Commission Advice 2013/14: Use and disclosure of employee information

Last updated: 16 May 2013

This page is: current

Use and disclosure of personal information

The Australian Public Service Commission (the Commission) has developed a series of advices to assist APS agencies to understand the changes made by the Public Service Amendment Act 2013 (the Amendment Act) to the Public Service Act 1999 (the Act) and the related changes to subordinate legislation. The advices are available on the Circulars and advices page of the Commission’s website.

This Advice informs agencies of changes to the Act and the Public Service Regulations 1999 (the Regulations) in respect of the use and disclosure of personal information in the employment context, and the action that agencies may need to take to implement the changes.

The commencement date for the changes to the Act and Regulations is 1 July 2013. The changes to the Act and Regulations will become Commonwealth law on that date. Agencies will need to take action to prepare for these changes before the commencement date.

Why are these changes being made?

Changes are being made to the Act and the Regulations to provide more certainty for Australian Public Service (APS) agencies as to the circumstances in which they may disclose personal information about their employees to other agencies, and the circumstances in which they may legitimately use personal information about employees within an agency.

Many agencies have detailed policies and procedures relating to the collection, storage, use and disclosure of personal information about employees. Clear advice to employees about what may happen to their personal information remains important, and the amendments to the Act and Regulations do not detract from agencies’ obligations under the Privacy Act 1988.

The amendments are intended to facilitate appropriate sharing of information within and between agencies, including information relating to Code of Conduct determinations and sanctions.

What changes are being made?

Details of the amendments to the Act and Regulations are provided in the Appendix to this Advice.

Changes in summary

The Amendment Act repeals section 76 of the Act and replaces it with new section 72E, which authorises the making of regulations relating to the use or disclosure of personal information (within the meaning of the Privacy Act 19881) in specific circumstances set out in the Regulations.

Regulation 9.2, as amended, effectively provides that an agency head may:

  • use personal information in their possession or control where the use is necessary or relevant to the agency head’s employer powers, and
  • disclose personal information in their possession or control where the disclosure is necessary or relevant to:
    • the agency head’s employer powers, or the employer powers of another agency head, or
    • the powers or functions of the Australian Public Service Commissioner (the Commissioner) or the Merit Protection Commissioner (the MPC), or the functions of an Independent Selection Advisory Committee (ISAC).

The definition of ‘employer powers’ in the Regulations has been amended to refer to the ‘rights, duties and powers of the agency head under the Act’. Regulation 9.2, as amended, also authorises use and disclosure of personal information by the Commissioner, and disclosure by the MPC, in certain circumstances.

New subregulations 9.2(7) and (8) provide that a use or disclosure of personal information in accordance with the Regulations is a use or disclosure ‘authorised by or under a law’ in accordance with Information Privacy Principle (IPP) 10.1(c) or IPP11.1(d) set out in section 14 of the Privacy Act.

Changes in detail

The changes to the Act and Regulations are intended primarily to provide more certainty to APS agencies about the circumstances in which they may disclose and use personal information.

Disclosure and use of employees’ personal information is legitimate in a wide range of circumstances under the existing framework (for example, as a result of agency policies, the application of common law principles applying to the employer-employee relationship, and other legislation). The amendments are intended to provide an additional source of authority, and provide clarity to agencies about the scope of what is authorised.

‘Necessary or relevant’

The Act and associated regulations in place before the amendments authorised the sharing of personal information in circumstances where it was ‘necessary’ for certain purposes. Regulation 9.2 has been amended to authorise explicitly the use or disclosure of personal information where it is necessary or relevant for certain purposes.

A use or disclosure of personal information may be relevant to a power or function under the Act where the use or disclosure might reasonably be considered to have a bearing on it in all the circumstances. The Macquarie Dictionary defines ‘relevant’ as ‘bearing upon or connected with the matter in hand; to the purpose; pertinent’.

Use of personal information

Regulation 9.2 provides that an agency head may use personal information in their possession or control where the use is necessary or relevant to the exercise of the agency head’s employer powers. The dictionary to the Regulations defines ‘employer powers’ to mean the rights, duties, and powers of an agency head under the Act. (This has been amended to cover all of an agency head’s employer powers, rather than only those in Part 4 of the Act.)

While use of employee personal information may be permitted under other sources of authority, new regulation 9.2 provides a further, arguably clearer source of authority for the use of personal information where that use is necessary or relevant to an agency head’s employer powers. Authorised use of personal information may include, for example:

  • use of employee misconduct information (e.g. decisions about breaches of the Code of Conduct and imposition of sanctions) for the purposes of internal recruitment, including promotion decisions or movements within agencies,
  • use of employee personal information obtained in recruitment processes to commence or inform Code of Conduct investigations, where relevant,
  • use of relevant employee personal information to monitor compliance with internal agency policies (e.g. use of log-in information to check attendance or whether an employee has been browsing client records),
  • use of relevant employee personal information to monitor inappropriate internet browsing;
  • use of relevant employee personal information for ensuring that employees satisfy conditions of engagement.

Subregulation 9.2(4) authorises the Commissioner to use personal information obtained as part of the Commissioner’s review or inquiry functions where it is necessary or relevant to a Code of Conduct inquiry undertaken by the Commissioner.

Disclosure of personal information

Regulation 9.2, as amended, clarifies certain circumstances in which personal information may be disclosed by an agency head, the Commissioner, and the MPC.

Agency heads are authorised under this regulation to disclose personal information in their possession or control if the disclosure is necessary or relevant to:

  • the exercise of their employer powers or the employer powers of another agency head,
  • the exercise of a power or function of the Commissioner or MPC, or
  • the functions of an ISAC.

The Commissioner is authorised to disclose personal information if the disclosure is necessary or relevant to an agency head’s consideration of alleged misconduct by an APS employee.

The Merit Protection Commissioner is authorised to disclose personal information obtained by the MPC in the course of a review of action (including through a Promotion Review Committee) where the disclosure is necessary or relevant to an agency head’s consideration of alleged misconduct by an APS employee.

Commissioner’s guidelines

New subregulation 9.2(6), which substantially replicates existing subregulation 9.2(3), provides for the Commissioner to issue guidelines after consultation with the Australian Information Commissioner. No such guidelines have been issued by the Commissioner to date. The Commissioner intends to issue guidelines under the new subregulation in the coming months to help agencies to understand more clearly when they may use or disclose employees’ personal information.

What do agencies need to do?

Before the amendments commence on 1 July 2013, agencies should review any policies, procedures, notices, and publications that refer to the use or disclosure of personal information, and consider whether they wish to update these to reflect the changes to the legislative framework.

What transition arrangements need to be put in place?

The provisions that commence on 1 July will operate alongside existing policies and procedures in each agency that concern the use and disclosure of personal information. When considering using or disclosing personal information after the new provisions commence, agencies will need to have regard to any commitments they have made to employees—through, for example, policies and notices (e.g. IPP 2 statements)—about what will be done with their personal information.

Agencies are encouraged to discuss these matters with their Privacy Contact Officers.

Further information

The Amendment Act, the Public Service Amendment Regulation 2013 and the Australian Public Service Commissioner’s Directions 2013 are available on the Comlaw website.

This Advice should be read in conjunction with:

Enquiries from agencies’ corporate services staff can be made by email at ethics@apsc.gov.au or by telephone on 02 6202 3737.

APS employees who have queries about how the changes will affect them are asked to contact the HR area in their agency.

 

Karin Fisher
Group Manager, Ethics
Australian Public Service Commission

May 2013

Appendix

Section 72E of the Public Service Act 1999, as amended by the Public Service Amendment Act 2013

72E Release of personal information

The regulations:

  1. may authorise the use or disclosure, in specific circumstances, of personal information (within the meaning of the Privacy Act 1988); and
  2. may impose restrictions on the collection, storage, access, further use or further disclosure of personal information used or disclosed under regulations made for the purposes of paragraph (a).

Note: The Freedom of Information Act 1982 and the Privacy Act 1988 have rules about the use and disclosure of personal information.

Regulation 9.2 of the Public Service Regulations 1999, as amended by the Public Service Amendment Regulation 2013

9.2 Use and disclosure of personal information (Act s 72E)

  • For paragraph 72E(a) of the Act, an Agency Head may use personal information in the possession, or under the control, of the Agency Head, if the use is necessary for, or relevant to, the performance or exercise of the employer powers of the Agency Head.
  • For paragraph 72E(a) of the Act, an Agency Head may disclose personal information in the possession, or under the control, of the Agency Head if the disclosure is necessary for, or relevant to:
    • the performance or exercise of the employer powers of the Agency Head or another Agency Head; or
    • the exercise of a power or performance of a function of the Australian Public Service Commissioner; or
    • the exercise of a power or performance of a function of the Merit Protection Commissioner; or
    • the performance of a function of an ISAC.
  • For paragraph 72E(a) of the Act, the Merit Protection Commissioner may disclose personal information in the possession, or under the control, of the Merit Protection Commissioner if:
    • the information was obtained by the Merit Protection Commissioner during the course of a PRC or review of action; and
    • the disclosure is necessary for, or relevant to, an Agency Head’s consideration of alleged misconduct by an APS employee.
  • For paragraph 72E(a) of the Act, the Australian Public Service Commissioner may use personal information in the possession, or under the control, of the Australian Public Service Commissioner if:
    • the information was obtained as part of the Australian Public Service Commissioner’s review or inquiry functions; and
    • the use is necessary for, or relevant to, an inquiry relating to the Code of Conduct conducted by the Australian Public Service Commissioner.
  • For paragraph 72E(a) of the Act, the Australian Public Service Commissioner may disclose personal information in the possession, or under the control, of the Australian Public Service Commissioner if:
    • the information was obtained as part of the Australian Public Service Commissioner’s review or inquiry functions; and
    • the disclosure is necessary for, or relevant to, an Agency Head’s consideration of alleged misconduct by an APS employee.
  • Use or disclosure under this regulation must be consistent with any guidelines issued by the Australian Public Service Commissioner after consultation with the Australian Information Commissioner performing the privacy functions.

Note: Privacy functions has the meaning given by section 9 of the Australian Information Commissioner Act 2010.

  • Use of personal information under this regulation is an authorised use for paragraph 1(c) of Information Privacy Principle 10 set out in section 14 of the Privacy Act 1988.
  • Disclosure of personal information under this regulation is an authorised disclosure for paragraph 1(d) of Information Privacy Principle 11 set out in section 14 of the Privacy Act 1988.

Note: The Freedom of Information Act 1982 and the Privacy Act 1988 have rules about the disclosure of personal information.


1 For further information about the meaning of ‘use’, ‘disclosure’ and ‘personal information’ see the definitions in section 6(1) of the Privacy Act 1988 and relevant guidelines issued by the Privacy Commissioner.

The term ‘use’ is interpreted broadly, and relates to managing personal information with an agency. As a general rule, any accessing by an agency of personal information in its control is a ‘use’. This includes searching records for any reason; using personal information in a record to make a decision; and passing a record from one part of an agency to another part with a different function.

Disclosure’ under the Privacy Act is a release of personal information from the effective control of the agency. An agency may release the personal information automatically, to a person or body that the agency knows has a general authority to access that personal information; or in response to a specific request.

(See Plain English Guidelines to Information Privacy Principles 8–11: Advice to agencies about using and disclosing personal information, Privacy Commissioner, November 1996, pp. 11–13.)