Resources: Blog

Employees’ access to personal information


Just one look...

Just one look... or in the case for one former job centre employee, thirty five unauthorised “looks” at an ex-lover’s job seeker profile.

Just one look... or in the case for one former job centre employee, thirty five unauthorised “looks” at an ex-lover’s job seeker profile.

It was recently reported in the media that an employee who worked for a job services provider was convicted of criminal offences for accessing restricted data without authorisation.

The employee was involved in a personal relationship with a co-worker, which ended in 2014. When the co-worker eventually left the employment in 2015, the employee repeatedly called him and his new girlfriend.

Since the break-up, the former co-worker had changed his mobile number on multiple occasions and had only divulged his number to a limited number of people and organisations. One of those organisations was a job services provider that used the Department of Employment’s restricted access “Employment Services System.” The employee also had access to the “Employment Services System” in her employment.

When charging the employee with offences, the NSW Police alleged that the employee had used the restricted Employment Services System to obtain her former co-worker’s mobile numbers. The employee illegally accessed his profile on the Employment Services System a total of thirty five times.

Naturally, the employee required access to the Employment Services System to do her job, but in this case her access was misused to obtain personal information about her ex-lover.

Wherever personal information is collected and stored, there exists a risk of rogue employees doing the wrong thing with personal information. Businesses have special responsibilities to ensure that personal information is not misused and is safely stored – this includes access and use by their own employees.

The Australian Privacy Principles (APPs) set out under the Privacy Act 1988 (Cth) provide that personal information must only be used for the purpose it was collected for and must not be used or disclosed for another purpose without consent (subject to certain exceptions). Furthermore, the businesses must keep personal information secure and protect it from misuse, unauthorised access and disclosure.

Human resources professionals often have access to and handle more personal information than other positions and should be alert to and aware of their privacy obligations. For example, what can be disclosed about an employee as part of an employment check or loan application?

To ensure compliance with privacy obligations, businesses must adopt a privacy policy that, at a minimum, outlines:

  • What is “personal information”;
  • How personal information is collected and maintained;
  • How personal information will be secured, including determining or limiting who will have access to personal information;
  • That personal information must not be misused (including used for a personal reason or financial gain);
  • That personal information must not be disclosed to unauthorised persons or for a purpose other than which that information was collected for; and
  • Consequences for breaches of the privacy policy and/or privacy laws.

Access to personal information must be strictly on a “need to know” basis. Employers should monitor and restrict access to personal information to those who require the information for their normal duties and provide training to employees about accessing other people’s personal information and their obligations.


Similar articles

What is the difference between confidential information and “know-how”?

No way, know how

During the course of the employment relationship, employees will inevitably gain knowledge or be exposed to information about the employer’s business that is considered confidential to its operations and which the employer does not want to be put out into the public domain.


Fair Work Commission finds out-of-hours drink driving offence was not a valid reason for dismissal

Off the clock

Generally, the way in which an employee conducts themselves out-of-hours does not fall within the realm of what the employer can supervise or control. However, there are times where an employee’s conduct after business hours and away from work can impact the employment relationship.


Vaccinations and the workplace

Shots fired

One of the most topical questions for employers during the COVID-19 pandemic has been whether they need to introduce policies that mandate vaccinations and, if so, what can be done to enforce them in the workplace.


Commission finds mask mandate to be a lawful and reasonable direction

Mask up

Employees have a duty to comply with lawful and reasonable directions from their employer. In the current COVID-19 context, a key concern for employers is whether it is lawful and reasonable to issue directions related to safety matters arising from the pandemic.


Lack of consultation rendered mandatory vaccination requirement unreasonable

Talk before you walk

Consultation with employees always plays an important part when introducing changes in the workplace. Under work health and safety legislation, employers have a duty to consult with their workers as far as reasonably practicable in relation to health and safety matters.


Offers of alternative employment in redundancy cases

An offer you can refuse

In most cases of redundancy, employers have an obligation to consult with affected employees about the proposed redundancy and consider whether or not anything can be done to mitigate or minimise the impact on the employee, such as redeployment or obtaining other acceptable employment for the employee.


Let's talk

please contact our directors to discuss how ouR expertise can help your business.

We're here to help

Contact Us
Let Workplace Law become your partner in Workplace Relations.

Signup to receive the latest industry updates with commentary from the Workplace Law team direct to you inbox.