What employers need to know about employee data protection—from GDPR to US laws

Published

Mar 19, 2024

Not a week goes by without another data breach making the headlines. If hackers gain access to your confidential information, they can steal identities, extort you and your employees, and leave your business in serious legal jeopardy.

While every employer needs to collect confidential information from employees—for things like payroll, taxes, and health insurance—it’s your responsibility to keep their information safe. Implementing a robust data protection plan can help protect your workers and build their trust. But, the specifics around protecting their data will depend on where you and your employees are located. 

Data protection in Australia is primarily governed by the federal Privacy Act 1988. This act includes the Australian Privacy Principles (APPs), which apply broadly to organisations across the country and set out how they must handle personal information. However, being an Australian-based company doesn’t necessarily exempt you from data protection laws in other countries, such as the United Kingdom’s and the European Union’s General Data Protection Regulation, India’s Digital Personal Data Protection Bill and China’s Personal Information Protection Law.

Read on for an easy guide on safeguarding employee data, complying with privacy regulations, and reducing your liability as an international employer.

What is employee data protection?

Employee data protection means ensuring your employees’ personal data is safe and secure, especially from third-party breaches. 

However, complying with privacy laws and maintaining data security also limits how much employee data an employer may collect. Most privacy laws only allow you to collect data that is strictly necessary. In most cases, employees must be told how their data is being used and given a say in it. Retention policies (how long you may keep data before destroying it) may also be required, particularly for the data of former employees.

As an Australian-based employer, remember that international regulations will apply to you if you have employees in other countries. For example, Australian companies hiring employees in Germany or France need to comply with the EU’s GDPR. 

What data do employers need to protect?

Employers are responsible for protecting the following kinds of employee data:

  • Name
  • Address
  • Phone number
  • Date of birth
  • Tax File Number
  • Sex and gender
  • Sexual orientation
  • Race
  • Marital/family status 
  • Banking information
  • Medical information
  • Employment history
  • Results of background checks
  • Performance reviews and other HR files (information from job applicants like resumes)
  • Disability status
  • Citizenship
  • National origin
  • Any identifying information

Keep in mind that different jurisdictions may protect varying kinds of information.

Which employee data protection laws apply in Australia?

Data protection laws in Australia are a mix of federal and state regulations. These are the primary laws to keep in mind: 

  • Privacy Act 1988 and Australian Privacy Principles (APPs): Applicable to most government agencies and organisations with an annual turnover exceeding AUD 3 million, as well as all private health service providers, the APPs regulate the collection, use, and disclosure of personal information. Employers are required to manage employee data according to these principles, ensuring that personal information is collected lawfully, used appropriately, and kept securely.
  • Health Records and Information Privacy Act (HRIPA): In certain states, such as New South Wales, this specific act governs the handling of health information. It sets standards for the privacy and security of health information, which employers must adhere to when managing health-related employee data.
  • Disability Discrimination Act 1992 (DDA): This act prohibits discrimination against individuals with disabilities in various domains, including employment. Employers are required to make reasonable adjustments for employees with disabilities and must manage any related information with high confidentiality and care.
  • Workplace Surveillance Act 2005: In states like New South Wales, this legislation governs the surveillance of employees in the workplace, including computer, email, and camera surveillance. Employers must provide explicit notification and obtain consent before any monitoring can begin. Other states may have their own guidelines or lack specific legislation in this area, thus defaulting to the broader privacy standards set by federal law.
  • Fair Work Act 2009: While primarily a labour law, this act touches on privacy concerning employer obligations towards employee rights and protections, including how personal information is managed in employment records. 

These federal and state laws ensure that employee data is protected and that privacy is maintained throughout their employment lifecycle, from recruitment to termination and beyond. Employers who fail to protect private data can be fined and liable for damages.

What about my European employees?

Europe’s robust General Data Protection Regulation (GDPR) protects personal data in the 27 member states of the European Union plus countries in the European Economic Area. The goal of the GDPR is to give EU citizens and residents more control over how their data is collected, used, and protected online. The regulation also applies strict rules on how organisations collect, use, and secure personal data.

Because the GDPR applies to EU citizens and residents, it also applies to organisations outside the EU if they handle EU data (extra-territorial effect). This includes Australian employers who recruit and hire EU citizens and residents. Whether the role is full-time or contract, Australian employers have to comply with the GDPR if they process the personal data of EU citizens.

Here are some things to keep in mind if your company is subject to the GDPR:

  • Inform EU citizens that you’re collecting their data and provide a reason as to why. This can be done in your privacy notice.
  • Perform a data protection impact assessment (DPIA) to reduce risks and improve protection.
  • Designate a data protection officer (especially for larger companies) to oversee security and compliance.
  • Appoint a representative in the EU, if required.
  • Put adequate safeguards in place before transferring employee records and data to a country outside the EU.
  • Prove compliance with the GDPR. This means keeping detailed records of the data you’re obtaining, where it’s stored, how it’s used, and who’s responsible for it.

If you fail to comply with the GDPR, you might face significant fines of EUR 20,000,000 (AUD 33,120,133) or more.

7 steps to protecting your employee data

Protecting your employee data can be complicated (and understandably so). If you follow the steps below, you’ll be well on your way to ensuring the security of your employee data.

1. Know the law

Knowing your data handling responsibilities is critical to creating a protection plan. Doing business in other states and countries adds an extra layer of complexity, so be sure to keep track of applicable regulations—on the federal, state, and local levels.

2. Establish data privacy policies and security measures

Be aware of what you’re collecting, who you’re collecting it from, and where you’re storing it. Establish policies that cover your data protection plan and institute specific security measures.

Here are some measures you can take:

  • Limit employee access to data: Follow the principle of least privilege, and allow employees to access only the information they need for their job.
  • Secure physical devices: Company phones and laptops should have strong passwords (or require biometric access), and you should be able to erase devices remotely.
  • Encrypt data: Use encryption on servers and devices, and when transferring data.

You should be transparent with your employees about your data security. If they know what you’re collecting and how you’re keeping their data safe, it will help build trust in the long run.

3. Limit access only to necessary parties

Only people who absolutely need to access confidential data (for example, HR employees) should be able to reach it. Enable controls like multi-factor authentication and review your security procedures on a regular basis.

4. Screen employees with access to sensitive data

If you plan to give employees access to sensitive company data, screen them beforehand. Have them sign an agreement outlining their responsibilities and the penalties for mishandling data. Frequently review who has access and revoke the credentials of anyone who no longer needs it or has left the company.
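Steps 2 to 4 above (least privilege, restricting access to the people who need it, and revoking access when someone leaves) can be made concrete in code. The following is an added example, not code from the article or from Rippling: a deny-by-default, field-level access policy over a constructed, fictional employee record, with revocation and an audit trail that records which fields were requested but never their values. The role names, field names and sample values are assumptions made for this illustration.

```python
# Added example (not Rippling's code): least-privilege, field-level access to
# employee records with a deny-by-default policy, revocation and an audit trail.
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample HR record (fictional person and fictional values).
EMPLOYEES = {
    "E1001": {
        "name": "Alex Example",
        "address": "1 Sample St, Sydney NSW",
        "tax_file_number": "123 456 782",
        "bank_account": "BSB 062-000 Acct 12345678",
        "medical_notes": "Requires adjustable desk (DDA adjustment)",
        "performance_review": "Exceeds expectations (FY24)",
    }
}

# Deny-by-default policy: a role may read only the fields listed for it.
# A role that is not listed here can read nothing at all.
FIELD_POLICY = {
    "hr": {"name", "address", "tax_file_number", "bank_account", "medical_notes"},
    "payroll": {"name", "tax_file_number", "bank_account"},
    "manager": {"name", "performance_review"},
    "it_support": {"name"},
}

# Fields whose values must never appear in plain text in logs or on screen.
SENSITIVE = {"tax_file_number", "bank_account", "medical_notes"}


@dataclass
class Principal:
    user_id: str
    role: str
    active: bool = True  # False once the person leaves or no longer needs access


class AccessDenied(PermissionError):
    pass


AUDIT_LOG: list[dict] = []


def _audit(principal, employee_id, fields, outcome):
    # Only field *names* are logged, never values, so the log is safe to retain.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": principal.user_id,
        "role": principal.role,
        "employee": employee_id,
        "fields": sorted(fields),
        "outcome": outcome,
    })


def read_employee(principal, employee_id, fields):
    """Return the requested fields, or raise AccessDenied. Every attempt is audited."""
    requested = set(fields)
    if not principal.active:
        _audit(principal, employee_id, requested, "denied: account revoked")
        raise AccessDenied(f"{principal.user_id}: access has been revoked")
    allowed = FIELD_POLICY.get(principal.role, set())
    not_allowed = requested - allowed
    if not_allowed:
        _audit(principal, employee_id, requested, f"denied: {sorted(not_allowed)}")
        raise AccessDenied(f"role {principal.role} may not read {sorted(not_allowed)}")
    record = EMPLOYEES[employee_id]
    _audit(principal, employee_id, requested, "ok")
    return {f: record[f] for f in fields}


def revoke(principal):
    """Step 4: disable access for someone who has left or changed role."""
    principal.active = False


def mask(field_name, value):
    """Display helper: show only the last three characters of a sensitive value."""
    if field_name in SENSITIVE:
        return "*" * (len(value) - 3) + value[-3:]
    return value


if __name__ == "__main__":
    payroll = Principal("u-payroll-1", "payroll")
    manager = Principal("u-mgr-1", "manager")
    tfn = read_employee(payroll, "E1001", ["tax_file_number"])["tax_file_number"]
    print("payroll sees TFN as", mask("tax_file_number", tfn))
    try:
        read_employee(manager, "E1001", ["tax_file_number"])  # managers never see a TFN
    except AccessDenied as err:
        print("blocked:", err)
    revoke(payroll)  # payroll officer leaves the company
    try:
        read_employee(payroll, "E1001", ["name"])  # even the name is now off limits
    except AccessDenied as err:
        print("blocked:", err)
    for entry in AUDIT_LOG:
        print(entry["user"], entry["fields"], entry["outcome"])
```

The policy is expressed as an allow-list per role, so adding a new field to a record changes nothing until someone explicitly grants it; this is what keeps the system at least privilege as it grows. The audit log records who asked for which fields and whether they got them, which is the evidence you need when reviewing access (step 4) or answering a regulator after an incident.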

5. Provide training to employees

The methods criminals use to steal data are constantly changing. They don’t just rely on breaking into your network; they can go after your employees directly, tricking them into clicking on a link in an email (phishing) or revealing information over the phone. Routinely training everyone in the organisation—not just those who work with sensitive data—can help strengthen data security.

6. Have a plan in place

Hacks happen. And if they do, you need to be prepared. Your company should have a plan in place detailing how to deal with the fallout. Like all security training, it should be revised frequently. Additionally, be sure to share the plan with relevant stakeholders across the organisation.

7. Choose the right software

The right software can aid in protecting sensitive data and securing employee devices. Choosing the right software for your company is paramount. It can manage access, help prevent security breaches, and ensure you comply with the necessary regulations that apply to your company.

When considering any software, ask yourself: Is it SOC 2 compliant? Does it automatically encrypt sensitive data like tax file numbers and bank details? Does it have strict access controls? Is the data hosted on a secure infrastructure provider?

Securing your employee data with Rippling

How do you deal with the overwhelming amount of employee information scattered across your organisation?

Rippling can pull together every bit of employee data from HR, IT, Finance, and third-party systems into one secure platform. With Rippling, you can automatically generate and safely share reports and reporting privileges with anyone in or outside your company. Everyone can get all the data they need in one place—without compromising on data security.

FAQs about employee data protection

What states have strict employee data privacy laws?

In Australia, the privacy laws are mostly uniform across all states and territories due to the overarching application of the federal Privacy Act 1988 and the Australian Privacy Principles (APPs) contained within it. Therefore, there isn’t one state that has significantly stricter privacy laws than others when it comes to private sector data handling, including employee data. The federal law sets a comprehensive baseline that applies nationally.

However, variations can occur in specific sectors or in relation to particular types of information. For example, when it comes to health records and personal health information, states like Victoria and New South Wales have additional legislation that provides further protections.

What is GDPR?

GDPR is the European Union’s General Data Protection Regulation, the strictest privacy law in the world. If your organisation targets or collects data from citizens or residents of the EU, GDPR compliance is a legal obligation. Violating the GDPR can result in fines of EUR 20,000,000 (AUD 33,120,133) or more.

What is a Data Protection Impact Assessment (DPIA), and when is it required?

A Data Protection Impact Assessment (DPIA) is a security audit that identifies the risks of processing personal data so they can be minimised as early as possible. According to the GDPR, conducting a DPIA is mandatory when data processing is assumed to pose a significant threat to the rights of individuals.

What other data privacy laws apply to my business?

Besides the Privacy Act 1988 and the Australian Privacy Principles, your business, if based in Australia, might also need to comply with several other relevant data privacy laws. The Spam Act 2003 regulates the sending of unsolicited commercial electronic messages, requiring businesses to obtain consent for marketing communications. The Telecommunications (Interception and Access) Act 1979 details provisions for accessing stored communications and telecommunications data, essential for businesses in or dealing with the telecommunications sector.

State-specific laws like the Health Records and Information Privacy Act 2002 in New South Wales and the Health Records Act 2001 in Victoria govern health information management, stipulating collection, use, and disclosure practices. Additionally, laws such as the Workplace Surveillance Act 2005 in New South Wales set out rules for workplace monitoring, including employee surveillance. Compliance with these laws helps ensure your data management practices are legal and ethical, safeguarding both your business and the privacy of individuals. If you’re processing data from EU citizens, you may have to comply with European regulations; the same goes for other states and countries.

Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. You should consult your own tax, legal, and accounting advisors before engaging in any related activities or transactions.

last edited: April 17, 2024

The Author

Doug Murray

A Vancouver-based B2B and business trends writer, Doug is a charter member of the global workforce, having lived and worked out of Scotland, Ireland, Mexico, Guatemala, Ghana and, of course, Canada.