HR’s growing role in protecting employee privacy

While privacy and information protection might traditionally be seen as the domain of IT teams, two senior lawyers from Holding Redlich emphasise that it has become a crucial responsibility for HR professionals as well.

As Australian privacy laws evolve and the imperative to safeguard personal information grows stronger, the responsibility for legal compliance and data protection has extended beyond the IT department.

HR professionals now find themselves at the forefront of these vital issues, with their role extending well beyond recruitment and employee relations.

Speaking with HR Leader, special counsel Emily Booth, and partner Charles Power from Holding Redlich, discussed the expanding role of HR teams in safeguarding personal information, ensuring compliance with privacy laws, and navigating the challenges that come with these evolving responsibilities.

What is HR’s role?

Emily Booth explained how HR professionals now serve as “custodians” of their organisation’s wide range of “personal and sensitive information”.

While employee records in the private sector are currently exempt from many provisions of the Privacy Act, Booth cautioned that this exemption is “relatively narrow and does not apply to job applicants and contractors”.

“As well as this, there are other legal obligations companies owe to employees to protect their personal information, such as under the Fair Work Act and surveillance devices legislation,” she said.

In light of this complex legal landscape, Booth emphasised that HR teams must have a clear and comprehensive understanding of the data they collect and the purposes for which it is gathered.

“Being the custodian of that data, HR teams need to be aware of what is being collected, for what purposes, what notifications are given to individuals on collection, and how that information is used, stored, disclosed and kept secure,” she said.

“When new projects are proposed that involve the collection, use or disclosure of personal information ‘held’ by the HR team, they should engage with the privacy officer to organise an initial privacy threshold assessment, and then a full privacy impact assessment if risks are identified initially.”

Navigating privacy challenges

However, compliance is not without its challenges. Charles Power acknowledged the difficult balancing act HR professionals face between protecting employee privacy and meeting business needs.

“Human resource professionals are often required to balance and even mediate conflicts between business interests and employee privacy in the workplace,” he said.

“This task is not made easy by the fact that the laws protecting workplace privacy in Australia are piecemeal, uncertain, and, in many cases, largely untested. Meanwhile, the technology that enables workplace surveillance is becoming more sophisticated and widespread.”

To address these challenges, Power recommends that organisations establish “clear systems and processes” to ensure workplace privacy is maintained in a manner that is “justified, proportionate, and transparent”.

“This would include conducting mandatory risk assessments and consulting with affected employees,” he said.

Power also cautioned that surveillance and data collection should only occur under clearly defined policies and in situations where such measures are demonstrably justified.

“Workplace surveillance should only be undertaken in accordance with a policy that is promulgated to employees. Covert or intrusive surveillance methods should only be deployed in justifiable circumstances, with independent oversight,” he said.

“Organisations should, therefore, refrain from collecting or using employees’ biometric data unless there is a legitimate purpose that cannot be achieved through less intrusive means.”

What questions HR teams need to ask

As privacy risks grow in tandem with digital capabilities, both Booth and Power stressed the importance of proactive self-auditing within HR teams.

Booth stressed that one of the most critical questions HR teams should ask themselves is: “Why do I have this data, and is it necessary for the purposes that have been notified to the individual?”

According to Booth, “this is what requires most input from business functions themselves, as they will be best placed to answer”.

Power encouraged HR professionals to critically assess their existing data holdings to determine whether any information can be safely destroyed or anonymised.

“The HR team should also review the existing data they hold to determine if it can be securely destroyed or de-identified. Holding on to this data for longer than legally required or beyond its original purpose can expose organisations to significant risk,” he said.

Preparing for the future

Looking ahead to FY2025–26, Power encourages HR teams to prepare for a likely shift towards more robust workplace privacy protections.

“Organisations can start preparing for the expected [modernisation] of workplace privacy protections. A useful guide can be found in the recent recommendations of the Victorian government’s Economy and Infrastructure Committee, which conducted an inquiry into workplace surveillance,” he said.

“HR professionals should also keep an eye more broadly on upcoming changes in privacy laws to see how these changes may impact their role as custodian of an important category of personal information.”