Since the introduction of the Notifiable Data Breaches Scheme (NDBS) provisions into the Privacy Act in 2018, the belief has been that the NDBS provisions (i.e. the requirement to notify an "eligible data breach" to the OAIC and all affected individuals) do not apply to "employee records". That is, a data breach involving records which have been collected and are held by an organisation (otherwise subject to the APPs) that is the employer of the individual, where that collection and holding of those employee records is directly related to a current or former employment relationship between that organisation and the individual, will not be mandatorily notifiable (even where serious harm was likely). However, the position, at least in practice, is not quite settled.
An "employee record", as defined in s6 of the Privacy Act, is a record of personal information of an employee relating to the employment of that employee. Various examples are given in section 6 of the Privacy Act of what may constitute an employee record. Note that tax file numbers (TFNs) are specifically subject to the NDBS provisions, are generally governed under sections 17 and 18 of the Privacy Act, and are not considered an "employee record" for the purposes of the exemption.
In the past 12–18 months the OAIC has been suggesting that employee records which are subject to a data breach via the unauthorised access of a third party are not exempt from the NDBS provisions, given that the unauthorised access by a third party is not "an act or practice engaged in by the employer organisation" and so does not benefit from the employee records exemption. This part of the exemption, "the act done or practice engaged in" by the employer organisation which obtains the exempt status, is what is relied on by the OAIC. That is, a third party obtaining unauthorised access to the employee records in question is not an act (i) of the employer; and (ii) in relation to the employment relationship.
So, while the information in question is still an employee record and is generally exempt from the Privacy Act/APPs, the OAIC believes any data breach involving employee records is not therefore exempt, because the breach is not an act or practice engaged in by the employer organisation directly related to the employment relationship.
The OAIC has pushed this argument in a number of recent data breaches (especially where a third party has obtained unauthorised access to employee records) and it seems to be gathering significant momentum, to the point that it may be difficult to 'turn it around'.
While it is important to understand the approach/policy of the OAIC in this regard (and we caution that care should always be taken in any circumstances where employee records suffer unauthorised access), we do not agree with the OAIC's position on this issue. We believe that they have misinterpreted/misread the combined provisions of sections 7(1)(ee), 7B(3), 15 and 26WE of the Privacy Act. Without going into detail here, we believe that once exempt, the relevant employee records are no longer subject to the NDBS provisions (or other parts of the Privacy Act or APPs), unless and until an act or practice of the employer itself in relation to those employee records is other than in relation to the employment relationship between that employer and the individual. That is, unauthorised access to employee records by a third party is not an act or practice of the employer contrary to the exemption and therefore does not enliven (i.e. subject the employee records to) the NDBS provisions of the Privacy Act.
Of course, any data breach involving purported employee records (or any personal information of employees) should be seriously considered in terms of the NDBS provisions, especially given the OAIC's stated current stance, and appropriate legal advice should be obtained before determining whether or not such a breach is an "eligible data breach" which requires notification to the OAIC and all affected individuals. Also, what is and is not an employee record is often misunderstood. For personal information of employees subject to the data breach which is not an "employee record", the NDBS provisions must be considered and applied in respect of that data breach. What is clear is that, unless you wish to fight the OAIC, in practice at least, employee records that are the subject of a data breach by a malicious third party must be considered under the NDBS provisions to determine if an eligible (i.e. notifiable) data breach has occurred.
We are happy to assist you in clarifying whether your "employee records" are (or are not) subject to the NDBS provisions and the best strategy for dealing with this issue.
How can we help?
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response and privacy advisory practice in Australia and New Zealand. Our experienced team has dealt with thousands of data breach and technology related disputes in recent times, as well as privacy reviews, assessments and solutions advice, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness reviews, solutions and advice, and breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for its expertise and experience in financial services information technology prudential requirements and in managing all forms of disputes across sectors, including advising on some of the most newsworthy class actions commenced in Australia.
Our 24-hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
Australia: + 61 2 9210 4464
New Zealand: 0800 527 508