Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Collecting employee diversity information can feel like something only large corporates do for annual reports and glossy dashboards.
But for many Australian small businesses, EEO data (equal employment opportunity data) is becoming increasingly relevant. You might be hiring your first few employees, growing across multiple sites, or trying to build a fairer workplace with better retention. Good-quality diversity information can help you spot patterns early and make better decisions.
At the same time, EEO data is often personal information - and sometimes sensitive information. If you collect it carelessly, you can create privacy risks, workplace distrust, or even discrimination issues.
Below, we’ll walk you through what EEO data is, why you might collect it, what you can (and generally shouldn’t) collect, and how to handle it in a privacy-safe, practical way that fits a small business environment.
What Is EEO Data (And Why Does It Matter For Small Businesses)?
EEO data is information about your workforce that helps you understand whether people have equal access to opportunities at work. In practice, it usually means collecting diversity-related information (often on a voluntary basis) and reviewing it in aggregate.
For small businesses, EEO data is less about “ticking a box” and more about answering practical questions like:
- Are certain groups underrepresented in our hiring pipeline?
- Do we promote some groups faster than others?
- Are rostering or flexible work arrangements working fairly?
- Do particular teams have higher turnover, and why?
When handled properly, EEO data can support a culture where people feel included - and reduce the risk of complaints or disputes by helping you identify issues before they escalate.
It can also become relevant when you’re asked for diversity information by:
- government tenders or supplier questionnaires
- industry accreditation programs
- investors or strategic partners
- your own internal reporting goals
The key is that collecting EEO data needs to be done in a way that’s lawful, transparent, and respectful to your team.
Why Collect EEO Data? Practical Benefits (And Common Traps)
If you’re going to collect EEO data, you should be clear about what business problem you’re trying to solve. Collecting data “because we might need it later” is one of the fastest ways to create privacy and trust risks.
Practical Reasons Small Businesses Collect EEO Data
- Hiring and recruitment insights: You can check whether your recruitment sources are attracting diverse applicants (without using that information to make biased hiring decisions).
- Retention and engagement: Patterns in turnover can be an early warning sign of a culture issue, a manager training gap, or an accessibility barrier.
- Training and policies: Diversity information can help you tailor training and workplace processes so they suit your actual workforce.
- Measuring progress: If you introduce changes (like flexible work, accessibility improvements, or structured promotions), you can measure whether it’s working.
Common Traps To Avoid
- Collecting too much: Over-collection makes compliance harder and increases breach risk.
- Using it in performance decisions without safeguards: EEO data is often best used in aggregate for workforce insights. If you do use diversity-related information for individual decisions (for example, to provide a workplace adjustment, meet a legal obligation, or run a lawful “special measure”), you should be clear about the lawful basis and limit access to those who genuinely need to know.
- Not explaining “why”: If employees don’t understand the purpose, they may distrust the process or decline to participate (which also makes the dataset unreliable).
- Accidental discrimination: If a hiring manager can see an applicant’s sensitive diversity information, that can create real legal and cultural problems.
In other words, EEO data can be a powerful tool - but it needs strong guardrails.
What EEO Data Can You Collect (And What Should You Avoid)?
There isn’t one fixed list of EEO data that every small business must collect. What’s appropriate depends on your business, your workforce, and why you’re collecting it.
As a general rule: collect only what you actually need, and keep it voluntary wherever possible.
Common EEO Data Categories
Many workplaces focus on categories such as:
- Gender (including options beyond binary, if appropriate)
- Age range (often bands, not exact date of birth)
- Cultural background / ethnicity (if you have a clear reason and safe process)
- Disability status (especially where you’re assessing accessibility or support needs)
- Indigenous status
- Language spoken at home
- Caring responsibilities (relevant to flexible work planning)
Be careful: some of these categories can be sensitive information under Australian privacy law.
What To Avoid (Or Treat With Extra Caution)
Some data types are higher risk because they’re more personal, more sensitive, or more likely to be misused. Examples include:
- Detailed medical information (unless you genuinely need it for a lawful purpose, like a workplace adjustment process)
- Specific diagnoses (often not needed for EEO reporting)
- Religious beliefs (highly sensitive, and rarely necessary for EEO reporting)
- Sexual orientation (sensitive information; only collect with a clear purpose and strong privacy safeguards)
- Exact dates of birth for diversity reporting (age ranges are usually enough)
If you do need to collect higher-risk information, it’s worth ensuring your employment documentation and practices are aligned - including your Employee Privacy Handbook approach and internal access controls.
Keep EEO Data Separate From Selection Decisions
One practical safeguard we often recommend is structural: separate EEO data collection from recruitment and performance decision-making.
For example, if you collect EEO data in recruitment, consider collecting it via a separate form that is not visible to hiring managers, and only used in aggregate reporting later.
How To Collect EEO Data Lawfully And Respectfully
Collecting EEO data isn’t just a “form” problem - it’s a process problem. The safest approach is to build a clear, repeatable workflow that your team can follow every time.
Step 1: Be Clear On Your Purpose (And Document It)
Before you collect anything, write down:
- what EEO data you want to collect
- why you’re collecting it
- how you will use it (e.g. aggregate reporting only)
- who will have access
- how long you will keep it
This “purpose statement” becomes the foundation for your communications to staff, and for your privacy compliance settings.
Step 2: Use Voluntary Self-Identification Wherever Possible
As a small business, you’ll usually get better outcomes by inviting employees to self-identify voluntarily, rather than “guessing” or inferring categories.
Good practice usually includes:
- a “prefer not to say” option
- allowing updates over time (people’s circumstances can change)
- explaining that participation is optional and won’t affect employment decisions
Step 3: Give a Clear Collection Notice
If you’re collecting personal information (which EEO data often is), you should tell employees key details upfront - what you collect, why, how you store it, and who it may be shared with.
In practice, many businesses handle this with a Privacy Collection Notice tailored to their internal processes.
Step 4: Think About Consent (Especially For Sensitive Information)
Some diversity information may be considered sensitive information. If your business is covered by the Privacy Act 1988 (Cth), collecting sensitive information will usually require consent (unless a specific exception applies), and you should take extra care to keep the request genuinely voluntary and clearly explained.
It’s also important to know that not every small business is covered by the Privacy Act. Many SMEs fall under the “small business exemption” (generally where annual turnover is $3 million or less), and there is also an “employee records exemption” that can apply to certain handling of current and former employee records by private-sector employers, where it’s directly related to the employment relationship. These exemptions are nuanced and not blanket protections - and even where an exemption applies, transparency and careful handling remain best practice (and often still matter under discrimination, WHS, and general workplace obligations).
Step 5: Train The People Who Handle It
You don’t need a huge HR department to do this well, but you do need clarity on who is responsible.
If managers, payroll staff, or team leads may handle EEO data, make sure your internal Workplace Policy documents cover confidentiality and acceptable handling. Training should focus on:
- when EEO data is used in aggregate only, and the limited situations where individual use is appropriate (for example, adjustments)
- not discussing an employee’s diversity information casually
- where the data is stored and who can access it
- what to do if an employee asks to update or remove information
How To Store, Use And Protect EEO Data (Privacy And Security Basics)
Once you collect EEO data, the legal and practical risks often shift from “collection” to storage, access, and security.
Even if your business is small, you should treat EEO data as information that could cause harm if mishandled - particularly where it reveals disability, cultural background, Indigenous status, or other sensitive characteristics.
Have A Clear Privacy Framework
If your business is covered by the Privacy Act 1988 (Cth) (or you choose to align with it as best practice), you’ll want a clear baseline document that explains how personal information is handled. Many small businesses implement this via a Privacy Policy that matches how data is actually collected, stored, and disclosed.
Importantly, employee data can have different rules and expectations compared to customer data. Also, depending on your situation, the small business exemption and/or employee records exemption may change what the Privacy Act requires - but they don’t remove the need to handle EEO data carefully, keep it secure, and avoid discriminatory use.
Limit Access (Role-Based Access Works Well For Small Teams)
A common mistake is giving too many people access “just in case.” With EEO data, access should usually be limited to:
- one nominated HR/admin contact (or business owner)
- possibly payroll (only if they need it, which is often not the case)
- leadership, but only in aggregated, de-identified reporting format
If you’re using HR software, make sure permissions are set correctly so hiring managers don’t see diversity information that could influence recruitment decisions (even unintentionally).
De-Identify Data For Reporting Wherever You Can
If your goal is workforce insights, you usually don’t need names attached.
Good practice includes:
- using aggregated reports (e.g. “% of staff who identify as…”) rather than listing individuals
- avoiding breakdowns so narrow they “reveal” someone (for example, “Indigenous staff in the Wollongong store” when there’s only one employee there)
- keeping raw data separate from day-to-day HR files
Set A Retention Period (Don’t Keep It Forever)
Keeping EEO data indefinitely increases breach risk and can make it harder to justify why you still hold it.
A practical approach is to set retention rules such as:
- retain identifiable EEO data only while the employee is employed (plus a short period after, if genuinely necessary)
- retain de-identified aggregate trend data longer (if it can’t reasonably identify individuals)
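The three safeguards just described (role-limited access, de-identified reporting with small groups hidden, and a retention rule that keeps aggregate trends but drops identifiable records) are easy to get wrong when they only live in a policy document. The following Python sketch is an added example written for this article, not Sprintlaw's code or any HR product's feature. Everything in it is constructed: the employee records, the two site names, the five-person suppression threshold (MIN_CELL), the 90-day grace period, the "current date" used for the retention pass, and the role names are assumptions chosen for the illustration, not values the article prescribes.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


# Constructed sample data: hypothetical staff at two fictional sites.
# Fields hold self-identified answers; "prefer not to say" is always allowed.
@dataclass
class EeoRecord:
    employee_id: str
    site: str
    gender: str
    age_band: str                    # bands, never an exact date of birth
    disability: str                  # "yes" / "no" / "prefer not to say"
    end_date: Optional[date] = None  # None while the person is still employed


SAMPLE = [
    EeoRecord("e01", "Sydney", "woman", "25-34", "no"),
    EeoRecord("e02", "Sydney", "man", "35-44", "no"),
    EeoRecord("e03", "Sydney", "woman", "25-34", "yes"),
    EeoRecord("e04", "Sydney", "man", "45-54", "no"),
    EeoRecord("e05", "Sydney", "non-binary", "25-34", "no"),
    EeoRecord("e06", "Sydney", "woman", "35-44", "no"),
    EeoRecord("e07", "Sydney", "man", "25-34", "prefer not to say"),
    EeoRecord("e08", "Sydney", "woman", "18-24", "no"),
    EeoRecord("e09", "Sydney", "man", "25-34", "no", end_date=date(2024, 1, 15)),
    EeoRecord("e10", "Sydney", "woman", "55+", "no", end_date=date(2024, 6, 1)),
    EeoRecord("e11", "Wollongong", "man", "35-44", "yes"),
    EeoRecord("e12", "Wollongong", "woman", "25-34", "no"),
]

MIN_CELL = 5              # assumed suppression threshold; pick one that suits your headcount
SUPPRESSED = "suppressed"
TODAY = date(2024, 9, 1)  # constructed "current date" for the retention pass below


def aggregate(records, field, group_by=None, min_cell=MIN_CELL):
    """Count answers for `field`, optionally per `group_by` (e.g. site),
    hiding any cell or group too small to be reported safely."""
    groups = {}
    for r in records:
        key = getattr(r, group_by) if group_by else "all"
        groups.setdefault(key, Counter())[getattr(r, field)] += 1
    report = {}
    for key, counts in groups.items():
        if sum(counts.values()) < min_cell:
            # e.g. a two-person store: any breakdown would identify someone
            report[key] = f"{SUPPRESSED} (fewer than {min_cell} staff)"
            continue
        small = [v for v, n in counts.items() if n < min_cell]
        if len(small) == 1 and len(counts) > 1:
            # Complementary suppression: a single hidden cell can be recovered
            # from the group headcount, so hide the next-smallest cell as well.
            small.append(min((v for v in counts if v not in small), key=counts.get))
        report[key] = {v: (SUPPRESSED if v in small else n) for v, n in counts.items()}
    return report


def apply_retention(records, today=TODAY, grace_days=90):
    """Retention pass: snapshot the de-identified aggregates (which may be kept
    longer), then drop identifiable records of former staff past the grace period."""
    snapshot = {f: aggregate(records, f) for f in ("gender", "age_band", "disability")}
    cutoff = today - timedelta(days=grace_days)
    retained = [r for r in records if r.end_date is None or r.end_date > cutoff]
    return retained, snapshot


def view_for_role(role, records):
    """Role-based access: only the nominated HR contact sees raw rows, leadership
    sees per-site aggregates, and everyone else (hiring managers included) gets nothing."""
    if role == "hr_contact":
        return records
    if role == "leadership":
        return {f: aggregate(records, f, group_by="site") for f in ("gender", "disability")}
    raise PermissionError(f"role {role!r} may not access EEO data")


if __name__ == "__main__":
    print(view_for_role("leadership", SAMPLE))
    kept, snap = apply_retention(SAMPLE)
    print(len(SAMPLE), "records ->", len(kept), "identifiable records kept")
```

Running it shows the Wollongong breakdown replaced by a suppression marker (only two staff there), the Sydney "man" and "non-binary" cells hidden because each falls under the threshold, and the retention pass keeping ten identifiable records while the snapshot still carries the workforce-wide counts. The complementary-suppression step matters in practice: if only one cell in a group is hidden and the group's headcount is known, subtracting the visible cells reveals it.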
Prepare For Data Breaches
Even careful businesses can experience phishing attacks, misdirected emails, lost devices, or internal access mistakes.
Having a simple, documented response process helps you act quickly and reduce harm. Many businesses implement a Data Breach Response Plan so the steps are clear (who investigates, who notifies, how to contain the issue, and what gets recorded).
Align Your Employment Documents With Your Data Practices
If you’re collecting and storing employee diversity information, your employment documentation should match what you’re actually doing. For example, your Employment Contract and internal policies should work together so employees understand confidentiality expectations and your approach to managing personal information.
This is also where it helps to understand the difference between privacy obligations and workplace confidentiality expectations - these issues overlap, but they’re not identical. Getting that framework right reduces confusion and disputes later.
Key Takeaways
- EEO data can help small businesses measure fairness in hiring, retention and progression - but only if you collect it for a clear purpose and use it responsibly.
- Many types of EEO data are personal information, and some are sensitive information, so you should treat them as higher-risk data categories.
- Some small businesses may not be fully covered by the Privacy Act due to the small business exemption, and some handling of employee records may fall within the employee records exemption - but the safest approach is still transparency, minimisation, and strong security controls.
- Use voluntary self-identification and include “prefer not to say” options to keep the process respectful and improve trust.
- Separate EEO data from recruitment and performance decision-making to reduce bias risk and prevent accidental misuse (while recognising there are limited lawful situations where individual information may be used, such as adjustments).
- Protect EEO data with practical safeguards: limited access, de-identified reporting, clear retention periods, and a breach response process.
- Make sure your employment documents and privacy communications match your real-world practices, so your team knows what you’re doing and why.
If you’d like help setting up a compliant approach to collecting and protecting EEO data (including the right privacy documents and workplace policies), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.