Purpose of this guidance
The purpose of this guidance is to assist Australian Public Service (APS) agencies to understand how regulation 9.2 of the Public Service Regulations 1999 (the Regulations) affects their ability to use and disclose the personal information of their employees, within their agencies and with other APS agencies.
This guidance has been prepared following consultation with the Office of the Australian Information Commissioner (OAIC).
This guidance replaces Commission Advice 2013/14: Use and disclosure of employee information.
Regulation 9.2 provides agencies with significant flexibility in the use and disclosure of personal information, including very sensitive personal information, of their employees. The personal information of employees should be used or disclosed carefully. Generally, personal information should not be used or disclosed for a reason other than that for which it was collected.
In deciding whether disclosure of personal information is relevant or necessary to an employer power, agencies might consider:
- Is the disclosure or use of the information genuinely necessary or relevant to the matter under consideration?
- If so, how much of that information is actually relevant or necessary? Some of the personal information in a document may be relevant or necessary to a particular matter, but the document may contain other personal information that is not. Agencies will need to be careful to ensure that only that part of the material that is genuinely relevant or necessary to the exercise of the employer power is used or disclosed. Use or disclosure of the balance of the material may not be permitted by the Australian Privacy Principles (APPs).
- Is the agency considering the exercise of an employer power?
- Is the use or disclosure justifiable in the circumstances? Some employer powers and employment decisions are more important than others, and some personal information is more sensitive than other information. There may be occasions where the power being exercised is of a relatively minor character and a reasonable person would form a view that it did not justify the disclosure of sensitive personal information. This will always be a matter for judgement by the delegate.
The use and disclosure of employees' personal information requires careful, balanced consideration in each case. On one hand, employees have a right to expect that their personal information is held in confidence and only used or disclosed for proper, defensible reasons. On the other, APS agencies need to be able to:
- use information they hold about their employees to make employment decisions that are lawful, sensible and based on the available evidence, and
- disclose employee information to other APS agencies to support their decision-making.
Scope of regulation
Section 72E of the Public Service Act 1999 (the Public Service Act) authorises the making of regulations relating to the use and disclosure of personal information in certain circumstances.
Regulation 9.2 authorises the use and disclosure of employees' personal information.
Regulation 9.2 provides an authorisation for the use and disclosure of employees' personal information in accordance with APP 6.2(b).
Regulation 9.2 provides that an agency head or delegate may:
- Use personal information in their possession or control where the use is necessary or relevant to the agency head's employer powers, and
- Disclose personal information in their possession or control where the disclosure is necessary or relevant to the agency head's employer powers, or the employer powers of another agency head, or the powers or functions of the Australian Public Service Commissioner, the Merit Protection Commissioner, or an Independent Selection Advisory Committee.
Relationship with the Privacy Act
Schedule 1 of the Privacy Act 1988 (the Privacy Act) contains the APPs that regulate how APS agencies must deal with personal information.
The key provision in the Privacy Act governing the use and disclosure of personal information is APP 6. The starting point for this Principle is that agencies should generally only use or disclose personal information about an individual for the particular purpose for which it was collected (the 'primary purpose') unless a permitted exception applies.
If an agency wishes to use or disclose information for a purpose other than that for which it was collected (a 'secondary purpose') then it must obtain the consent of the individual or determine whether a relevant exception applies.
APP 6.2(b) provides an exception that allows the use or disclosure of information for a secondary purpose where that use or disclosure is authorised by or under an Australian law.
In the context of the Public Service Act and Regulations, 'personal information', 'sensitive personal information', 'use', 'disclosure' and 'collection' have the same meaning as in the Privacy Act and Australian Privacy Principles Guidelines (the Guidelines). The Guidelines describe the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.
What does 'use' mean in regulation 9.2?
Generally, an agency will 'use' an employee's personal information when it handles and manages information that is within the agency's possession or control. This includes searching records for any reason; using personal information in a record to make a decision; and passing a record from one part of an agency to another part with a different function.
What does 'disclose' mean in regulation 9.2?
An agency 'discloses' personal information when it makes the information accessible to others outside the agency. It is not always necessary to distinguish the concepts of 'use' and 'disclosure', as many of the same requirements apply to both. 'Disclosure' under regulation 9.2 will generally only be made to another APS agency and not, for example, to a member of the general public.
What are 'employer powers'?
Regulation 9.2 authorises the use and disclosure of personal information by agency heads where it is necessary or relevant to their employer powers. The Regulations define 'employer powers' as the rights, duties and powers of the agency head under the Public Service Act.
This includes engagement of employees, determining the terms and conditions of employment, assignment of duties, moves between agencies and other selection decisions, termination of employment, investigations into alleged misconduct and the imposition of sanctions for misconduct.
The duties of an agency head also include responsibilities to comply with the Code of Conduct and to uphold and promote the APS Values and Employment Principles. This includes, for example, responsibilities to:
- provide flexible, safe and rewarding workplaces
- provide workplaces that are free from patronage and favouritism.
In some circumstances, the use or disclosure of personal information may be necessary or relevant for reasons other than those for which it was collected.
In addition to the powers specified in the Public Service Act, Division 3.1 of the Regulations provides a non-exhaustive list of the employer powers of agency heads:
- imposing a health clearance as a condition of engagement
- directing an employee to attend a medical examination in certain circumstances
- approval of schemes for non-ongoing APS employees to gain skills and experience
- engaging employees (ongoing, non-ongoing, SES and non-SES employees), and
- suspending employees from duties.
What does the regulation mean by 'necessary or relevant'?
Regulation 9.2 authorises the use or disclosure of personal information where it is necessary or relevant for certain purposes.
Something is 'necessary' where it is reasonably appropriate and adapted, rather than essential or indispensable. A use or disclosure will not be considered 'necessary' if it is just helpful, desirable or convenient.
A use or disclosure of personal information may be 'relevant' to a power or function under the Act where the use or disclosure might reasonably be considered to have a bearing on it in all the circumstances.
It may be helpful for agencies to consider whether the use or disclosure of information would make a difference to the decision being made or the action being taken. If it would, then it is likely that the use or disclosure would be necessary or relevant.
Where it is clear to an agency that a use or disclosure of information is authorised under regulation 9.2, agencies may proceed to do so. In cases where there is some uncertainty, it may be advisable for agencies to seek consent from the employee to the use or disclosure of the relevant information.
Consent from the employee will permit that use or disclosure under the APPs.
Seeking that consent is consistent with acting toward them with respect and courtesy, and provides the person with an opportunity to raise any concerns that he or she may have about the use or disclosure for the delegate to consider.
If the employee withholds or withdraws consent it does not necessarily prevent the subsequent use or disclosure by the agency. Regulation 9.2, or one of the other exceptions available under APP 6, may still authorise the use or disclosure.
What do 'use' and 'disclose' cover in practice?
As one employer, the Commonwealth will from time to time need to share information about its employees both within and between agencies. Regulation 9.2 provides authority for an agency head to use or disclose personal information where it is necessary or relevant to the exercise of their employer powers.
Examples of 'use' of personal information may include:
- accessing and reading the information
- searching records for the information
- making a decision based on the information, and
- passing the information from one part of the agency to another.
As well as the general examples of 'use' outlined above, regulation 9.2 may also authorise the use or disclosure of personal information where that is necessary or relevant to the exercise of an employer power such as:
- recruitment and selection decisions, including:
- the use of personal information such as conduct, performance or health records for internal recruitment, and
- disclosure of personal information to another agency, such as providing a referee report, conduct-related information, or performance-related information about a current or former employee.
- security clearances, including:
- use of information about an employee such as conduct records, conflict of interest declarations, or police checks to manage risks particular to individual employees, and
- disclosure of personal information to agencies with responsibility for making security assessments.
- performance management processes, including the use of building access and attendance records, medical histories, internet browsing records, system access monitoring, and referee reports.
- Code of Conduct processes, including
- the use of information such as building access and attendance records, medical histories, internet browsing records, previous decisions about breaches of the Code of Conduct and any sanctions imposed, and
- the disclosure of information such as information about previous warnings or counselling given to a former employee of the agency, misconduct and sanction decisions, or information about a former employee's conduct that is relevant to a conduct inquiry being conducted by their current agency.
APP 5 requires agencies to take reasonable steps to advise employees at the time of collecting their personal information why the information is being collected and how that information may subsequently be used or disclosed. In many cases, this advice will take the form of a written collection notice. The collection notice should provide evidence of the primary purpose of collection.
It is open to agencies to use those collection notices to specify that the personal information that is being collected may be used or disclosed for a variety of purposes including, for example, where it is necessary or relevant to the exercise of any employer power. A collection notice of this kind would help agencies to establish that they may use or disclose the information for the purposes set out in the notice. The notice can help the agency show that the employee has consented to, or would reasonably expect, those uses or disclosures.
This would be in addition to the power available to them under regulation 9.2.
Agencies may also include a notice in pre-employment information provided to prospective employees informing them of the circumstances in which their personal information may be used or disclosed by the agency.