Retailer H&M has been fined A$57 million (€35 million) for illegally compiling detailed records on its employees in Germany. The company had a range of practices that saw it develop records containing extensive details about the private lives of employees.
This post will look at how this conduct would be regulated in Australia.
The practices H&M engaged in included ‘welcome back’ talks, in which managers held detailed discussions with employees after they returned from vacation or sick leave. The welcome back talk elicited a high level of detail about vacation experiences and itineraries, and about illness symptoms and diagnoses.
The records that H&M compiled also detailed knowledge of employees’ private lives, including religious beliefs and family issues.
These records were available to a large number of managers, who used the information in decision making about the individual employees. These practices came to light in October 2019 when a misconfigured system resulted in the records being accessible company-wide.
To its credit, H&M was proactive in responding to the breach, rapidly implementing company-wide reforms concerning the processing of its employees’ personal data. In addition, the company apologised and proposed a significant compensation package. The Hamburg Data Protection Commissioner observed that this was ‘an unprecedented acknowledgement of corporate responsibility following a data protection incident.’ Nonetheless, it still issued the second highest fine issued under the GDPR to date.
Employee records in Australia
Under the Commonwealth Privacy Act, which regulates the collection of personal information for most private businesses, there is an exemption for employee records. This means that businesses otherwise subject to the Australian Privacy Principles (APPs) are not required to comply with those rules when handling information that is directly related to the employment of their employees.
The exemption
For the exemption to apply, the handling of personal information must relate to:
- a current/former employment relationship between the business and the individual; or
- an employee record held by the business relating to the individual.
So there are two important points to note.
First, generally, if you are proposing to collect or hold information about an employee, it needs to relate to the employment relationship. The Privacy Act defines relevant information to include:
- engagement, training, termination/resignation details,
- terms and conditions of employment of the employee including hours, leave and remuneration,
- personal and emergency contact details,
- union or professional body membership,
- performance, conduct or discipline matters, and
- tax, bank or superannuation details.
This means that if you are an employer, you should avoid collecting information about an employee’s:
- personal life like who they’re friends with,
- where they went on holidays,
- information about their children or other relatives, or
- health information (unless it impacts their capacity to do their job).
Accordingly, the behaviour engaged in by H&M would fall outside the employee record exemption, and so H&M would have needed to comply with the APPs had it been in Australia.
In other words, if your business does want to hold this kind of information, you will need to do so in accordance with the APPs. This means you need to comply with the general rules regulating the collection, use and disclosure of, and access to, personal information. In most situations you will need free and informed consent, and you will need to allow your employees to access or correct the information.
Moreover, it is important to keep in mind that the employee record exemption only applies once the information is included in the record in question. Up to that point, the collection of the information is governed by the APPs. This means you will need to use lawful and fair means to collect the information, and be transparent in your handling of it.
Similarly, this exemption doesn’t cover job applicants. If someone applies to work for you and doesn’t end up getting a job, you need to comply with the APPs if you want to keep their information.
Second, any use or disclosure of information in an employee record needs to be directly related to the person’s employment. So what does that mean?
A clear example of this can be seen in the case of B v Cleaning Company. In this case, the complainant had defaulted on a debt. The organisation to which she owed the money approached her former employer, who disclosed personal information from her employment record, including her address and financial details. Unsurprisingly, the Privacy Commissioner found that this disclosure was not directly related to the employment relationship.
A slightly less obvious example is C v Commonwealth Agency. In this case, a husband and wife both worked for the same company. In the course of a workplace compensation claim, the wife submitted that she could not afford certain medical expenses. To rebut this claim, the company gave its lawyers information concerning the husband’s salary. The Privacy Commissioner found that this disclosure was not directly related to the employment relationship between the husband and the company. (Note that the disclosure was ultimately lawful because it was made for the purpose of seeking legal advice.)
Lastly, making a disclosure that is not directly related to the employment relationship can be expensive. Earlier this year, in ‘QF’ & Others and Spotless Group Limited, the Privacy Commissioner awarded $60 000 in compensation where a company disclosed information in employee records to a union without the consent of the employees.