Multinational business – managing privacy obligations relating to employee information



As businesses expand across country borders and human resource (HR) and payroll functions are globalised, employee information is increasingly transmitted and stored overseas, and privacy obligations relating to employee information become more complex.

Multinational businesses

Within multinational businesses, employee information is likely to be held at numerous locations (eg national office, HR location, payroll office and head office), and may be transmitted or available in electronic form to various persons within the business (including its related entities). Employees may be unaware that their information has been transmitted outside of their local office or home country, or that such information is available to or held by entities related to their employer.

Relevant privacy obligations

Multinational employers need to ensure that they comply with privacy laws and their own internal privacy policies which relate to employee information obtained from each location where employees work. While privacy laws differ from country to country, often they are based on the same principles, as outlined below.

In some countries, the cross-border sharing of employee information may be considered a breach of privacy and of local law. Transmission of employee information may be allowed where consent has been obtained from the employee, or permission has been obtained from the relevant privacy authority. Some countries require the country receiving employee information to have equivalent privacy laws to the country of origin, or if not, for the employer to have privacy protocols in place that reflect the country of origin’s privacy laws.

Australia’s privacy law

The Privacy Act 1998 (the Act) is the primary legislation in Australia relating to privacy, although privacy legislation also exists at state level. The Act specifically excludes coverage for employee records, although it may be amended in future to remove this exception. While (subject to relevant state law) this exemption leaves flexibility for employee information to be used and transmitted across country borders within an employer, experience suggests that many Australian employees will expect to have their personal information protected from unnecessary dissemination or disclosure (including transmission overseas). Employers are advised to obtain employees’ consent to the transmission and storage of their personal information, and to have reasonable safeguards in place to prevent unnecessary disclosure.

Moving to a global privacy policy

Having a global privacy policy relating to employee information can ensure greater consistency in treatment of employee information across countries. While privacy laws differ (and some countries do not have privacy laws), a global policy will ensure that ‘best practice’ is adopted.

Employers should consider the following privacy principles when dealing with employees’ personal information as a matter of best practice:

  • collection – employee information should be obtained by lawful and fair means and, where appropriate, with the employee’s knowledge or consent
  • relevance – employee information gathered should be relevant to the purpose for which it will be used
  • accuracy – employee information should be kept accurate, complete and up to date
  • purpose – employees should be told the purpose for which information about them is gathered
  • use and disclosure – employee information should only be disclosed or made available for the purpose for which it was gathered, except with the consent of the employee or relevant authority
  • protection – information should be protected by reasonable safeguards against risk of unauthorised access, disclosure, loss, destruction or modification, and
  • access and correction – employees should be given reasonable access to information held about them and be able to request corrections.

A global privacy policy may need separate sections dealing with country or state-specific obligations to meet any requirements of local laws.

Ensuring compliance – privacy audit

A global privacy audit is a helpful means of measuring compliance with local law and company policies. An audit may identify actions that can be taken to reduce the risk of privacy breaches and prosecution.

Risk areas for multinational employers include:

  • unnecessary duplication of employee information across multiple sites, resulting in increased costs and inaccurate or incomplete records
  • unauthorised disclosure of employee information across country borders, and
  • insufficient safeguards to protect employee information from unauthorised disclosure and use, particularly where the information is in electronic form.

Employee consent

It is helpful to have the consent of each employee to the use and disclosure of their personal information within an employer and its related entities. Subject to local law, this may be incorporated into the employee’s employment agreement or may be signed as a separate document.

Contacts

Neil Napper
Partner
Employment law
Tel: +61 2 8266 6647

Christie McGregor
Senior Associate
Employment law
Tel: +61 2 8266 2606

