only relevant information to a limited number of staff, either with the employee’s consent or otherwise in a de-identified manner.

Legislative reform

In an effort to keep pace with the evolving digital landscape, the Privacy Act and Other Legislation Amendment Bill 2024 (Cth) (Bill) was passed on 29 November 2024. It implements the first tranche of reforms to (among other laws) the Privacy Act as outlined by the Commonwealth Government in response to the Privacy Act Review Report published by the Attorney General’s Department in 2023.

Notably, among other things:

  • It introduces, from 10 June 2025 (or such earlier date as is proclaimed), a statutory tort for serious invasions of privacy, and in so doing gives individuals a way to seek redress in Court against individuals or organisations (including entities to whom the Privacy Act does not apply) for certain privacy breaches. A range of remedies can be ordered, including damages. While there are some exceptions and defences, the following elements need to be proven to establish this tort:
    • there has been an invasion of the individual’s privacy (either a misuse of information or intrusion in the individual’s seclusion);
    • the individual had a reasonable expectation of privacy in the circumstances;
    • there was fault on the part of the defendant (being either an intentional or reckless invasion of privacy, and not just negligence);
    • the invasion of privacy was serious (and loss and damage, while not an element that must be proven, may be relevant to showing the seriousness); and
    • the public interest in protecting the individual’s privacy outweighs any countervailing public interest (such as freedom of expression (including artistic expression) or freedom of the media);
  • It requires that privacy policies be updated from 10 December 2026 to include specific information where an organisation uses a computer program to make a decision that could reasonably be expected to significantly affect the rights or interests of an individual where personal information of that individual is used by the computer program when making the decision;
  • It creates a criminal offence of doxxing – which involves releasing personal data using a carriage service in a manner that would be regarded as menacing or harassing;
  • It clarifies that, when taking reasonable steps to secure information, organisations must also take technical and organisational measures to protect that information from misuse, interference, loss and unauthorised access, modification or disclosure;
  • It requires the Commissioner to develop a Children’s Online Privacy Code (in respect of on-line services to be accessed by individuals who are under 18, including social media platforms) by 10 December 2026, a draft of which will be made available for public consultation before being finalised;
  • It seeks to better facilitate cross-border data transfers, by allowing for the making of regulations prescribing countries with laws or binding schemes that protect personal information in a similar way to the APPs, such that organisations bound by the Act will be able to disclose personal information to recipients in those countries without needing to firstly ensure that they will manage that information in a manner consistent with the APPs;
  • It introduces broader investigation and enforcement powers for the Commissioner, including the ability to issue compliance notices compelling organisations to address privacy breaches before any enforcement action is taken; and
  • It introduces a multi-tier civil penalty system for privacy breaches, including a civil penalty for a “serious interference with privacy”, for an “interference with privacy” and for more administrative-type breaches (such as having no or a deficient privacy policy). There is potential for hefty penalties in the millions for the first two of these.

Next steps?

Employers should act now to ensure that their privacy policies and practices align with these legislative reforms, and to make changes where they don’t. They should also consider whether there are measures they can take to improve or change practices to avoid the pitfalls outlined in the Commissioner’s determinations referred to above, such as clarifying employee duties and responsibilities relating to the use of personal information and providing training in the same, plus introducing checks and balances into practices and systems to minimise any inadvertent privacy breaches.

Finally, we note that a second tranche of reforms to the Privacy Act is expected, and these are likely to have more implications for employers, including because they are anticipated to enhance protections for employee information and to include further data protection measures. So, it is vital that employers keep privacy reforms on their radar, so as to be able to remain compliant.

Footnotes

  1. [2025] AICmr 10
  2. [2024] AICmr 131

Main Bulletin: HFW Workplace Relations Update 2025 – The Year Ahead