Employers hold a lot of sensitive information about their people — tax file numbers, bank details, health information, emergency contacts. Handling it is governed by the Privacy Act 1988 and its Australian Privacy Principles (APPs), with some nuances specific to employee records — and the rules are tightening. This guide explains what applies, the much-misunderstood employee records exemption, your data-breach duties, and what’s changing in 2025–26. Put good practice in place with our free data protection and information security policy templates.
Quick summary
- The framework:
The Privacy Act 1988 and 13 Australian Privacy Principles govern personal information
- Employee records:
An exemption covers records used directly in employment — but it’s narrower than people think
- Breaches:
Eligible data breaches must be reported under the Notifiable Data Breaches scheme
- Reform is coming:
A privacy tort (2025) and the exemption is under review — don’t over-rely on it
The Privacy Act and the APPs
The Privacy Act 1988 and its 13 Australian Privacy Principles (APPs) set how organisations collect, use, store, disclose and secure personal information. They apply to most businesses with an annual turnover over $3 million and to some smaller businesses (for example those handling health information). The APPs cover the whole lifecycle — only collecting what you need, being transparent about it, keeping it secure, and giving people access to their information.
The employee records exemption (and its limits)
Here’s the part employers most often get wrong. Under the Privacy Act, an employee records exemption means the APPs generally don’t apply to personal information a private-sector employer holds about a current or former employee when it’s used directly in relation to the employment relationship. So a current employee’s pay records used for payroll typically fall inside the exemption.
But the exemption is narrower than it sounds:
- It doesn’t cover job applicants — the APPs apply to unsuccessful candidates’ information.
- It generally doesn’t cover third parties — payroll, HR or recruitment providers handling the data under contract may need to comply.
- It applies to the employment relationship — using the data for unrelated purposes can fall outside it.
- Surveillance, health and tax file number rules apply regardless — see our guide to workplace surveillance.
And it may not last — see the reforms below.
Handling employee data well
Practical steps
-
Collect only what you need, and tell people why you’re collecting it
-
Secure it — access controls, encryption where appropriate, and limits on who can see sensitive data (a data protection policy sets the standard)
-
Store TFNs and health information carefully — these have extra protections
-
Keep it accurate and up to date, and don’t keep it longer than you need
-
Have a data breach response plan ready before you need it
-
Vet your providers — payroll/HR vendors handling the data have their own obligations
Data breach obligations
Under the Notifiable Data Breaches (NDB) scheme, if a data breach is likely to result in serious harm to affected individuals and you can’t prevent that harm, you must notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC). Employee data — bank details, TFNs, health information — is exactly the kind of information that can trigger this. A written response plan, kept with your information security policy, is what lets you act fast.
What's changing in 2025–26
Don't over-rely on the employee records exemption
The Privacy Act and Other Legislation Amendment Act (passed late 2024) started a wave of reform. A statutory tort for serious invasions of privacy commenced in 2025, and from 10 December 2026 businesses must disclose the kinds of decisions made through automated means and the personal information used. The government has also agreed in principle to narrow or remove the employee records exemption. The direction of travel is clearer obligations, not fewer — so build good privacy practice now rather than leaning on the exemption.
Good workforce systems make privacy easier: keep employee data in one secure place with role-based access rather than scattered spreadsheets and inboxes. RosterElf’s HR software centralises records with controlled access, and the Fair Work Ombudsman’s workplace privacy guide is a useful reference.
Keep employee data secure and in one place. RosterElf centralises staff records with role-based access and secure storage — easier privacy compliance than spreadsheets and inboxes. Start from our free data protection & information security policy templates.
Frequently asked questions
Does the Privacy Act cover employee records in Australia?
Partly. Under the employee records exemption, the Australian Privacy Principles generally don’t apply to personal information a private-sector employer holds about a current or former employee when it’s used directly in relation to the employment. However, the exemption doesn’t cover job applicants or (generally) third-party providers, and other rules — surveillance, tax file numbers, health information — still apply. The exemption is also under review.
What is the employee records exemption?
It’s a Privacy Act provision that exempts private-sector employers from the APPs for personal information about a current or former employee used directly in the employment relationship — for example pay and leave records used for payroll. It’s narrower than many assume: it doesn’t extend to candidates, unrelated uses, or (usually) external providers, and the government has agreed in principle to narrow or remove it.
What employee data can an employer collect?
Employers can collect personal information reasonably necessary for the employment relationship — identity and contact details, tax file number, bank and super details, emergency contacts, qualifications and, where relevant, health information. The principles are to collect only what you need, be transparent about why, keep it secure and accurate, and not retain it longer than necessary.
Do employers have to report a data breach?
Yes, under the Notifiable Data Breaches scheme. If a data breach involving personal information is likely to result in serious harm and you can’t prevent that harm through remedial action, you must notify the affected individuals and the OAIC as soon as practicable. Employee data such as bank details, TFNs and health information commonly meets this threshold, so a response plan is essential.
What is changing with Australian privacy law?
Reforms from the Privacy Act and Other Legislation Amendment Act (2024) are rolling out: a statutory tort for serious invasions of privacy commenced in 2025, automated-decision transparency obligations apply from 10 December 2026, and the government has agreed in principle to narrow or remove the employee records exemption. The overall direction is stronger obligations, so employers should strengthen privacy practices now.