Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
As a small business owner, you’re probably handling a lot of “people data” every day without even realising it.
Employee records, rosters, performance notes, medical certificates, CCTV footage, swipe-card logs, emails, Slack messages, and even GPS tracking for vehicles can all involve personal information. And as workplaces become more digital (and more flexible), privacy issues can pop up quickly and unexpectedly.
This is where understanding employee privacy rights in Australia becomes essential. If you collect, use, store or share employee information in the wrong way, you can create serious legal and HR risk for your business, including disputes, complaints, reputational damage, and in some cases regulatory consequences.
Below, we’ll walk you through the main privacy considerations for employers in Australia, what you should have in place, and what to watch out for when you’re monitoring staff or managing sensitive information.
What Are Employee Privacy Rights In Australia (And Why Do They Matter For Small Business)?
“Employee privacy rights” generally refers to the idea that employees should have their personal information handled fairly and responsibly at work, and that workplace monitoring should be reasonable, lawful, and transparent.
In practice, employee privacy rights in Australia come from a mix of sources, including:
- Privacy laws (including the Privacy Act 1988 (Cth), where it applies)
- State and territory surveillance laws (especially for recording and workplace monitoring)
- Workplace laws (like the Fair Work Act and general protections, bullying and discrimination risk)
- Contract and policy obligations (like confidentiality clauses, IT policies, and workplace surveillance policies)
- Work health and safety (WHS) duties (especially where monitoring relates to safety)
Even if you’re a small business and you think privacy laws “don’t apply”, it’s still crucial to manage employee data carefully. Privacy concerns often become employment disputes, and good privacy practices help you build trust and reduce risk.
What Counts As “Personal Information” In The Workplace?
In an employment context, personal information can include:
- contact details, date of birth, emergency contacts
- bank account details and payroll records
- tax file number information (and other HR onboarding details)
- performance records, warnings, investigation notes
- medical information (certificates, return-to-work clearance, injury records)
- CCTV footage and audio recordings
- device data (location tracking, logins, usage logs)
If you’re collecting any of this, you should be thinking about what you collect, why you collect it, who has access, and how long you keep it.
Does The Privacy Act Apply To Employers And Employee Records?
This is one of the most common points of confusion for small businesses.
In Australia, the Privacy Act 1988 (Cth) generally applies to “APP entities” (organisations that must comply with the Australian Privacy Principles). Some small businesses are exempt if they have an annual turnover of $3 million or less, but the “small business exemption” has important exceptions, and it can be affected by how you operate (including the kinds of personal information you handle and the services you provide).
On top of that, even where the Privacy Act applies to your business, there is an employee records exemption that can apply to certain handling of employee records.
The Employee Records Exemption (In Plain English)
The employee records exemption can mean that some acts or practices relating to employee records are not covered by the Australian Privacy Principles, as long as they are:
- about a current or former employee (not usually job applicants or contractors), and
- directly related to the relevant employment relationship.
However, the exemption is not a “free pass”. It has limits, and it doesn’t automatically protect you from other legal risks (like surveillance laws, Fair Work disputes, discrimination claims, or breaches of confidentiality obligations).
Also, not everything you handle is necessarily an “employee record”. For example, information about job applicants may be treated differently, and data held by third-party providers may introduce additional complexity.
If your business is covered by the Privacy Act (or you’re close to the threshold and scaling), it’s often wise to treat privacy compliance as part of good governance from the start, including having a Privacy Policy where appropriate.
When Small Businesses Can Still Have Privacy Obligations
Even if you’re under $3 million turnover, you may still have privacy obligations if you:
- provide certain services (for example, some health-related services)
- contract with larger organisations that require privacy compliance as part of the commercial terms
- collect and store significant personal information through systems, apps or platforms
- operate in a way that triggers an exception to the small business exemption
Practically, many privacy issues for employers aren’t just about whether the Privacy Act technically applies. They’re about whether you can justify what you’re doing, whether you’ve communicated it clearly, and whether your approach is consistent and fair.
Workplace Monitoring: Emails, CCTV, GPS Tracking And Recording Conversations
Many small businesses monitor staff in some way, whether it’s security cameras, reviewing work emails, tracking vehicle locations, or using software that logs activity on devices.
The key is that monitoring can be lawful in Australia, but it needs to be handled carefully. Different states and territories regulate surveillance and recordings differently, and the rules can change depending on whether you’re monitoring visually, through computer systems, or by listening/recording audio. Your obligations can also depend on where the workplace (and the relevant people and devices) are located.
CCTV And Cameras In The Workplace
CCTV is common for security, safety, and loss prevention. But cameras create privacy risks if they’re used inappropriately or installed without proper notice.
As a starting point, you should be thinking about:
- purpose (why the cameras are needed and what risk they address)
- placement (avoid areas where employees expect high privacy, like bathrooms or change rooms)
- notice (clear signage and policy communication)
- access and storage (who can view footage, how long it’s kept, and how it’s secured)
For a general overview of Australian workplace camera rules and best practices, CCTV laws in Australia is a helpful reference point.
If you’re operating in a specific state (especially Victoria), you also need to account for state-based surveillance rules, including Victoria recording laws where relevant.
Monitoring Emails, Messages And Work Devices
It’s common for employers to access and review work emails and business systems, particularly where there’s a suspected breach of policy, a security risk, or a performance issue.
The safest approach is to ensure you have clear documentation in place, such as:
- a workplace IT/communications policy explaining what monitoring occurs
- an employment contract that supports confidentiality and appropriate use of systems
- clear onboarding training so there are no surprises
A tailored Employment Contract is often the “foundation document” that helps set expectations around workplace conduct, confidentiality, and appropriate use of company property and systems.
Recording Conversations (Including Phone Calls)
Recording in the workplace is one of the fastest ways for privacy issues to escalate into legal issues.
Whether you can record a conversation depends on the state or territory, the type of conversation, and whether consent is required in that jurisdiction. In some places, recording may be legal with consent, but unlawful without it. There can also be strict rules about using or sharing a recording, even if it was lawfully obtained.
If your business records customer calls, monitors phone systems, or you’re dealing with internal disputes where someone might record a meeting, it’s worth understanding the legal landscape around business call recording laws.
And if your business is based in Queensland or you have staff there, you should be cautious about state-specific rules, including recording conversations in Queensland.
GPS Tracking And Location Monitoring
GPS tracking (for delivery drivers, mobile technicians, company cars, or safety reasons) can be legitimate and even beneficial. But it can also feel intrusive if it’s not handled transparently.
Practical risk-reduction steps include:
- tell employees what is tracked, when it is tracked, and why
- avoid tracking outside work hours unless there is a clear, lawful reason
- limit access to location data (need-to-know basis)
- set clear retention periods
If monitoring is excessive, inconsistent, or used “punitively”, it can increase the risk of employee complaints and can complicate disciplinary processes.
Handling Sensitive Employee Information (Medical, Performance And Investigations)
Some of the most sensitive privacy issues arise when you’re handling employee health information, performance records, or allegations of misconduct.
This information is often highly personal, and even if you’re allowed to collect it, you still need to handle it carefully and limit access.
Medical Information And Fitness For Work
You might collect medical information when an employee is:
- taking sick leave
- seeking workplace adjustments
- returning to work after injury or illness
- involved in a workers’ compensation matter
As an employer, you generally should only request medical information that you reasonably need. For example, you may need confirmation that a person is fit to return to work, rather than full medical records.
This is especially important in “return to work” situations, where there can be legitimate safety and operational concerns. If you’re unsure what you can request, medical clearance to return to work is a useful guide for the typical boundaries and practical steps.
Performance Records, Warnings And HR Notes
Performance management often involves keeping records: meeting notes, written warnings, improvement plans, and documented outcomes.
To manage privacy risk here:
- only record what is relevant and factual
- avoid language that is insulting, speculative, or unnecessary
- store records securely and limit access
- be consistent (inconsistent record-keeping can look unfair later)
Privacy and HR process are closely linked. If an employee alleges unfair treatment, bullying, or discrimination, your records become important evidence. Keeping them accurate and confidential protects both your business and your staff.
Workplace Investigations And Confidentiality
If you’re investigating misconduct, you may be collecting information from witnesses, reviewing messages, accessing footage, or taking written statements.
A common mistake is over-sharing information “for transparency”. While it’s important to give an employee procedural fairness, you usually still need to limit sharing of sensitive details to:
- those who are directly involved in the process
- those who need information to perform their role (for example, HR, management, external investigators)
It’s also important to maintain confidentiality around witness identities and statements where possible, particularly if there is a risk of victimisation or workplace conflict escalating.
What Policies And Legal Documents Help You Manage Employee Privacy Properly?
Most privacy issues in the workplace don’t happen because a business owner is trying to do the wrong thing. They happen because expectations weren’t set early, policies weren’t clear, or the business grew faster than its internal systems.
Having the right legal documents in place makes it easier to prevent problems before they start, and to respond consistently if a concern is raised.
Key Documents To Consider
- Employment Contract: sets expectations about confidentiality, appropriate use of systems, and workplace conduct. A tailored Employment Contract can also support your disciplinary processes and reduce disputes.
- Workplace Policies: an employee handbook (or suite of policies) can cover IT use, monitoring, social media, CCTV, data handling, and complaint management. Depending on your workplace, Workplace Policy documents can help you communicate what’s “in bounds”.
- Privacy Policy (where relevant): if your business is covered by the Privacy Act, or you collect significant personal data through platforms and systems, a clear Privacy Policy helps set expectations and supports compliance.
- Consent Forms (where appropriate): if you’re collecting sensitive information or implementing certain monitoring tools, written acknowledgements can reduce ambiguity (though consent is not always a cure-all if the monitoring itself is unlawful).
- Data Breach Response Plan: if employee data is lost or accessed improperly, a plan helps you respond quickly and consistently. This becomes more important as you scale or rely on cloud systems and external providers.
Why “Transparency” Is Usually Your Best Friend
A strong theme across employee privacy rights in Australia is transparency.
If you’re collecting information, monitoring systems, or using surveillance tools, you should generally aim to ensure employees understand:
- what is being monitored or collected
- why it is necessary
- who will have access
- how long it will be kept
- what the consequences are for policy breaches
This won’t just reduce legal risk. It also reduces the likelihood of staff feeling blindsided, which is often what triggers formal complaints.
Key Takeaways
- Employee privacy rights in Australia are shaped by privacy laws, workplace laws, and state/territory surveillance rules, and they can affect how you manage everything from HR files to CCTV footage.
- The Privacy Act may apply to your business depending on turnover and other factors. Even if the employee records exemption applies in some situations, it is limited (including to current and former employees and handling directly related to the employment relationship) and it doesn’t remove other legal risks.
- Workplace monitoring (emails, CCTV, GPS, recordings) can be lawful, but you should be transparent, have a clear business reason, and comply with the specific state/territory recording and surveillance laws that apply to your workplace.
- Sensitive information like medical details, performance records, and investigation materials should be collected only when necessary, stored securely, and shared on a strict need-to-know basis.
- Clear documentation is a major risk reducer, including an Employment Contract, workplace policies, and (where relevant) a Privacy Policy that matches how your business actually operates.
If you’d like help reviewing your workplace privacy practices or putting the right documents in place, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.