
Industrious Conversations: What employers need to know about new privacy law

26 June 2025

In this episode of Ashurst Legal Outlook, Employment partner Jennie Mansfield, is joined by Digital Economy partner Geoff McGrath, to unpack the introduction of a new statutory tort for serious invasions of privacy in Australia. This major legal development, effective from 11 June 2025, brings a new right of action for individuals and significant new compliance responsibilities for employers.

They explore key aspects of the tort, including:

  • What qualifies as a “serious” invasion

  • Employee surveillance and data monitoring

  • The limits of employee consent

  • Risks around third-party data sharing and AI use

Together, Jennie and Geoff outline how the new tort closes gaps left by the Privacy Act, particularly around employee records, and why employers need to rethink consent, transparency, and policy design.

They also highlight proactive steps organisations can take now, such as revisiting employment contracts, reviewing privacy policies, and updating staff training to reduce exposure and meet this new legal standard.

To listen to this and subscribe to future episodes of Industrious Conversations, search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify or your favourite podcast player. To find out more about the full range of Ashurst podcasts, visit ashurst.com/podcasts.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.

Transcript

Jennie Mansfield:

Hello and welcome to Ashurst Legal Outlook and the third episode in our Industrious Conversations series for 2025, bringing you insights into workplace developments in Australia from our leading Employment team at Ashurst. I'm Jennie Mansfield, a partner in our Employment practice in Sydney, and I'm joined by Geoff McGrath, a partner in our Australian Digital Economy practice, who specialises in privacy law. In this episode, we'll be talking about the implications for Australian employers of the new statutory tort for serious invasions of privacy, which came into effect on 11 June this year. Geoff, tell us about the new tort and what it's designed to protect. How is it different from current privacy laws?

Geoff McGrath:

Australia's introduction of the new statutory tort is basically a legal right of action that allows individuals to sue for serious invasions of privacy. Now this is a first on a few fronts: One, it's worth mentioning that employee records or employment records used for the purpose of employment aren't typically covered by the Privacy Act requirements due to an exemption under the Privacy Act. This right of action, however, is not limited by concepts under the Privacy Act, including the employee records exemption.

So for the first time, there is this broad right that individuals may be able to bring a claim under in relation to invasion of their privacy, including from the employment perspective.
Similarly, it's also a first for giving individuals a direct right to sue for an invasion of privacy or a breach of privacy, where previously they would need to go through the regulator. They used to need to make a complaint to the Information Commissioner and go through that process. The tort applies where there is a misuse of information or an intrusion upon seclusion that is either reckless or intentional, where the individual has a reasonable expectation of privacy and the invasion was serious. These concepts are quite flexible and it's likely that they'll start to apply to more things than you think. For example, the concept of misuse is very broad. It extends to things like storage or use of information and not just a very broad breach of information in a lot of other contexts.

Jennie Mansfield:

That is a significant change for HR professionals and employment lawyers as well to absorb. I think traditionally we've relied pretty heavily on the employee records exemption and treated privacy as a fairly limited issue, typically dealt with by getting upfront consents and employment contracts.

What do you think are the likely parameters of an employee's reasonable expectation of privacy when it comes to their workplace and their working activity?

Geoff McGrath:

That's a really interesting question because certainly there are aspects where an employee would not necessarily have a reasonable expectation of privacy when it comes to the workplace and when it comes to the activities they're undertaking within their employment capacity. However, particularly when we start to look at the intrusion upon seclusion aspect, this area could apply to things like employee surveillance where that surveillance starts to look at employees' private affairs. Now that could be surveillance via cameras, it could be data surveillance, it could be emails that are passed back and forth on a system that relate not to the employment relationship, but to the employee's personal activities. All of those types of activities could then be something that is outside of the employee's reasonable expectation of privacy and potentially a risk area under the new tort.

Jennie Mansfield:

You said there would need to be intent or recklessness. Is negligence enough to make an employer liable in this context?

Geoff McGrath:

Importantly, no. You're right, it does need to be either intentional or reckless, but the recklessness threshold is something that needs to be thought of quite carefully. It's a recklessness threshold that comes from the Commonwealth criminal code and there's a fair opportunity for recklessness to be established where an employer, for example, might have actually known about the potential for some kind of data breach or some kind of misuse of information in the past, there's evidence of knowledge of that particular risk or that potential of misuse, and the employer did not do anything to respond to it, or even potentially worse, knew about it and deliberately did not invest in particular steps that they could've taken, such as investing in cyber security measures that may have prevented a misuse under that tort.

Jennie Mansfield:

You talked about serious breach, so I take it that not every breach of privacy will be tortious. How do you see the limits of seriousness being set?

Geoff McGrath:

Yes, so the limits of seriousness, it's something that will certainly be dealt with through the courts as the tort is developed. There's not a huge amount that is set out in the legislation itself. This is a limb that will continue to be developed, but that important threshold is there, so we're not expecting that there would be an ability to make a claim for very minor limited breaches. However, the things that do come into account when you are looking at seriousness might be things that are relevant to the particular individual. If that individual has a particular risk or a particular vulnerability that you may be aware of, or there is some kind of concern that has been noted or you have records of, that's something that would go towards seriousness. There is also some commentary around the volume of information or the extent of a particular misuse, in particular where there's a major data breach. The fact that there's a large volume of information may well go to it being serious in and of itself.

Jennie Mansfield:

In the absence of case law, and looking forward to seeing how that develops, do you think there's room for employers to help to set the employee's expectation of what is reasonable? I'm thinking about those quite typical warnings that you see where an employer notes that employees shouldn't have an expectation of privacy when it comes to using their work email or perhaps their work mobile phone or other company IT systems. Is there an opportunity to be a bit proactive in explaining to employees what is and isn't regarded as private by the company?

Geoff McGrath:

I think there's definitely room to set some of those expectations. For example, being a bit more transparent about the activities that are undertaken and being clear about the limitations of what employees can and cannot do with their technology within the workplace, and then, where it's relevant, making sure that you have consent. Now, one of the defences under the statutory tort is that you have consent to the particular invasion of privacy so, where you have terms and conditions in place and where you have an employment agreement that does have consent to that particular activity, that may well protect you in the future against claims for that particular invasion of privacy.

Now, there's probably a limit to how broad those consents can be. The consent does need to relate specifically to the particular invasion of privacy and so, when we're starting to think about things like workplace surveillance type activities, you need to be clear about it. It needs to be known, and the consent needs to be voluntarily given as well. One thing that hasn't been tested in the Australian context, but has come up a couple of times in the UK context from a data protection and privacy perspective, is this argument that consent may not necessarily be fully voluntary from an employee perspective when the employee has no choice or has limited choice around whether or not they can consent to certain activities being undertaken.

Jennie Mansfield:

So the idea of perhaps just having a privacy policy for employees that spells out lots of examples may not be enough to achieve a consent, it's more about setting that reasonable expectation and evidence that employees were told not to have that expectation.

Geoff McGrath:

Correct, and I think it's both sides of the equation. It's having consents where you can get those consents and it's having that transparency or that information available to set the reasonable expectation in the first place.

Jennie Mansfield:

So just thinking through some of the very typical disclosures that employers might need to undertake when they're holding employee information, what about something like sharing information with an external payroll provider? Could that fall within the scope of the tort?

Geoff McGrath:

The sharing of that information would likely be something that you'd certainly try to get consent for, or look to ensure that there is a reasonable expectation that that type of information may well be shared as part of the usual provision of payroll activities and the management of the employment relationship. There's some of those things where perhaps the reasonable expectation is already there or if it's not, you could bolster that by, as you said, bringing in examples of the things that are taking place and the uses of information that are taking place at the moment.

Jennie Mansfield:

Yes, I think maybe what you're saying is transparency is the best cure, but perhaps in that case it's not a serious breach unless the external payroll provider does something untoward with it. It's all in the interest of getting people paid, so perhaps no one would raise a complaint about it in any case.

Geoff McGrath:

There might be an example though where information is being provided to a payroll provider or some other third party provider, the recruitment context here is relevant I think, but then the third party is using that to train an AI model or to use that information for other purposes where that isn't transparent to the employee. Those types of situations may well start to become a lot more problematic if there is no consent and there is no reasonable expectation that it would be happening. There may well be a reasonable expectation that CVs or pay information that is between me and my employer would be protected and only used in certain ways and, if it's being used in ways outside of that expectation, that's where it may well be an issue.

Jennie Mansfield:

What about a situation that we deal with quite typically, sharing information with a doctor for the purposes of an independent medical examination? I must say we're generally pretty careful to get consents around these things even under the existing legislation, but how would you tackle that with the tort hanging over us as well?

Geoff McGrath:

I think, again, that same piece around consent and transparency is really the key there. The combination of the two and ensuring that the information when it is shared or when responses from a doctor are collected, that is only being used for the specific purpose or the purpose for which it was consented to that the individual was made aware of.

Jennie Mansfield:

You mentioned workplace surveillance, which is interesting because in New South Wales and the ACT in particular, there's existing workplace surveillance legislation which requires employers to tell people what they're doing and get consents upfront. I think in other states it's less clear what the employer obligation is and what limits there are. What are some of the examples of data that's gathered through surveillance that could become subject to claims under the tort?

Geoff McGrath:

Well, when devices, laptops, phones, things like that are used in a dual sense – when there are personal aspects of someone's life being used on a laptop, on the phone and there are emails going back and forth or whatever it might be, those aspects and surveillance of those aspects may well be problematic if there is no layer of consent and notice. As you said with the ACT and New South Wales, there may well be that higher level where there's the consent required. I think perhaps in bringing in the tort, we bring the high water mark up to something similar for all other jurisdictions because the tort is under Federal legislation. It'll be available to anyone in any state in Australia.

Jennie Mansfield:

Yes, and it's framed more broadly and perhaps catches a more up-to-date set of circumstances than workplace surveillance legislation that came into effect 20 years ago in New South Wales. I don't think back then we anticipated how much data you could get from someone's mobile or even from their swipe card.

Geoff McGrath:

Oh, absolutely.

Jennie Mansfield:

What about something like a situation where you send your employees out to a third party site and the host wants vaccination records? Is that potentially problematic?

Geoff McGrath:

I think that is, again, potentially problematic, particularly where consents are not obtained or going back to the question that I'd mentioned before around circumstances where consents are not necessarily freely given as well. If that's something that an employee is being forced to give, employers really do need to think through, what are the other exceptions, and is there a circumstance here where it may be an invasion of privacy, it may be serious, and potentially a risk coming out from the statutory tort side. The risk might not necessarily be from the initial provision of that information, but there may well be additional risks if that information is retained and used for purposes that you didn't initially expect as well.

Jennie Mansfield:

Yes, I can see it's logical that if you're dealing with sensitive health information like vaccination records, you would be prudent to do something more than rely on a general consent in an employment contract. Speaking of contracts, what do you think employers should be doing now to guard against tort breaches and to make sure employees understand how their data might legitimately be used?

Geoff McGrath:

I think there is a point here where it should be important to start to look at your standard consents and any notices that you use in relation to employment onboarding in the employment contracts themselves, but then also expanding out to the policies and procedures that currently exist now. Because of the employee records exemption and the limited effect that the Privacy Act might have in the employment context, there may be areas in the employment context where perhaps you haven't had that full level of review around what information is being used, where it's being used, how it's being used, and how that is then being documented, whether it's in policies that are provided to individuals and whether there are other internal documents that allow you to understand how that information is being used.

With the statutory tort, it brings all of those particular areas under scrutiny and so the same level of review that you might have for external customer personal information or any other personal information from a third party, you should probably bring the same lens to the way that you're using employee information. I think it then comes back to those consents and the notices being transparent and being clear about what is actually happening so you can set that reasonable expectation around those activities.

Jennie Mansfield:

Yes, and I suppose that broad review dovetails quite neatly with the consideration you might have to do about how you're using AI-

Geoff McGrath:

Absolutely.

Jennie Mansfield:

In respect of employee records, have you talked to clients about that as well?

Geoff McGrath:

We have been and the use of AI is one that is particularly relevant here. I mentioned the example of a third party payroll provider or recruitment provider using AI, but it comes back down to that reasonable expectation, particularly where you already have large data stores from individuals and want to start to use AI in relation to that information. Well, when that information was originally collected, no one had in contemplation the fact that it might be used to train an AI model and create a new version of you, or whatever it might be, using this AI model. It's certainly something that from the Privacy Act perspective, is being looked at by the Privacy Commissioner in terms of how AI is being used, what's being trained and how it's being trained, but then also, and this is absolutely relevant under the statutory tort as well and relevant to the employment relationship, whether or not there is that reasonable expectation that information would be used for training an AI model or being input into an AI model. If not, do you have consents in place that are broad enough or specific enough to actually allow for that? A consent that simply says, 'we can use your information for whatever purpose,' may well not get you there, and it may be necessary to either obtain specific consents or be very clear through notices, through transparency and through policies that are provided to employees about what is happening or what is happening with their information in order to set the reasonable expectation that, "Hey, the information that I have provided to my employer may well be used in these AI use contexts."

Jennie Mansfield:

Well, it certainly sounds as though it's important to take a holistic approach, and rather than HR trying to look at this alone, there'd have to be a connection between the privacy team, the HR team, and potentially a lot of stakeholders within any organisation to make sure that they're not leaving gaps. You talked a little bit about training AI models, I suppose there's an important opportunity to train employees, not just to uplift awareness about how their data is used, but to make sure they don't breach the tort in their use on the job of other data that the employer handles.

Geoff McGrath:

I think that's absolutely right, and when we go back to one of the other limbs, that recklessness limb where there is an opportunity for the organisation to put in place practices, procedures or systems that allow you to prevent some of these things happening or some of these misuses of information happening, for example, then one of the measures that you might be expected to undertake would be employee training. Employees' knowledge and understanding should be lifted up to a level that would allow them to work in a way that doesn't breach the statutory tort unknowingly. That is one of the measures that is useful to include and would be a good argument, should there be a claim, to say, "Well, no, we haven't been reckless about this. There are all of these measures that we have put in place and we've been very specific" and not necessarily get it rising to the level of recklessness through the activities we've undertaken.

Jennie Mansfield:

Well, Geoff, thank you very much for uplifting my awareness and the awareness of our listeners about this particular aspect of compliance with privacy law and thank you to our audience for listening to this episode of Industrious Conversations on Ashurst Legal Outlook.

To hear more Ashurst podcasts and to ensure you don't miss any future episodes in our Industrious Conversations series, subscribe now on Apple Podcasts, Spotify, or your favourite podcast platform.

Also, please do reach out to our Employment team if you'd like to discuss this topic more. It's one that we're following closely and have a keen interest in, and we can certainly connect you with Geoff's team as well for the holistic sort of review we've been discussing.

We hope you'll join us next time as we continue to explore key workplace developments in Australia and hear insights from other members of our leading Employment and Privacy teams here at Ashurst. Until then, thank you for listening and goodbye for now.
