Australia: DSARs – Employees, prospective employees, and BYOD challenges
A data subject access request ('DSAR') is a request made by an individual to an organisation or agency, asking for access to any personal information collected or stored about that individual. Katherine Sainty, Director at Sainty Law, considers how, under Australian law, organisations should handle DSARs involving employees and prospective employees, and also discusses situations where personal information is stored on employees' own devices used in the course of their work.
If you receive a DSAR, you must generally comply with the request and give the individual access to the information within a reasonable amount of time, as well as bear the reasonable costs of doing so.
Individuals usually make DSARs in relation to personal information and under applicable regulations. Both the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the UK General Data Protection Regulation ('UK GDPR'), as well as the Australian Privacy Act 1988 (Cth) ('the Privacy Act'), recognise the right of individuals to request access to their personal information held by an organisation. The regulations share common requirements: an obligation to provide access, transparent handling of data, and compliance with privacy principles.
DSARs from employees
The Privacy Act gives individuals a general right to access their own personal information held by organisations operating in Australia. Individuals who deal with an organisation in some capacity may wish to request access to, and correction of, their personal information held by the organisation. For instance, a consumer may want to view their sales history or confirm that their contact details are up to date. We note that in Australia individuals have no right to erasure of their personal information, so DSARs can only be made for access to and correction of personal data.
Employee record exemption
Employee records are exempt from the definition of personal information under the Privacy Act, meaning that the rules governing how organisations must handle personal information do not extend to employee records. This exemption is unique to Australia and means that there is no privacy basis supporting a DSAR from a former or current employee if the information requested is an employee record.
An employee record can include:
- basic employment details;
- terms of employment;
- time worked;
- wages paid;
- payslips; and
- performance reviews.
This exemption does not extend to prospective employees, such as job applicants, or to contractors.
Public sector employees
The employee record exemption does not apply to public sector employees. Under the Privacy Act, individuals who work in the public sector are entitled to make a DSAR to access their employee records and any personal data stored by their employer.
Accessing employee records
There are workplace laws and regulations that govern employee records. The Fair Work Act 2009 (Cth) requires employers to keep accurate employee records for seven years.
Employees can request that their employer make their employee records available for inspection by the employee, and the employer must comply under the Fair Work Regulations 2009 ('the Fair Work Regulations'). Former employees can rely on the same regulations to access their employee records held by former employers.
Therefore, employees in Australia can rely on the Fair Work Regulations to access their employee records where the Privacy Act exempts employers from having to comply with DSARs because of the employee record exemption. In practice, this means that an employer must respond to any DSAR from an employee, where the regulatory basis of the request is the Fair Work Regulations rather than the Privacy Act.
DSARs from job applicants
The personal information of job applicants is protected under the Privacy Act, and therefore prospective employees can submit a DSAR to the organisation they applied to for a job. The organisation must comply with the request, like any other DSAR that is not exempt under the Privacy Act.
However, if complying with a DSAR would reveal the employer's intentions in relation to negotiations with an individual in a way that could influence or prejudice those negotiations, there may be a basis for the employer to refuse access. In this situation it is still important to comply with the DSAR, but an organisation may separate the personal information provided from any documents that would influence or prejudice the employment negotiations.
DSARs where employees use their own devices
The Privacy Act does not specifically address how employers should comply with DSARs where employees use their own devices, such as a personal computer or mobile phone, for work purposes. This has become much more common since the COVID-19 work-from-home revolution.
If employees use their own devices as their work devices, any personal data collected and stored on those devices is likely to be within the scope of a DSAR. For instance, this might arise if a supervisor reviews a colleague's performance and stores their notes on a local drive.
Generally, if employees use their own devices in an official working capacity, the employer is still in control of any data stored or processed on those devices. This would be particularly the case if the company has a comprehensive Bring Your Own Device ('BYOD') policy that sets out these principles. However, if the data is stored on a local drive it is less accessible.
Interestingly, an employer's ability to easily access data on a personal device is irrelevant to whether data stored on that device is within the scope of a DSAR. If the use of personal devices cannot be avoided in a working environment, employers should make clear in advance that, if a DSAR is received, the employer may search the device for, and access, the organisation's personal information in order to comply with the DSAR.
A risk of this approach is that employees may claim that their employer is interfering with their 'right to privacy', as they may store their own personal information on the device and not want their employer to access it. Therefore, organisations should have a comprehensive BYOD policy which specifies how personal devices can be used for work and how the organisation's data on them may be accessed. Such a policy could require all organisation data to be collected, accessed, and stored only on nominated corporate cloud servers or platforms and never saved locally to a personal device.
Understanding how to comply with a DSAR made by employees and other data subjects can be complex, and you should seek independent legal advice if you are unsure of your response.
Katherine Sainty, Director
Sainty Law, Sydney