Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
When you hire staff, you inevitably collect and handle a lot of personal information - from resumes and payroll details to health information, CCTV footage and emails sent on company systems.
Without a clear employee privacy policy, it’s hard to set expectations, stay compliant, and respond quickly when something goes wrong.
In this guide, we’ll break down what an employee privacy policy is, when Australian privacy laws apply, what to include, how to roll it out, and common pitfalls to avoid. We’ll keep it practical and focused on small businesses so you can put the right framework in place with confidence.
What Is An Employee Privacy Policy (And Why It Matters)?
An employee privacy policy is a workplace policy that explains how your business collects, uses, stores and discloses personal information about staff and job applicants, what monitoring occurs at work, and how people can access or correct their information.
It does a few important jobs for your business:
- Sets clear expectations for employees about workplace monitoring, IT use and confidentiality.
- Explains your legal obligations and internal processes for handling personal information and sensitive information (like health data or criminal history).
- Helps you respond consistently to access requests, complaints and data breaches.
- Reduces risk by aligning your day-to-day practices with Australian privacy and surveillance laws.
Think of it as the operational companion to your company-wide Privacy Policy (which focuses on customer/user data and is often published on your website). Your employee privacy policy sits inside your internal HR and IT framework and is written for staff.
Do Australian Privacy Laws Apply To My Business?
Many small businesses ask this first - it’s a fair question. In Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to most businesses with an annual turnover of more than $3 million, and to some smaller businesses in specific sectors (like health, credit reporting, or those that trade in personal information).
There’s also a specific “employee records exemption” for private sector employers. In simple terms, if you’re a private sector employer, your handling of an “employee record” (e.g. payroll, leave, performance notes) is generally exempt from the APPs when it’s directly related to the employment relationship.
However, that exemption does not cover everything. For example:
- It typically doesn’t apply to prospective employees (job applicants) or contractors.
- It doesn’t override state and territory surveillance laws governing CCTV, computer, phone and location tracking.
- It doesn’t remove your obligations if the APPs apply to you for other reasons (turnover threshold, health services, credit, etc.).
So even if you rely on the employee records exemption, you still need a clear policy and compliant practices. It’s also best practice to handle staff data to a high standard - it builds trust and reduces legal and reputational risk.
What Should Your Employee Privacy Policy Cover?
Your policy should be tailored to how your business actually operates. Use the topics below as a checklist.
1) Collection Of Employee Information
- What you collect: e.g. contact details, emergency contacts, bank and super details, tax file numbers, qualifications, COVID/health information (if relevant), background checks.
- How you collect it: onboarding forms, recruitment portals, third-party recruiters, medical assessments, reference checks.
- Why you collect it: to administer employment, pay and benefits, ensure safety and compliance, and manage performance.
It’s smart to pair your policy with a concise Privacy Collection Notice for applicants and new starters that sets expectations from day one.
2) Workplace Monitoring And Surveillance
Be explicit about what monitoring occurs, such as CCTV in common areas, swipe card logs, GPS tracking of vehicles, or monitoring of emails, internet usage and device activity.
State and territory surveillance laws have strict notice and consent rules. If staff will be monitored, say where, how and why - and do it before the monitoring begins.
It also helps to reference your other policies so everything is consistent, for example your approach to CCTV and the limits of IT monitoring. For more detail on visual monitoring, many businesses also look at the practical guidance in Australia’s security camera laws.
3) Use Of Email, Messaging And IT Systems
Most disputes about “privacy at work” involve email and messaging. Your policy should explain acceptable use, personal use limits, retention and access rules, and when the business may review employee communications on company systems.
Make it clear that company systems are primarily for work purposes and may be accessed for legitimate business reasons (e.g. investigations, legal compliance, operational continuity). For an overview of the legal landscape, see employer access rules around employee emails.
4) Sensitive Information And Health Data
Sensitive information (such as health information or criminal history) requires extra care. Your policy should explain when and how you might collect it (e.g. fitness for work assessments, injury management, background checks), who can access it, how it’s stored, and how long it’s kept.
Only collect what you reasonably need, and limit access to those with a legitimate business reason (e.g. HR or WHS managers).
5) Access And Correction Requests
Even with the employee records exemption, staff may ask to see certain information you hold about them or request corrections. Outline how employees can make a request, who to contact, and the timeframes and exceptions that may apply.
Having a standard process (and form) helps you respond consistently and efficiently. Many businesses complement the policy with simple procedures or an internal request form.
6) Sharing Information With Third Parties And Overseas
Spell out when employee information may be disclosed to third parties, like payroll providers, insurers, medical practitioners, super funds, training providers or government agencies. If you use offshore software or service providers, say so - and explain how you manage those transfers.
When vendors process staff data for you, it’s best practice to have a Data Processing Agreement in place to set expectations and security standards.
7) Data Security, Retention And Destruction
Employees should know how their information is protected and for how long. Outline key safeguards (access controls, encryption for sensitive fields, secure disposal) and retention schedules aligned with legal requirements (e.g. tax, employment records) and business needs.
Consider aligning this with an Information Security Policy so your HR and IT settings support each other.
8) Data Breaches And Incident Response
Set out how your business handles suspected or confirmed data breaches. Who should employees notify? What happens next? If the APPs and Notifiable Data Breaches scheme apply to you, note that serious breaches may require notification.
A clear policy is powerful, but it works best with a practical Data Breach Response Plan so your team can act fast.
9) Confidentiality, BYOD And Remote Work
If your business allows personal devices for work (BYOD) or remote work, set rules for passwords, remote wipe, storage of files, and separation of personal and work data. Reiterate confidentiality obligations and any approval process for new apps or integrations.
10) Recruitment, References And Background Checks
Be transparent about how you handle applicant data, reference checks and background screening. Explain any retention of unsuccessful applicant records and for how long.
This helps ensure your practices at the recruitment stage, when the employee records exemption often won’t apply, are still compliant and fair.
How To Roll Out An Employee Privacy Policy In Your Workplace
Once you’ve drafted a policy that fits how you operate, the next step is embedding it in your day-to-day processes.
Step 1: Map Your Data And Systems
List the information you collect across the employee lifecycle (recruitment, onboarding, performance, exit) and where it lives (HRIS, payroll, shared drives, inboxes, cloud tools). This helps you spot gaps and keep your policy grounded in reality.
Step 2: Draft Or Update The Policy
Write in plain English. Cross-reference related policies so staff don’t get conflicting messages. If you maintain an Employee Privacy Handbook, place the policy there alongside IT and HR procedures for easy access.
Step 3: Consult And Finalise
Share a draft with key stakeholders - HR, IT, line managers - and incorporate feedback. If you have an employee consultative group, invite comments. This builds buy-in and surfaces practical issues (like whether a proposed control is workable on the tools you use).
Step 4: Train Your Team
Introduce the policy in onboarding and run short refresher sessions annually. Use simple scenarios to explain how it works - for example, “When can we access an employee’s inbox if they’re on extended leave?” or “What should I do if I see a spreadsheet with TFNs in a shared folder?”
Step 5: Keep It Live
Set a review cycle (e.g. annually or after a major incident) and update the policy when your tools or processes change. Check that your HR forms, internal checklists and onboarding communications still align.
Related Workplace Policies To Put In Place
Your employee privacy policy works best as part of a coordinated suite of HR and IT policies and contracts. Depending on your business, consider pairing it with:
- IT Acceptable Use and Communications Policy (covering email, messaging, internet, devices and backups).
- Bring Your Own Device (BYOD) and Remote Work Policy (passwords, encryption, remote wipe, approved apps).
- Surveillance and CCTV Protocols (notice, signage, and access rules consistent with state laws).
- Recruitment and Background Checks Procedure (including consent and record-keeping).
- Confidentiality and IP clauses in your Employment Contract and contractor agreements.
- Public-facing Privacy Policy (for customers and website users) aligned with your internal practices.
- Email footers aligned with an Email Disclaimer if you use one.
If a vendor processes staff information on your behalf, put a Data Processing Agreement in place. If your team handles personal information about customers as well as staff, ensure your internal practices match your public-facing Privacy Policy.
Common Pitfalls (And How To Avoid Them)
Most privacy issues we see in workplaces come back to a few avoidable mistakes.
Collecting Too Much
Only collect information you genuinely need for employment and compliance. Sensitive information (like medical data) should be handled sparingly and with clear limits on access and storage.
Unclear Or Unlawful Surveillance
Rolling out new monitoring tools without notice or consent can breach state and territory laws. Document the business purpose, give advance notice, provide signage where required, and keep monitoring proportionate to the risks you’re managing. For visual monitoring, align your practice with established security camera laws.
Gaps Between Policy And Practice
Policies that don’t reflect reality do more harm than good. If your policy says you encrypt all portable devices but you don’t, fix the controls or update the policy. Consistency is key.
Unstructured Email And File Access
Without a clear process, accessing an inbox during an investigation or absence can create legal and trust issues. Set criteria for when access is permitted, who approves it, and how it’s documented. If you’re unsure on boundaries, the rules around employer access to employee emails provide useful context for decision-making.
Keeping Data For Too Long
Holding on to old personnel files and backups increases risk without adding value. Define retention periods for different record types (factoring in tax and employment law) and securely destroy data when it’s no longer needed.
Not Being Ready For A Breach
Breaches happen - lost laptops, misdirected emails, compromised accounts. Your policy should dovetail with a tested Data Breach Response Plan so your team can contain, assess and notify quickly if the law requires it.
How Does This Fit With The Employee Records Exemption?
Even if you rely on the employee records exemption, your business still benefits from strong, documented privacy practices. Here’s why:
- The exemption doesn’t apply to job applicants, contractors or many third-party disclosures.
- State surveillance laws continue to apply to CCTV, computer and phone monitoring and often require prior notice.
- Customers and regulators increasingly expect consistent, high standards across all personal information you handle.
- Good privacy hygiene lowers the impact of incidents and supports compliance across the business.
If other parts of your business are subject to the APPs, it’s often simpler to apply consistent standards to employee data too, adapted to practical needs.
Practical Tips To Get Yours Done This Month
- Start with a one-page outline covering the 10 topics above, then build out the details.
- Keep the writing plain, specific to your tools and processes, and free of jargon.
- Cross-check against your onboarding forms, HRIS settings, device management, and any vendor agreements.
- Run a short manager briefing so they know how to handle common scenarios (access requests, inbox access, CCTV footage requests, suspected breaches).
- Put a reminder in your calendar to review the policy annually or after a system change or incident.
Key Takeaways
- An employee privacy policy sets clear rules for collecting, using, monitoring and protecting staff information and helps your business stay compliant.
- Even with the employee records exemption, you still need to consider recruitment data, contractors and state surveillance laws - a policy brings these moving parts together.
- Cover collection, monitoring, emails/IT, sensitive information, third-party sharing, retention, access/correction and breach response, and align with your systems.
- Pair your policy with practical tools like an incident response plan, an information security policy and appropriate vendor terms such as a Data Processing Agreement.
- Train staff, keep the policy up to date, and ensure what you say in the policy matches what you actually do day to day.
If you’d like a consultation on drafting or updating your employee privacy policy (and aligning it with your broader privacy and HR framework), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.