Circular 2007/2: The Privacy Act and employee information concerning Code of Conduct matters
Last updated: 06 Jul 2007
This page is: archived
This circular clarifies the circumstances in which information can be provided concerning Code of Conduct matters when APS employees move from one APS agency to another. The circular takes into account the Privacy Act 1988.
The APS Values, together with the Code of Conduct, provide an ethical framework for APS employees’ relationships with the Government, the public and colleagues, and their personal behaviour. APS employees who are suspected of having, or who have, breached the Code of Conduct should not be able to avoid misconduct action by moving agencies.
The circular provides advice on steps agencies can take to ensure that employees are reasonably likely to be aware of the circumstances in which Code of Conduct information may be disclosed to another APS agency, thus ensuring compliance with the Privacy Act.
The circular also covers steps an agency can take to gain a prospective employee’s consent to the release of Code of Conduct information from a current or former agency.
In each case, a judgment will need to be made about providing information concerning Code of Conduct matters to another agency. The receiving agency will also need to exercise judgment in using information that is provided to it, bearing in mind that it can be used only for the purposes for which it was collected. As part of making judgments about providing or using information, decision makers can only have regard to relevant information. Information on a record that is not relevant to the conduct at issue should be removed or blanked out before the information is used in an internal investigation or disclosed to another agency.
This circular should be read in conjunction with Handling Misconduct: A human resources practitioner’s guide to the reporting and handling of suspected and determined breaches of the APS Code of Conduct.
This circular provides general guidance. If an agency is in doubt as to whether it can lawfully release information to another agency in a particular case, it should seek legal advice. If an agency is in doubt about whether it can lawfully collect and use information in a particular case, it should seek legal advice.
This circular has been prepared in consultation with the Office of the Privacy Commissioner.
The Privacy Act
The Privacy Act recognises that there is a legitimate need to meet people’s privacy expectations, in particular in relation to the collection, storage, access and correction, and use and disclosure of their personal information. Information concerning Code of Conduct investigations and their outcomes is regarded as personal information.
Meeting the requirements of the Information Privacy Principles
The Information Privacy Principles (IPPs) set out in section 14 of the Privacy Act govern the way personal information is both ‘used’ (e.g. IPP 10) and ‘disclosed’ (e.g. IPP 11). Those two principles provide that personal information will only be used or disclosed for the purpose for which it was obtained, and that personal information will not be used or disclosed for the purposes other than for which it was obtained, except in certain specified circumstances.
IPP 10 sets out the specific circumstances in which agencies may use information for another purpose including with the consent of the individual (IPP 10.1(a)) or where the purpose is directly related to the purpose for which the information was obtained (IPP 10.1 (e)).
IPP 11 sets out the specific circumstances under which an agency can disclose information including where the individual is reasonably likely to have been aware or made aware (IPP 11.1(a) or with (informed and free) consent (IPP 11.1(b).
Making the employee aware – IPP 11 and IPP 2 notices
Information can be disclosed where there has been clear advice available to employees on an agency’s policies and practices for use and/or disclosure of Code of Conduct information. If an employee is aware (or is reasonably likely to be aware) of the bodies or persons to whom it is the agency’s usual practice to disclose Code of Conduct information, and the circumstances in which such information would usually be disclosed (for example, for employment related purposes), the disclosure will be consistent with the IPPs and the Privacy Act.
Agencies should therefore take steps to make APS employees aware upon commencing employment with an agency as to the potential disclosure of Code of Conduct information (for example, by including information in personal information collection forms, induction materials and programs).
Where this process is thorough, it can cover employees who have been notified that they are under investigation, as well as employees who are the subject of allegations that have not yet been addressed. Attachment A provides a suggested form of words agencies can use to notify employees.
Where an agency proposes to disclose information concerning an investigation into a breach of the Code of Conduct and its outcomes to another agency for employment related purposes, it is good practice to give the employee concerned the opportunity to comment prior to release and to address, for example, why the disclosure of their personal information is not appropriate or would be unfair. This is a matter of courtesy. The agency does not need the employee’s consent to pass the information to another agency.
General availability of information
Agencies need to ensure that their policies and procedures on collecting, using and disclosing personal information (including Code of Conduct information) are readily accessible to all employees. This can be achieved by, for example:
- having policies and practices for people management and for the handling of personal information (privacy) available online, such as on agency Intranet sites
- advising employees in the guidance material on handling misconduct that information concerning Code of Conduct matters may be disclosed to another agency for employment related purposes
- reminders, for example, online messages at logon
- conducting awareness raising and training activities on the APS Values and Code of Conduct and expected standards of behaviour
- reminding employees who are the subject of Code of Conduct allegations or investigations that information relating to the matter (and its outcome, if any) may be released to another agency for employment related purposes.
Seeking consent to disclosure of information - IPP 10.1(a) and IPP 11.1(b)
An APS agency that is considering employing a current or former employee of another APS agency could seek the (prospective) employee’s consent, as part of the pre-engagement or movement checking process, to the agency seeking information about suspected or determined misconduct and any Code of Conduct processes from, and disclosure by, the person’s current or former agency.
Agencies should consider advising in their applicant information packs that this information may be requested if there are concerns raised about the applicant’s conduct from information provided during the selection process.
If an agency want to use exceptions IPP 10.1(a) and IPP 11.1(b) then the person the information is about must be informed about and freely consent to the use or disclosure of their information. A ’consent’ from a person who has or reasonably believes they have no real choice but to consent (for example if they are told that the job offer may depend on their giving consent to the disclosure) is not adequate for exceptions under IPPs 10.1(a) or 11.1(b).
Agencies need to be able to demonstrate that the person the information is about:
- is accurately informed of what they are consenting to, or
- can reasonably be assumed to understand what they are consenting to, at the time they consent and
- is aware of the consequences.
Agencies should note that if the individual from whom they are obtaining consent has no practical alternative but to consent then the consent is not freely given.
Use of disclosed information
Information about Code of Conduct matters could be disclosed by the employee’s old agency, and used, where relevant, by the new agency for employment related purposes, such as:
- recruitment decisions, including whether the employee has the relevant work related qualities for the particular duties;
- ensuring the employee satisfies conditions of engagement, including conditions dealing with probation, or security and character clearances; and/or
- considering the need to make decisions about investigating and determining whether there has been a breach of the Code of Conduct in the former agency or imposing sanctions for a determined breach (where the employee moves from the APS agency).
Secure handling of the information (IPP 4)
Agencies need to ensure that employees’ personal information concerning Code of Conduct matters is used and disclosed on a strict ‘need to know’ basis. Only those employees with a direct interest in the information for a relevant purpose for which the information was collected (eg selection delegate, head of human resources, misconduct investigator and/or decision maker, or sanction delegate) should be able to access such records.
Agencies also need to develop policies and guidelines to ensure that information is disclosed only by employees authorised to do so. If information is inappropriately released, the agency may be held accountable, even though it was unaware of, and did not authorise, the disclosure (see, for example, M v Australian Government Agency  PrivCmrA 10 ).
The attached flowchart (at B) sets out an example of good practice in sharing personal information concerning Code of Conduct matters between APS agencies. The scenarios at Attachment C provide illustrative examples of circumstances in which it is appropriate and inappropriate for such information to be passed between agencies.
The Office of the Privacy Commissioner has issued advisory guidelines to the Information Privacy Principles (available at www.privacy.gov.au/act/guidelines/index.html#3.4).
Agencies should have regard to the Australian Public Service Commission’s guidance on setting Conditions of Engagement when engaging new APS employees, including former employees who have resigned or retired (available at: www.apsc.gov.au/publications09/conditions.htm).
Selection panels, supervisors and referees should refer to the Commission’s guidance on having regard to, or providing, information about breaches of the Code of Conduct in selection processes in the Handling Misconduct good practice and summary guides (a copy of the summary guide is enclosed. Both good practice and summary guides are available at www.apsc.gov.au/publications07/misconduct.htm ).
Questions on this circular should be directed, in the first instance, to agencies' central corporate areas with responsibility for human resource functions. Agencies' central corporate areas with questions on this circular should contact the Commission’s Employment Policy Adviceline—e-mail firstname.lastname@example.org. It may be appropriate for more complex or sensitive queries to be dealt with in writing.
6 July 2007
Notice to employees of the bodies or persons to which it is the agency’s usual practice to disclose employees’ personal information concerning Code of Conduct matters, and the circumstances in which such information would usually be disclosed, could be provided in the following terms.
- are found to have breached the Code of Conduct and been sanctioned and subsequently leave <agency name>; or
- are found to have breached the Code of Conduct and leave <agency name> before a decision about imposing a sanction is made; or
- become the subject of a conduct allegation and leave <agency name> before the matter is resolved,
then information about the breach or allegation may be disclosed to any prospective or new employing APS agency.
It is the usual practice of <agency name> to pass such information to another agency where <agency name> believes that the information might be relevant to employment related decisions which might need to be considered or made by the other agency, including:
- recruitment decisions;
- decisions as to whether or not you have breached the Code and whether or not you should be sanctioned for any Breach that is determined; and
- decisions as to whether or not you should be sanctioned in relation to a breach of the Code.
Example of good practice for sharing of personal information
Step 1: Agency X makes all staff aware that information regarding misconduct may (in certain circumstances) be provided to another APS agency (IPP2)
Step 2: Agency Y tells all job applicants that it may seek information about their conduct (amongst other things) from their current or former employers
Step 3: During the recruitment process agency Y has concerns raised (by information provided by P or P’s referees) about P’s conduct in a previous or current job
Step 4: Agency Y is likely to make a job offer to P so requests the free and informed consent of P to seek information from their former or current employer about their conduct (IPP11b)
This augments agency X’s steps to make employees aware of the way their information may be used amongst agencies. If agency X has not taken that step, agency Y can still seek the information they required if they are given free and informed consent from P
Is consent given?
Consent given: Agency X provides the information to agency Y for employment related purposes, i.e.
- Investigate and sanction (where no, or incomplete investigation occurred in agency X)
- Sanction (where completed investigation in agency X)
Consent not given but staff made aware:
Step A: If agency X has made all staff aware that information regarding misconduct may (in certain circumstances) be provided to another APS agency (IPP2)
Step B: Agency X provides information to agency Y
Step C: Agency Y uses information for purpose(s) sought
Agency Y must apply the rules of natural justice / procedural fairness
Consent not given and staff not made aware:
Step A: If agency X has not made all staff aware that information regarding misconduct may (in certain circumstances) be provided to another APS agency (IPP2)
Step B: Information cannot be passed from agency X to agency Y
Step C: Agency Y makes decision(s) on the basis of the information already available
Agency Y must apply the rules of natural justice / procedural fairness
Scenario 1 – the individual concerned consented to the release of personal information concerning a Code of Conduct matter (IPP 11.1 (b) satisfied)
Lee works in agency Y and is being considered for a move to agency X. During the interview, Lee’s response to a question raised a concern about conduct. One of Lee’s referees also indicated that there was an issue of concern that was under investigation, but had not been finalised. Agency X gave Lee a chance to comment on the matter.
Agency X continued with the selection process and the delegate decided to offer Lee a position. The letter of offer from agency X’s HR delegate was conditional on Lee consenting to agency X seeking information from agency Y, and agency Y releasing information, concerning Lee’s conduct. Lee agreed and commenced employment with agency X.
The agency head’s delegate in agency X considered Lee’s conduct file and decided that no further action on investigating Lee’s suspected misconduct was warranted as the alleged behaviour was minor and would likely not result in a sanction, but should be dealt with as part of performance management. Lee and Lee’s manager agreed on performance targets and development strategies to improve Lee’s conduct.
In this case, Lee’s suspected misconduct was taken into account in both the recruitment process and in agency X making a decision on whether to investigate Lee’s suspected misconduct.
Scenario 2 – individual made aware that personal information concerning Code of Conduct matters may be provided to another agency (IPP 11.1 (a) satisfied)
Ashley worked in agency C. Agency C has a policy of providing employment related information to other agencies. Agency C has taken steps to make sure all its employees are aware of this policy and the circumstances in which personal information may be passed to another agency.
Ashley has been the subject of a Code of Conduct investigation. At the beginning of the investigation, Ashley was reminded of agency C’s policy concerning passing misconduct information to other agencies. The investigation was completed and Ashley was advised, in the final week of Ashley’s employment with agency C, before taking leave prior to moving to agency D that the decision maker had found that Ashley had breached the Code of Conduct. The sanction delegate in agency C had not determined and advised Ashley of the sanction to be imposed before Ashley left.
The agency head’s delegate in agency C, in response to a request from agency D, provided information to the HR manager in agency D, concerning Ashley’s breach of the Code of Conduct.
Under agency D’s policy, the sanction delegate considered the matter and determined an appropriate sanction (a fine) was warranted. The sanction delegate informed Ashley of the reasons for determining a sanction and the opportunity to comment and provide further information, before finalising the decision and imposing the sanction.
In this case, Ashley’s misconduct was taken into account only in determining an appropriate sanction.
Scenario 3 – individual neither aware, nor gave consent to, personal information being provided concerning Code of Conduct matters (IPP 11.1 (a) and (b) not satisfied)
Lesley worked in agency G. Agency G did not advise its employees that personal information relating to Code of Conduct matters may be released to another agency for employment related purposes.
Lesley was found to have breached the Code of Conduct and a sanction of reduction in classification imposed.
Lesley was promoted to a position in agency H (which overrode the sanction in agency G).
Agency H’s HR manager learnt about Lesley’s prior misconduct from agency G’s HR area through informal channels and passed the information onto Lesley’s manager. Lesley’s consent was not sought at any stage.
The manager raised the issue with Lesley who was shocked to find that information had been given to the manager without any forewarning that it might be released by agency G or requested and used by agency H.
In this case, neither agency G nor agency H has complied with the relevant Information Privacy Principles set out in the Privacy Act.
Agency G has not taken steps to make sure that its employees would be aware that personal information about Code of Conduct matters would be passed to another agency. Even if it had made employees aware that such information may be passed, agency G has not used appropriate and authorised channels for providing such information.
Agency H has not sought Lesley’s consent to its acquiring, and to agency G releasing, Lesley’s personal information.
The effects of non-compliance with the IPPs is that:
- agency H cannot use the information it has acquired about Lesley’s breach of the Code of Conduct
- Lesley could raise the inappropriate release and use of the information with either or both agencies. If dissatisfied with the response(s), Leslie may be able to seek redress from the Federal Privacy Commissioner for the inappropriate release and use of the information.