Employee Data Privacy A Regional Overview

Transcription

1 Employee Data Privacy A Regional Overview

2 Introduction All employers collect, handle and use employee personal data. Most jurisdictions have laws regulating such collection, handling and use of employee personal data. With increasing globalization and mobility of employees and the relative ease with which data can be transferred between legal entities and across borders complying with all requirement relating to personal data has become an increasingly difficult exercise. This publication attempts to ease such burden. This publication covers 16 different jurisdictions in Asia. For each of the jurisdictions covered we asked the following questions: A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee s personal data in your jurisdiction? B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee s personal data? C. For how long must an employer retain an employee s personal data? What is best practice? D. What are the legal restrictions on transferring employees personal data outside your country? E. What are the legal restrictions on transferring employees personal data to a third party? F. What are the consequences of breaching privacy laws in your jurisdiction? G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee s personal data?

3 We have set out the answers to each of these questions in two different formats. Section 1 contains an Executive Summary of each jurisdiction responses. This is intended to be a short - at a glance - overview of the position. Section 2 contains the more substantive answers to the questions. We do hope that you find this publication useful. It has been made possible with the input from lawyers in leading law firms in each jurisdictions. Should you wish to contact the lawyers in any of the jurisdictions, their contact details are set out at the last Section of this publication. Phillipa Muir Partner Simpson Grierson

4 Asia Asia Section 1 Executive Summary 1 Section 2 The Expanded Answer to the Questions by Jurisdiction Australia 33 Hong Kong 47 India 55 Indonesia 59 Japan 63 Mainland China 67 Malaysia 69 New Zealand 73 Pakistan 81 Philippines 83 Singapore 91 South Korea 97 Sri Lanka 99 Taiwan 101 Thailand 111 Vietnam 117

5 Executive Summary AUSTRALIA A. Is there a law regulating employee personal data? A range of State and federal legislation regulates the handling of personal data. The principal piece of legislation for incorporated entities can be applied to employee data; however, it is substantially limited in such respect. B. Do I need to have a privacy statement or agreement? There is no legal requirement for such a statement or agreement; however, it is prudent to have a privacy code, policy or procedure in place. C. How long must I retain employee data? What is best practice? Various state and federal legislations require certain employee records (which could include personal data) to be retained for specified periods. Specific legislation requires that certain employee records be kept for at least 7 years D. Can I transfer employee data overseas? Yes, subject to certain requirements. E. Can I transfer employee data to a third party? Yes, subject to certain requirements. F. What are the consequences of breach? A determination may be made by the Privacy Commissioner, including a declaration that a reasonable act should be performed to redress any loss or damage suffered by a complainant, or that a complainant is entitled to a specified amount of compensation for any loss or damage suffered (including injury to feelings or humiliation). Determinations may be enforced by proceedings commenced in the Federal Court or Federal Magistrates Court. The Court may make such orders as it thinks fit. 1

6 AUSTRALIA G. What are the main pitfalls? Pitfalls include: Assuming privacy regulation is the same across all jurisdictions. Failure to ensure that any records held containing the personal information of employees are only dealt with in a manner that directly relates to the employment relationship; that is, any employee records should only be collected, used and disclosed for the purpose of the employment relationship. Collection of unnecessary personal information and consequent exposure to legal risk. Failure to develop, implement and enforce comprehensive policies and procedures around the handling of personal information. Contributed by Corrs Chambers Westgarth 2 Employee Data Privacy in Asia

7 Executive Summary HONG KONG A. Is there a law regulating employee personal data? Yes. The Personal Data (Privacy) Ordinance. B. Do I need to have a privacy statement or agreement? No particular form of document is needed. Certain information required to be provided by legislation is typically provided in a Personal Information Collection Statement (PICS). C. How long must I retain employee data? What is best practice? The Employment Ordinance requires certain employee data be retained for at least 12 months. Best practice suggestion: 2 years for recruitment data and 7 years for employment data unless employer has a legitimate reason for retaining data longer (e.g. litigation). D. Can I transfer employee data overseas? Yes, subject to certain requirements. E. Can I transfer employee data to a third party? Yes, subject to certain requirements. F. What are the consequences of breach? Investigation by Commissioner. Commissioner may issue Enforcement notice. Criminal liability if failure to comply with an enforcement notice; on conviction, a fine at level 5 (currently HK$50,000), imprisonment for 2 years and, if continuing offence, a daily penalty of HK$10,000. Civil liability: data subject may claim compensation 3

8 HONG KONG G. What are the main pitfalls? Employers should issue PICS and ensure purpose of use of data specified in PICS covers employer s requirements. Employees can access and obtain their personal data by downloading a Data Access Request (DAR). An employer must provide all personal data of the employee in response to a DAR unless exception applies e.g. employees using DAR to fish for claims against employer. Contributed by Mayer Brown JSM 4 Employee Data Privacy in Asia

9 Executive Summary INDIA A. Is there a law regulating employee personal data? There is no specific law on the subject. However, action may be initiated for claim under the Information Technology Act, 2000, tort or for breach of fundamental right of life and liberty (including right to privacy) as guaranteed by the Constitution of India. B. Do I need to have a privacy statement or agreement? There is no legal requirement. However, it is advisable to have a privacy statement/agreement. C. How long must I retain employee data? What is best practice? Employees personal data may be retained for 3 years, and financial data for 8 years. D. Can I transfer employee data overseas? There is no law restricting transfer of employees personal data. However, the courts may impose reasonable restrictions if it considers the information to be of a sensitive nature. E. Can I transfer employee data to a third party? There is no law restricting transfer of employees personal data. However, the courts may impose reasonable restrictions if it considers the information to be of a sensitive nature. F. What are the consequences of breach? There is no specific law pertaining to transfer of employees personal data. However, action may be initiated by employee under tort or for breach of right to privacy or, in certain cases, under The Information Technology Act,

10 INDIA G. What are the main pitfalls? Though there is no specific law relating to data protection in India, there is some protection available under the Constitution of India Article 21 Right to Life and Liberty. The courts in India have interpreted Right to Privacy as part of the broad spectrum of Right to Life. Further, the Information Technology Act, 2000 extends protection to data in electronic form which is sensitive in nature (as may be notified by the Central Government). Further, the courts may impose restrictions on transfer of data in case it considers the data to be sensitive enough to cause irreparable harm to the employee if the data were so transferred. Therefore, it is advisable to seek the consent of the employee prior to any intended transfer of his/her personal data. Contributed by Trilegal 6 Employee Data Privacy in Asia

11 Executive Summary INDONESIA A. Is there a law regulating employee personal data? There is no specific law regulating employee personal data. Human Rights law provides right to privacy. B. Do I need to have a privacy statement or agreement? Yes, it is recommended to include statement in Company Regulation (work rules) clarifying employer s right to use personal data, albeit there is no legal requirement to do so. C. How long must I retain employee data? What is best practice? At discretion of Board of Directors. Best Practice: at least two (2) years after termination of employment. D. Can I transfer employee data overseas? There is no specific restriction but it is prudent to include such right in personal statement in Company Regulation. E. Can I transfer employee data to a third party? There is no specific restriction but it is prudent to include such right in personal statement in Company Regulation. F. What are the consequences of breach? In theory, causes of action may include civil tort, civil or criminal defamation, or criminal unpleasant act. G. What are the main pitfalls? Personal data should be handled responsibly to avoid employee suffering embarrassment or other damages. Contributed by Soewito Suhardiman Eddymurthy Kardono 7

12 8 Employee Data Privacy in Asia

13 Executive Summary JAPAN A. Is there a law regulating employee personal data? Yes. There is the Personal Information Protection Act ( PIPA ) and various governmental guidelines. B. Do I need to have a privacy statement or agreement? Generally no. However, it is advisable to establish a privacy policy as this is the most convenient way to satisfy an employer s obligation upon receiving personal data, i.e. inform the employee of (or publicly announce) the purpose for use of such personal data. C. How long must I retain employee data? What is best practice? Certain important documents must be retained for 3 years. D. Can I transfer employee data overseas? Yes, so long as the transfer occurs within the same legal entity, no restrictions exist in transferring personal data overseas. However, transfer to a third party (including an overseas parent or related company) requires the prior consent of the employee. E. Can I transfer employee data to a third party? The prior consent of the employee is needed to transfer the employee s personal data to a third party. 9

14 JAPAN F. What are the consequences of breach? The government may issue a recommendation and/or order to rectify the breach. Failure to comply with the order may lead to imprisonment of up to 6 months or a fine of up to JPY 300,000. If a breach of the PIPA causes any damage, a person responsible for such breach may be liable for the damages as a result thereof. G. What are the main pitfalls? Special regulations exist for health-related information and other sensitive information. When conducting background check separately, it is advisable to obtain the job applicant s consent for the acquisition of personal data from a third-party service provider. Contributed by Anderson Mori & Tomotsune 10 Employee Data Privacy in Asia

15 Executive Summary MAINLAND CHINA A. Is there a law regulating employee personal data? Yes. Employment Services and Management Regulations. B. Do I need to have a privacy statement or agreement? There is no legal requirement. However, ideally an employer should have a written agreement with its employee regulating the collection, use and handling of personal data. C. How long must I retain employee data? What is best practice? The law is unclear. We suggest 2 years as best practice D. Can I transfer employee data overseas? Yes, but if the transfer involves publicizing the employee s personal data, then written consent from the employee is required. E. Can I transfer employee data to a third party? Yes, but if the transfer involves publicizing the employee s personal data, then written consent from the employee is required. F. What are the consequences of breach? The consequences are unclear as there are no clear provisions setting out the consequences of breach. G. What are the main pitfalls? An employer is obliged to keep confidential the employee s personal data, and has to obtain the employee s written consent if it will publicize any such personal data. Contributed by JSM Shanghai Representative Office 11

16 12 Employee Data Privacy in Asia

17 Executive Summary MALAYSIA A. Is there a law regulating employee personal data? The Employment Act The Personal Data Protection Bill 2009 has been passed but not yet gazetted to commence. B. Do I need to have a privacy statement or agreement? No. C. How long must I retain employee data? What is best practice? 6 Years. D. Can I transfer employee data overseas? Yes. E. Can I transfer employee data to a third party? Yes. F. What are the consequences of breach? None. G. What are the main pitfalls? Ensuring up-to-date information on personnel. Be aware of the gazetting of the Personal Data Protection Bill 2009 to commence. Contributed by Shearn Delamore 13

18 14 Employee Data Privacy in Asia

19 Executive Summary NEW ZEALAND A. Is there a law regulating employee personal data? Yes, the Privacy Act B. Do I need to have a privacy statement or agreement? This is not required by the Privacy Act but is recommended as a matter of best practice. C. How long must I retain employee data? What is best practice? The Privacy Act does not require information to be held for any fixed period. The emphasis in the Act is on not holding information for longer than is necessary. However, there are various other statutes governing the minimum periods for which certain information must be held (for example, tax records must be held for 7 years, and wage records must be held for 6 years). D. Can I transfer employee data overseas? The Privacy Act does not contain specific restrictions on the transfer of personal information overseas. Individuals must be made aware of all intended recipients of their personal information at the time it is collected. If such notice is not provided, then the consent of employees must generally be obtained before transferring information to any other jurisdiction. E. Can I transfer employee data to a third party? The Privacy Act does not contain specific restrictions on the transfer of personal information to third parties. Individuals must be made aware of all intended recipients of their personal information at the time it is collected. If such notice is not provided, then the consent of employees must generally be obtained before transferring information to any other entity/third party. 15

20 New Zealand F. What are the consequences of breach? (1) Investigation by Privacy Commissioner (who can issue non-binding recommendations). (2) Human Rights Review Tribunal (potential remedies include damages up to NZ$200,000, although damage awards greater than NZ$10,000 are rare). (3) Administrative Penalties (may be liable on summary conviction for a fine not exceeding NZ$2,000). G. What are the main pitfalls? Common pitfalls include: The failure to properly notify an individual about the collection of personal information (in accordance with IPP 3). The use of personal information for a purpose other than that for which it was obtained (prohibited by IPP 10). Improper disclosure of personal information (prohibited by IPP 11). Contributed by Simpson Grierson 16

21 Executive Summary PAKISTAN A. Is there a law regulating employee personal data? Presently there is no statutory law, regulation or code which deals with collection, use and/or handling of an employee s personal data in Pakistan. However, normally all employers require personal data of their employees for security and crossreference reasons. Moreover, the employee s name, Computer National Identification Card and address is also used for filing of annual returns. The general principles of Law of Torts will apply but they do not require any strict compliance and lack of malice on the part of employer in collecting, storing and disclosing personal data of an employee will be sufficient defence against any potential action against the employer. Such an action, though a possibility, is seldom used. B. Do I need to have a privacy statement or agreement? There is no legal requirement to have a document to deal with the employee s personal data. C. How long must I retain employee data? What is best practice? There is no legal requirement for withholding of employee s personal data. The employers generally hold the employee s data for couple of years as a cross-reference and for their own personal record. D. Can I transfer employee data overseas? There are no legal restrictions on transferring employee s personal data outside Pakistan. 17

22 PAKISTAN E. Can I transfer employee data to a third party? As stated earlier, presently there is no statutory law which controls and regulates the collection and use of handling employee s personal data in Pakistan; therefore, there are no legal restrictions on transferring employee s personal data to a third party. However there is one exception and that is if employee and employer have entered into a confidentiality agreement, then both the parties would be governed by the terms of the confidentiality agreement. F. What are the consequences of breach? There are no privacy laws in Pakistan, therefore the occasion of their breach cannot arise; however, if privacy agreements are breached, then suit (civil action) for damages can be filed under the Law of Contracts. G. What are the main pitfalls? Presently, absence of laws regarding employee s personal data is the main drawback in Pakistan. However, if the personal data disclosed to a third party proves to be incorrect, the suit for damages under the Law of Torts can be filed demanding damages. This is a case of rare occurrence but still a possibility. Note: The above information is in reference to jurisdiction in Pakistan. Contributed by Meer & Hasan 18 Employee Data Privacy in Asia

23 Executive Summary PHILIPPINES A. Is there a law regulating employee personal data? Yes. However, these are general laws that regulate the use of personal data (including employee data) for the protection of the individual s constitutionally protected right to privacy and not a specific law that regulates the collection, use and/or handling of employee personal data per se. B. Do I need to have a privacy statement or agreement? None of the data privacy protection laws specifically require that a written privacy statement or agreement be in place before an employer may use employee personal data. The transfer of employee personal data to a third party is, however, subject to restrictions. (See Response to Question E.) C. How long must I retain employee data? What is best practice? There is no fixed period within which an employer is required to retain employee personal data. D. Can I transfer employee data overseas? Yes, as long as there is consent or a legitimate purpose for the transfer. E. Can I transfer employee data to a third party? Yes, as long as there is consent or a legitimate purpose for the transfer and as long as there is a written contract between the data processor (third party) and data controller (employer). F. What are the consequences of breach? The party divulging the information may be liable for the payment of damages. With respect to certain information, the party divulging such information may also open himself to a possible criminal liability. 19

24 PHILIPPINES G. What are the main pitfalls? There is no specific law that deals with the management of an employee s personal data. Contributed by SyCip Salazar Hernandez & Gatmaitan 20 Employee Data Privacy in Asia

25 Executive Summary SINGAPORE A. Is there a law regulating employee personal data? There is no single overarching legislation on employee data privacy in Singapore. However, the Computer Misuse Act ( CMA ) prohibits the unauthorised access to data and/or unauthorised interception of computer communications. The Model Data Protection Code for the private sector, which is not mandatory, has 10 principles that organisations should follow when collecting, processing and storing personal data. B. Do I need to have a privacy statement or agreement? An agreement with the person whose information is being collected is required for compliance with the CMA. No agreement is required for collection of employee data under other statutes. However, having one in place is nevertheless recommended. C. How long must I retain employee data? What is best practice? The time period for which employee data shall be retained depends on the individual statutes and generally varies from five to seven years. Where the retention period is not provided, the best practice is to retain the information for 7 years. D. Can I transfer employee data overseas? There are no restrictions on transferring employee data overseas. However, please note that the Banking Act restricts the transfer of customer information to third parties and such disclosure is permitted only under the specific circumstances prescribed therein. 21

26 SINGAPORE E. Can I transfer employee data to a third party? There are no restrictions on transferring employee data to third parties. However, please note that the Banking Act restricts the transfer of customer information to third parties and such disclosure is permitted only under the specific circumstances prescribed therein. F. What are the consequences of breach? Violation of the CMA provisions can lead to a maximum fine of S$5,000 or imprisonment for no more than 2 years or both for the first offence and a maximum fine of S$10,000 or imprisonment for no more than 3 years or both for subsequent offences. G. What are the main pitfalls? There is no single overarching legislation, although several legislations regulate this area. Contributed by Rajah & Tann 22 Employee Data Privacy in Asia

27 Executive Summary SOUTH KOREA A. Is there a law regulating employee personal data? No. B. Do I need to have a privacy statement or agreement? Advisable. C. How long must I retain employee data? What is best practice? 3 years. D. Can I transfer employee data overseas? Advisable to obtain employee consent. E. Can I transfer employee data to a third party? Advisable to obtain employee consent. F. What are the consequences of breach? Depending on the characterization of the breach, consequences may include civil and/or criminal liability. G. What are the main pitfalls? Depending on the circumstances, the Protection of Credit Information Act containing criminal punishment may apply. Contributed by Kim & Chang 23

28 24 Employee Data Privacy in Asia

29 Executive Summary SRI LANKA A. Is there a law regulating employee personal data? No. B. Do I need to have a privacy statement or agreement? No. C. How long must I retain employee data? What is best practice? Depends on the category of employee. D. Can I transfer employee data overseas? Yes. E. Can I transfer employee data to a third party? Yes. F. What are the consequences of breach? Not applicable. G. What are the main pitfalls? No statutory provision. Contributed by John Wilson Partners 25

30 26 Employee Data Privacy in Asia

31 Executive Summary TAIWAN A. Is there a law regulating employee personal data? Yes, the CPDPA, which will be substituted by the PDPA passed on April 27, 2010 with the effective date to be published by the Executive Yuan, the Republic of China. B. Do I need to have a privacy statement or agreement? CPDPA No, but the CPDPA requires an employer to prepare a book with certain information listed for employee s inspection or review. PDPA No, but the PDPA requires that: 1) a private sector employer makes the collected personal data of an employee available to such employee for inspection and review or provides a duplicate of such personal data upon such employee s request subject to certain exceptions, such as national security concerns, etc.; and 2) a notification with certain information shall be presented to the employee when the employee s personal data is collected, used, or handled. C. How long must I retain employee data? What is best practice? CPDPA Under the CPDPA, an employer shall comply with the length of retention approved by the competent authority. PDPA Under the PDPA, in general, an employer may retain an employee s personal data where a specific purpose exists or prior to the expiration of the retention period. D. Can I transfer employee data overseas? CPDPA Yes, if international transfer of personal data is registered with and approved by the competent authority under the CPDPA. 27

32 TAIWAN CPDPA & PDPA Under both the CPDPA and PDPA, in certain circumstances, the central competent authority may nevertheless restrict lawful international transfers. E. Can I transfer employee data to a third party? CPDPA Yes, under the CPDPA, subject to certain exceptions, the transfer shall be limited to the scope of the specific purposes. PDPA Under the PDPA, in general, sensitive data may not be transferred, while non-sensitive data shall be limited to the scope of the specific purposes for collecting such data. F. What are the consequences of breach? CPDPA & PDPA An employer in violation of either the CPDPA or PDPA may be subject to civil, criminal and/or administrative liabilities. PDPA The PDPA increases the civil, criminal and administrative liabilities to provide more protection for individual s right of privacy. G. What are the main pitfalls? An employer should pay close attention to the effective date of the PDPA as well as the upcoming passages of or amendments to the enforcement rules and supplemental laws and regulations in relation to the PDPA. Contributed by Lee, Tsai & Partners 28 Employee Data Privacy in Asia

33 Executive Summary THAILAND A. Is there a law regulating employee personal data? Currently, there is no law that regulates employees personal data although the Personal Data Protection Bill (the Bill ) has long been expected to be put in place. B. Do I need to have a privacy statement or agreement? Not currently, but if the Bill comes into force, an employer will need consent from its employee to handle the employee s personal data. C. How long must I retain employee data? What is best practice? Under the Thai Labour Protection Act, an employer must keep an employee s register for not less than two years after termination of employment. If the Bill becomes law, the employee s personal data processed for any purpose may not be kept longer than necessary for such purpose. D. Can I transfer employee data overseas? Currently, there is no law that prohibits transfer of an employee s personal data overseas, but if the Bill comes into effect, written consent from the employee will be required. E. Can I transfer employee data to a third party? Currently, there is no law that prevents an employer from transferring its employee s personal data to a third party, but if the Bill takes effect, written consent from the employee will be needed. F. What are the consequences of breach? If an employer s use or disclosure of personal data causes damage to an employee, the employer may be subject to civil and/or criminal punishment. If the Bill becomes law, any breach may be subject to administrative and/or criminal penalties. 29

34 THAILAND G. What are the main pitfalls? If the Bill is issued, any collection, utilization and disclosure of an employee s personal data will require such employee s express consent. The employer will also need a secured personal data collection system to prevent exploitation or disclosure of the personal data. Contributed by Mayer Brown JSM (Thailand) Limited 30 Employee Data Privacy in Asia

35 Executive Summary VIETNAM A. Is there a law regulating employee personal data? Yes. B. Do I need to have a privacy statement or agreement? Yes. C. How long must I retain employee data? What is best practice? There is no statutory requirement regarding how long employee data can be retained. In practice, the employer should agree with the employee on the time limit for retaining his/her data. It would be preferable that written consent from the employee is obtained. D. Can I transfer employee data overseas? Yes, subject to the employee s consent. E. Can I transfer employee data to a third party? Yes, subject to the employee s consent. F. What are the consequences of breach? The employee would sue the breaching party in a court of law. G. What are the main pitfalls? The breaching party, depending on the seriousness of the breach, would be subject to an administrative penalty. If the breach causes damages to the employee s health, honour, dignity or reputation, compensation must be paid. Contributed by Mayer Brown JSM (Vietnam) 31

36 32 Employee Data Privacy in Asia

37 The Expanded Answer to the Questions by Jurisdiction AUSTRALIA Australia A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee s personal data in your jurisdiction? Privacy in the employment context usually concerns the use by an employer of personal information 1 about an employee, including information about the employee s health and fitness. In Australia, legal obligations in respect of privacy of personal information are largely derived from statute. There is no constitutional protection of privacy rights similar to that which exists in other jurisdictions such as the United States. Privacy in Australia is regulated at both the federal and State level. Therefore, privacy obligations differ across the various jurisdictions, as well as between the public and private sectors. In each Australian jurisdiction, privacy of personal information may be regulated by specific privacy legislation and also by legislation in respect of health records, freedom of information and electronic surveillance. A summary of some of the key legislation that regulates privacy in Australia is set out below. Privacy Act 1988 (Cth) The Privacy Act 1988 (Cth) ( Privacy Act ) regulates the use, storage, handling, access, disclosure and security of personal information by Australian and Australian Capital Territory government agencies and Australian private sector organisations with an annual turnover greater than AUD 3 million. 1 It has been assumed for the purposes of this Australian section that the reference to personal data has the same or a similar meaning as the term personal information under the Privacy Act 1988 (Cth). Privacy issues also arise from the undertaking of workplace surveillance and monitoring. The issue of workplace surveillance and monitoring has not been covered in this report. 33

38 Australia AUSTRALIA There are some small businesses which may have an annual turnover of less than AUD 3 million whose activities are regulated by the Privacy Act. This includes health service providers or businesses that trade in personal information. The Privacy Act is intended to protect personal information about individuals who can reasonably be identified from the information. Personal information is generally defined as [i]nformation or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or an opinion. The Privacy Act establishes 12 National Privacy Principles which (together) operate to regulate the use, storage, handling, access and security of personal information by organisations in respect of which the Privacy Act applies. Organisations may discharge their obligations by creating and complying with a code of practice tailored to the organisation, and approved for use by the Privacy Commissioner. The Privacy Act expressly excludes acts done, or practices engaged in, by an employer (who is regulated by the Privacy Act) of an individual, if the act or practice is directly related to a current or former employment relationship between the employer and the individual and an employee record held by the organisation and relating to the individual. Employee records are broadly defined as a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about, amongst other things, the engagement, training, disciplining or resignation of the employee; the termination of the employment of the employee; the terms and conditions of employment of the employee; the employee s personal and emergency 34 Employee Data Privacy in Asia

39 Australia contact details; the employee s performance or conduct; the employee s hours of employment; the employee s salary or wages; the employee s membership of a professional or trade association and the employee s taxation, banking or superannuation affairs. Practically, this means an employer does not need to comply with the National Privacy Principles (for example, in relation to storage, access, use, disclosure and handling of the information) in relation to records about its employees which fall within the above definition. The existence of the employee records exemption does not mean that all activities of an employer that relate to employment are excluded. For example, a prospective employee does not have an employment relationship with the potential employer. Therefore, potential employers and/or recruitment agencies must comply with the obligations of the Privacy Act in respect of candidates for employment. Another limitation to the exemption is that it will no longer apply once an employer discloses the employee records to a third party which is not involved in the employment relationship. On 14 October 2009, the Federal Government announced that it would commence a reform of the Federal privacy laws. Part of the second stage of those reforms may include consideration of whether the employee records exemption should be removed. Fair Work Act 2009 (Cth) The Fair Work Act 2009 (Cth) regulates the employment relationship between employees and national system employers. A national system employer is broadly defined in the Fair Work Act and relevantly includes all incorporated employers and, subject to the location in which the employment is based, various other employers in Australia. 35

40 Australia AUSTRALIA Privacy rights under the Fair Work Act arise insofar as unions have certain rights to access employment records in respect of their members. In some cases a non-member record can be accessed, particularly in circumstances where the nonmember consents or Fair Work Australia makes an order granting access. It is important to note that unions that access employee records must then comply with the obligations set out in the Privacy Act in respect of those records. Further, the employee records exemption will not apply in respect of the union s management of those records. Accordingly, unions accessing employee records pursuant to their rights under the Fair Work Act will still be required to comply with the privacy obligations under the Privacy Act in respect of those records. State and Territory privacy legislation In most States and Territories, privacy regulation is limited to the public sector. Employers should be mindful of the following legislation: Victoria Information Privacy Act 2000 (Vic) and the Charter of Human Rights and Responsibilities Act 2006 (Vic); New South Wales Privacy and Personal Information Protection Act 1998 (NSW); Queensland Information Privacy Act 2009 (Qld); Western Australia Freedom of Information Act 1992 (WA); and South Australia Information Privacy Principles (IPPs) reissued by the State Government of South Australia in Employee Data Privacy in Asia

41 Australia There is also limited State legislation regulating privacy in respect of health records. In most States, access to health records retained by a public hospital or public health service is regulated by freedom of information legislation. Freedom of information legislation The Freedom of Information Act 1982 (Cth) provides that every person has a right to access documents held by federal government agencies or Ministers, other than exempt documents. Relevantly, one of the classes of exempt documents is where the disclosure of the document would involve the unreasonable disclosure of personal information of any person other than the applicant who has made the request. A number of factors will be taken into account in determining whether the disclosure would be unreasonable. Each State and Territory also has legislation dealing with freedom of information. B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee s personal data? There is no general legal requirement to have a document to deal with employees personal data. However, as indicated in our response in section A above, organisations may discharge their privacy obligations by creating and complying with a code of practice tailored to the organisation and approved for use by the Privacy Commissioner. Employers may also be assisted in their compliance with privacy obligations by implementing privacy policies and procedures, setting out the kinds of information that are protected, relevant obligations and best practice. 37

42 Australia AUSTRALIA Accordingly, as a matter of risk management and regulatory compliance, it is prudent for an organisation to develop, implement and comply with a privacy policy or code of practice. This will be particularly important in circumstances where it is not clear whether employee records are being collected, used or disclosed for the purpose of the employment relationship. For example, employers should obtain a written consent from prospective employees in relation to the collection, use and disclosure of personal and sensitive information which is obtained during the recruitment process. C. For how long must an employer retain an employee s personal data? What is best practice? Provided that the personal data falls within the employee records exemption under the Privacy Act, there are no obligations with respect to the retention of personal data under the Privacy Act. However, various Federal and State legislation requires that employers retain certain records relating to employees (which could include personal data). The Fair Work Regulations 2009 (Cth) requires that specific employee records be retained for all employees (with certain limited exceptions) for a period of seven years. For the purposes of the Fair Work Regulations, record means any record about the employee (or former employee) containing information about the nature of their employment and their entitlements (e.g. applicable industrial instruments, classification, pay rates, hours, shift work, overtime, leave, superannuation etc.), and also information about the employee s termination (if a former employee). However, the Fair Work Regulations do not require that employers keep records relating to an employee s performance. 38 Employee Data Privacy in Asia

43 Australia The Fair Work Regulations stipulate that records must be kept in a legible form in the English language and in a form that is readily accessible to a Fair Work Inspector. Importantly, the Fair Work Regulations do not stipulate that the record must be an original copy, or kept in hard-copy. The Superannuation Guarantee (Administration) Act 1992 (Cth) requires corporations to retain specific superannuation documents for a period of five years. Further, the Income Tax Assessment Act 1997 (Cth) requires that specific taxation records must be retained for five years. Obligations in relation to employee records also arise under workers compensation legislation in each of the States and Territories. For example, in NSW employers are required under the Workers Compensation Act 1987 (NSW) to retain wages records (which may include personal data). Finally, it is important to note that where litigation is anticipated or has been commenced, an employer must not destroy or dispose of any documents that may be required for the purposes of the litigation (which may include employee records). D. What are the legal restrictions on transferring employees personal data outside your jurisdiction? Transborder data flows are the subject of a specific National Privacy Principle referring to the movement of personal data across national borders. The Privacy Act originally dealt only with personal information collected and handled within Australia. However, it has since been amended to apply to acts done, or practices engaged in, by an organisation outside Australia and the external Territories. The purpose of these amendments to the Privacy Act was to prevent organisations from avoiding their privacy obligations by transferring the handling of personal information to countries with lower privacy protection standards. 39

44 Australia AUSTRALIA An organisation in Australia can only transfer personal information outside Australia if: the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the National Privacy Principles; the individual consents to the transfer; the transfer is for the benefit of the individual and it is impracticable to obtain consent, but it is likely consent would have been given; the transfer is required by a contract between the individual and the organisation, or a contract between the organisation and a third party in the interests of the individual; or the organisation has taken reasonable steps to ensure the information will not be held, used or disclosed by its recipient inconsistently with the National Privacy Principles. The Privacy Commissioner has powers to oversee complaints that arise in respect of a breach which occurs outside of Australia and which fall within the scope of the Privacy Act. E. What are the legal restrictions on transferring employees personal data to a third party? As set out in our response in section A above, the obligations set out in the Privacy Act do not apply to the collection, use, disclosure and storage of personal information contained within an employee record, provided that the act or practice directly relates to the employment relationship. Unfortunately directly related is not defined in the Privacy Act and there is presently no case law which has considered the meaning of directly related to the employment 40 Employee Data Privacy in Asia

45 Australia relationship in a privacy context. However, an act which may not directly relate to the employment relationship may include sending a list of employee details to another organisation for marketing purposes. If an employer that is an organisation covered by the Privacy Act seeks to collect, use or disclose employee records in a way not directly related to the employment relationship, it must comply with the National Privacy Principles. Relevantly, we set out the key aspects of National Privacy Principles 1 and 2 below. National Privacy Principle 1 Collection An organisation must only collect personal information that is necessary for one or more of its legitimate functions or activities (the primary purpose). An organisation must only collect personal information by lawful and fair means and not in an unreasonably intrusive way. At the time of collection (or as soon as practicable afterwards) an organisation must take reasonable steps to ensure that the individual is told: the identity of the organisation and how to contact it; that they can access the information; why the information is collected; the disclosure practices of the organisation; and any law that requires the particular information to be collected and the consequences (if any) for the individual if the information is not provided. Where practicable, an organisation should collect personal information directly from the individual. 41

46 Australia AUSTRALIA National Privacy Principle 2 Use and disclosure As a general rule, an organisation should only use or disclose personal information for the purpose for which it was collected (the primary purpose). But an organisation can use or disclose personal information about an individual for another purpose (the secondary purpose) if: the individual has consented; or the secondary purpose is related to the primary purpose and might reasonably be expected to be used or disclosed for the secondary purpose. Special additional provisions apply for direct marketing and sensitive information (including health information). Legislation in the Australian Capital Territory, New South Wales and Victoria regulates organisations which collect, hold and use health information. Such legislation contains health record privacy principles which are broadly similar to the National Privacy Principles. In certain circumstances, if the employer collects health information, the employer will be required to comply with the health records legislation in the relevant State or Territory. F. What are the consequences of breaching privacy laws in your jurisdiction? General If an organisation breaches a National Privacy Principle, the organisation will have contravened section 16A(2) of the Privacy Act and interfered with the privacy of an individual contrary to section 13A(1)(b) of the Privacy Act. Individuals must make any complaints regarding an interference with privacy to the relevant organisation. If the complaint is not resolved it can be referred to the Office 42 Employee Data Privacy in Asia

47 Australia of the Privacy Commissioner for conciliation, and if this is not successful, for formal determination (enforceable by the Federal Court of Australia). Privacy Commissioner functions (a) Powers without complaint Under section 27(1)(ab) of the Privacy Act, the Privacy Commissioner has the power to investigate an act or practice of an organisation that may be an interference with the privacy of an individual because of section 13A and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation. Where the Commissioner has investigated an act or practice (without a complaint having been made under section 36 of the Privacy Act), the Commissioner must report to the Minister about the act or practice, if the Commissioner thinks the act or practice is an interference with the privacy of an individual. The Minister must table the report before each house of the Federal Parliament. In this way, the report acts to name and shame contraveners of Privacy Act obligations. (b) Powers following complaint Pursuant to section 40 of the Privacy Act, the Commissioner must investigate an act or practice if: the act or practice may be an interference with the privacy of an individual; and a complaint about the act or practice has been made under section 36 of the Privacy Act. Pursuant to section 44 of the Privacy Act, if the Commissioner has reason to believe that a person has information or a document relevant to an investigation, the Commissioner may give to the person a written 43

48 Australia AUSTRALIA notice requiring the person to give the information to the Commissioner and/or to produce the document to the Commissioner. The Commissioner is also empowered to examine witnesses and direct persons to attend compulsory conferences for the purpose of the investigation. After investigating a complaint, the Commissioner may, under section 52 of the Privacy Act, find the complaint substantiated and make a determination, including a declaration that: the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant; and/or the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint. A determination by the Commissioner is not binding or conclusive between any of the parties to the determination. An organisation that is the respondent to a determination made under section 52: must not repeat or continue conduct that is covered by a declaration that determined the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; and must perform the act or course of conduct that is covered by a declaration that determined the 44 Employee Data Privacy in Asia

49 Australia respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant. The complainant or the Commissioner (if a determination was made under section 52) may commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination. If the court is satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court may make such orders (including a declaration of right) as it thinks fit. The court may, if it thinks fit, grant an interim injunction pending the determination of the proceedings. G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee s personal data? Employers should be mindful to ensure that any records held which contain the personal information of employees are only dealt with in a manner that directly relates to the employment relationship. That is, any employee records should only be collected, used and disclosed for the purpose of the employment relationship. Employers should obtain a written consent from prospective employees in relation to the collection, use and disclosure of personal and sensitive information which is obtained during the recruitment process. Employers should consider including such consents in their contracts of employment. Such consents will reduce the likelihood of an employer inadvertently breaching the Privacy Act in relation to information that does not directly relate to the employment relationship. 45