What steps can you take to protect your personal data and privacy as a business executive?

A number of State/Territory Governments have their own privacy laws which are aimed at public sector employees. For example, the Privacy & Personal Information Protection Act (1998) New South Wales or the Privacy & Data Protection Act 2014 (Victoria). It is beyond the scope of this article to comment on such legislation.

Privacy Act 1988 – Australian Privacy Principles

At the federal level, there is the Commonwealth Privacy Act 1988 (“The Act”) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. This amending legislation established 13 “Australian Privacy Principles” which attempt to deal with the collection, access and correction of personal data. Under the legislation, an Australian Information Commissioner was appointed with the power to conduct investigations and pursue civil penalty orders etc.

On the face of it, this sounds encouraging. You may think that this legislation should at least afford some protection for an executive who is required to hand over so much personal information to an employer.

Act applies to Commonwealth Govt and private sector employers (turnover above $3 million) – small business employers excluded

However, the legislation only creates privacy obligations on “Australian Privacy Principle Entities” (APPE). These are defined as covering either the Commonwealth Government employing its public sector employees or private sector employees employed by organisations with an annual turnover in excess of $3 million.

An organisation with an annual turnover of less than $3 million is defined as a “small business” (Section 6D of the Act) and automatically excluded from being an APPE, and therefore having privacy obligations.

Small business may opt in

If your employer falls within the definition of “small business”, then you are not covered by this legislation. The legislation does, however, contain a mechanism (section 6 EA) that allows a small business operator to “opt in” to the privacy system created by the legislation. This would require the employer to agree to having its details entered into a Register of Operators who have accepted such responsibilities. The reality is that most executives are unlikely to ask any prospective or existing employer to take that step.

Employers with turnover above $3 million let off the hook – access to documents denied if related to employment relationship

If your employer is a private sector organisation with a turnover above $3 million, then information directly related to the employment relationship is excluded from the Act. So, a private sector employer that falls into that category does not – under this exemption – have to observe any obligations of confidentiality or grant you access to your own records.

The exemption therefore covers both current and former employment relationships, although not future prospective relationships. Information collected on a candidate for a position who is unsuccessful and therefore not subsequently employed does not fall within the exemption. However, once an employment relationship is formed, then the pre-employment documents become exempt.

Broad definition of employee records

Section 6 of the legislation defines “employee record” as meaning health information as well as records of personal information relating to the employment of the employee. The definition contains “examples” of what that personal information could be.

In includes the engagement, training, disciplining, resignation, termination, performance, conduct or use of personal leave entitlements. This definition is not intended to be exhaustive.

Whether a document or information therefore remains private depends on whether it can be characterised as relating directly to the employment relationship or only has an indirect connection.

This means that, for an executive in the private sector, the very documents that you would expect to be protected by the legislation are, in fact, excluded from coverage. This is indeed a bizarre outcome. This is the right of privacy you have when you don’t have the right to privacy.

Unfettered access to your information?

There is therefore no “safety net” with respect to the protection of your confidential information if you are a private sector employee.

There is nothing to prevent a private sector employer – or former employer – sharing your health or personal information with anyone within the company or indeed with anyone outside the company. This would include recruitment consultants and other prospective employers.

Current Australian legislation does not recognise any universal right of privacy and there seems little basis for arguing a civil remedy such as a tort of invasion of privacy. The truth is that any “Tom, Dick or Harry” could have access to critical information that you do not wish others to know.

How do you best protect your personal data and privacy? – negotiate for an express term in your employment contract

Like so many other aspects of an executive’s relationship with the employer, this is an issue best dealt with by way of an express term in the contract of employment.

This can take the form of the deliberate incorporation into the contract of employment of the ILO Convention entitled Protection of Workers Personal Data. This Code of Practice deals with the collection, security, storage, use, communication and right of access to personal information belonging to an employee.

A variation on that approach is an express term which does not explicitly make reference to the ILO Convention, but which effectively adopts its key principles. Such an express term should be stated as being a “fundamental term” of the contract. Breach of a fundamental term may entitle an innocent party to sue for damages.

Any such express term would need careful drafting and should be kept deliberately short and unobtrusive.

It would also be prudent, when you hand over information that is particularly sensitive such as health information, to mark the document strictly private and confidential. The document should state that it is made available in accordance with the Contract of Employment which hopefully provides for the protection of your personal data.

You should not assume that your confidential information is necessarily going to be respected by those to whom it is entrusted. Most executive Contracts of Employment will have provisions relating to the company’s confidential information and make it very clear that this obligation survives long after the employment relationship has expired. It is entirely appropriate that the contract makes provision for a reciprocal obligation upon the employer to equally respect and guard your confidential information.

When it comes to privacy and protection of confidential information, most private sector employees are on their own. Make sure your contract of employment makes some attempt to address this issue.