Privacy Reforms That Could Cost Employers Millions

March 28, 2025

The Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA Act 2024), passed by both Houses of Parliament on 29 November 2024, marks the first wave of amendments to the Privacy Act 1988 (Cth). The Act introduces a new statutory cause of action for ‘serious invasion of privacy’ that will directly impact employers, especially in relation to how employee personal information is managed.

Serious breaches of the law could lead to penalties of $3.3 million for companies or $660,000 for individuals. Employers must understand these changes to ensure compliance and mitigate potential risks in their workplace operations.

Introduction of a Statutory Tort for Serious Invasions of Privacy

A key change under the POLA Act 2024 is the introduction of a statutory cause of action for “serious invasions of privacy.” Previously, employees had limited avenues for seeking legal recourse in cases where their personal information was misused in the workplace. Now, individuals can pursue compensation through the courts if their privacy is invaded, either through an intrusion upon their seclusion or the misuse of their personal information.

The elements of the cause of action are as follows:

a. an invasion of privacy (by intrusion upon seclusion or misuse of information, or both)
b. a reasonable expectation of privacy in all the circumstances
c. fault (either intention or recklessness)
d. seriousness of the invasion, and
e. that the public interest in protecting the plaintiff’s privacy outweighs countervailing public interests that are raised by the defendant.

What Employers Need to Know:

  • Vicarious Liability Risk: Employers may now be held vicariously liable for serious invasions of privacy carried out by their employees during the course of employment. For example, an employee using company-issued devices to record or share private information about another employee could lead to a privacy breach and subsequent liability for the employer.
  • Defences and Exemptions: While the law includes defences, such as consent or public interest considerations (e.g., press freedom), employers should take proactive steps to mitigate risks by embedding privacy protection practices within their workplace.

Expanded Penalties and Enforcement Powers

The reforms introduce greater transparency requirements and enhanced enforcement powers, which have far-reaching implications for employers:

  • Increased Enforcement by the OAIC: The Office of the Australian Information Commissioner (OAIC) now has expanded powers to investigate and monitor breaches, and it may initiate public inquiries into privacy matters.
  • Criminal Offences for Malicious Doxxing: New criminal offences specifically target maliciously releasing personal information, known as “doxxing,” over carriage services. Employers should be aware of the risk that their employees may engage in this harmful activity.

Employee Records Exemption

Although the employee records exemption has not been removed, the government has agreed to further consultations with employers and employees to better align privacy and workplace relations laws. This could lead to changes in how employee records are handled in the future, particularly regarding the privacy of sensitive information.

Practical Steps Employers Should Take

To comply with the new privacy reforms and reduce the risk of legal challenges, employers should consider the following actions:

  1. Review and Update Privacy Policies: Ensure that privacy, surveillance and cybersecurity policies clearly set out how personal information is accessed, used, and disclosed. This should include specific procedures for addressing any misuse of employee data.
  2. Update Employment Contracts: Contracts should impose clear obligations on employees regarding the protection and use of personal information. This can help to prevent accidental misuse of sensitive data.
  3. Implement Privacy Training: Management and employees should be trained on the updated privacy provisions, especially regarding what constitutes an invasion of privacy and how to handle employee information responsibly.
  4. Limit Personal Information Collection: Avoid collecting excessive personal data from employees and ensure that the information gathered is strictly necessary for the employment relationship.
  5. Monitor Developments: Stay informed about further privacy law reforms, particularly those related to the employee records exemption. The government’s ongoing commitment to reform means additional changes may be on the horizon.

Further Advice

For further guidance on this issue and tailored advice for your business, contact Maguire Legal.
