
When it comes to sensitive employee data, the stakes are high. This information isn’t just the backbone of your business operations; it’s also a prime target for cyber attackers, a subject of legal scrutiny, and a focal point of regulatory compliance. Cyber threats have grown more sophisticated at the same time as data protection laws have tightened, which means that securing this data is non-negotiable.
But where do you start? How do you ensure your company is doing enough to protect this vital information? That’s exactly what this article is here to unpack.
Here, we’ll walk you through proven best practices for securely storing and managing employee information, helping you mitigate risks and maintain compliance with data storage regulations for Australian businesses.
Privacy and personal information: what does it refer to?
Before we explore the legal nuances, it’s important to first understand what privacy and personal information mean. Privacy is about protecting our personal data and having control over who can access or use it. Under the Privacy Act, personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, such as photos, email addresses, phone numbers, or tax file numbers.
Then there’s sensitive information, which goes a step further. This includes things like health records, criminal history, religious beliefs, racial or ethnic origin, sexual orientation, and biometric or genetic data that, if mishandled, could lead to significant harm, and which the Act protects more strictly.
Australian Privacy Principles and employee data: what are the legal requirements?
The Privacy Act 1988 (Cth) contains the Australian Privacy Principles (APPs), which set out the requirements for the collection, storage, use, and disclosure of personal information. They provide a framework for how businesses and organisations should handle personal data so that individuals’ privacy is respected.
The APPs apply to:
- Businesses that have an annual turnover of $3 million or more;
- All private health service providers;
- A limited range of small businesses (for example, those that trade in personal information); and
- All Australian Government agencies.
If your company falls under any of the above and is required to follow the APPs, you must have a clearly expressed and up-to-date workplace Privacy Policy. We recommend consulting employment law professionals when creating this policy.
What does the Fair Work Act 2009 say about employee data security in Australia?
The Fair Work Act 2009 (Cth) (FW Act) requires all employers to keep thorough records about each employee’s employment, and these records must be retained for at least seven years.
Personal information held by a private sector employer about a current or former employee isn’t subject to the APPs where the handling is directly related to the employment relationship and the information is an ‘employee record’ (the ‘employee records exemption’). Note that the exemption does not extend to Australian Government agencies. An employee record is defined as personal information relating to the employment of an employee, including:
- the engagement, training, disciplining or resignation of the employee;
- the termination of the employment of the employee;
- the terms and conditions of employment of the employee;
- the employee’s personal and emergency contact details;
- the employee’s performance or conduct;
- the employee’s hours of employment;
- the employee’s salary or wages;
- the employee’s membership of a professional or trade association;
- the employee’s trade union membership;
- the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; and
- the employee’s taxation, banking or superannuation affairs.
However, the exemption only covers current and former employees. The APPs do apply to personal information about unsuccessful job candidates, such as resumes, contact information, references, and academic transcripts.
Who can employers disclose personal information to?
- A Fair Work Inspector can request employee information to ensure compliance with employment obligations. Employers must provide records if a ‘notice to produce’ is issued.
- Government agencies may request employee information, and you may also need to provide it to the police or under a court order. Always verify the legal basis for such a request before disclosing anything, and disclose only what the request covers.
- A union official holding a right-of-entry permit (a ‘permit holder’) can enter your workplace to investigate a suspected breach of workplace laws, inspecting and copying documents relevant to that breach on-site or requesting access later. Records relating to non-members generally cannot be inspected without the non-member’s consent or a Fair Work Commission order.
- Employees or former employees can request access to their own employment records, and you must provide a legible copy for inspection.
What’s best-practice when it comes to cybersecurity for employee data?
Forward-thinking employers don’t just meet the minimum legal requirements; they go further. At the heart of this effort is transparency. Employees should always know what personal information is being collected, why it’s being collected, who it might be shared with, how long it will be kept, and how they can access or update it. A comprehensive workplace privacy policy is the foundation for clear communication, providing a roadmap that sets out these practices. Expert guidance, like that from our Citation HR experts, can be invaluable in drafting, implementing, and regularly reviewing such policies to keep pace with evolving privacy standards.
Equally important is establishing straightforward policies on internet use, email, social media, and company devices. These policies should set clear expectations, so that employees understand that their electronic communications on company systems may not be private, that data on those systems may be deleted in line with the retention policy, and that workplace technologies are increasingly used to monitor performance and compliance.
Lastly, training is critical for both managers and employees. Educating your team on workplace privacy policies, Privacy Act compliance, and data handling procedures builds understanding, encourages employees to keep their personal information up to date, and gives them the confidence to raise concerns. Providing additional resources makes this easier and empowers your workforce to prioritise privacy, creating a workplace that’s not only compliant but also respected for its integrity.
How can Citation HR help?
Whether you need guidance on how to store this sensitive data correctly or advice on employee data retention policies, our workplace relations experts can help. With Citation HR’s award-winning HR Software, you get not only speed and reliability but also the peace of mind that your most important employee data is protected by multiple layers of encryption, two-factor authentication, and role-based access permissions. From the 24/7 HR Advice Line and our HR Software to the hundreds of legal documents, templates and checklists, our HRIS software and services help businesses mitigate workplace risks and stay compliant with Australian employment law.
If any of this information has raised questions about sensitive employee information management or you’ve got another workplace compliance matter you need assistance with, please reach out to our experts via our 24/7 HR Advice Line.
Not a Citation HR client? To learn more about how Citation HR can help streamline your people management and take your business to the next level, reach out to our friendly team for a confidential, no-obligation chat.
About our author
Tuvini Jayakody is a Workplace Relations Advisor at Citation HR. She assists clients with a range of employment relations and compliance matters via the HR Advisory Service. She is currently studying for a Bachelor of Commerce and Laws.