
Employers, employees and data breach risks – a recent case

27 March 2018


#Workplace Relations & Safety

Published by:

Rose Sanderson


The Notifiable Data Breach scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), commenced on 22 February 2018. Broadly, the scheme provides that companies must take reasonable steps to notify all potentially affected individuals of an eligible data breach, and report the breach to the Office of the Australian Information Commissioner. 

One month on from the commencement of the scheme, Svitzer Australia has reported a notifiable data breach involving the personal information of approximately half of its employees. This breach is one of the first to be notified under the new laws.

This breach occurred over a period of nearly 11 months and involved the email auto-forward function, through which emails from three employee accounts were automatically forwarded to an external source. Investigations are currently being undertaken, but it has been confirmed that the leaked information may include employee information such as tax file numbers and superannuation details.

What is the risk?

Apart from the risk of business disruption, loss of faith by employees, customers and service providers, and potential claims by those affected, businesses operating in Australia now face significant penalties if they don't have in place sufficient systems to prevent, detect and report on cyber security data breaches.

But these were employee records. Does this mean employers cannot rely on the employee records exemption?

It is well established that the Privacy Act 1988 (Privacy Act) contains an exemption whereby the handling of personal information by a private sector employer does not trigger the application of the Privacy Act if it directly relates to an employee’s current or former employment relationship.

However, the question of whether employee records are exempt from the reach of notifiable data breaches is less clear. 

In circumstances where personal information is not captured under the employee records exemption, the requirements under the Privacy Act must be complied with. For example, information in relation to prospective employees, independent contractors, work experience students or other volunteers will not be captured by the exemption. 

Further, information which does not directly relate to an employee’s employment may also be captured by the Privacy Act. 

Which types of information disclosure would not directly relate to an employee’s employment is a grey area, and caution should be exercised.

Key takeaways

  • Do not consider the employee records exemption as a blanket protection. If in doubt, seek further advice or notify!
  • Organisations should be prepared in the event that a data breach occurs. Ensure your data breach policies and notification plans are up to date. 

 
Authors: Rachel Drew & Rose Sanderson

Contacts:

Melbourne

Charles Power, Partner
T: +61 3 9321 9942
E: charles.power@holdingredlich.com

Benjamin Marshall, Partner
T: +61 3 9321 9864
E: ben.marshall@holdingredlich.com

Sydney

Stephen Trew, Managing Partner, Sydney
T: +61 2 8083 0439
E: stephen.trew@holdingredlich.com

Michael Selinger, Partner
T: +61 2 8083 0430
E: michael.selinger@holdingredlich.com

Brisbane

Rachel Drew, Partner
T: +61 7 3135 0617
E: rachel.drew@holdingredlich.com


Disclaimer


The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources. 
