If the police come knocking: Employer privacy obligations with requests for information
Most employers would be aware of the stringent obligations in place to protect their employees' personal information. What might not be so clear are employers' obligations when law enforcement request access to this information.
Knowing how to act in this situation is crucial. With the introduction of new data breach disclosure provisions, the standard for protecting an employee's personal information has never been higher (or the punishments more severe!).
Sure, you might be currently shielding employee personal information from unauthorised access. But how should you respond if you are requested by the police to hand over information to assist in the investigation of a crime? Is it OK to comply? Should you?
Privacy at the Federal level in Australia is governed generally by the Australian Privacy Principles in the Privacy Act 1988. The Privacy Principles apply to Commonwealth agencies and most private enterprises (excluding small businesses).
Privacy Principle 6 prevents employers from using or disclosing employee personal information (such as names and contact details) for a purpose unrelated to the primary purpose for which it was gathered. Given that employee personal information is typically gathered for the purpose of allowing that person to be employed, use of that information for the purpose of, for example, a criminal investigation will be plainly unrelated. A breach of the Privacy Act obligations carries with it significant potential financial penalties.
In light of these obligations, what is the best way to respond if police contact you with a request for an employee's personal information, to assist in the investigation of a criminal offence?
Provided the following specific steps are followed, the good news is that you will be permitted to release the information without running the risk of a breach of your disclosure obligations.
Steps to take when asked for personal information by the police
- Check that the entity making the request is an enforcement body. Common examples include the Australian Federal Police, a State police force or the Australian Securities and Investments Commission. Check the full list here.
- The disclosure must be in connection with enforcement related activities, conducted by the enforcement body. This includes the prevention, detection, investigation, prosecution, or punishment of criminal offences. This would include providing information to assist in the initiation of such activities, for example, if the information is necessary to allow the police to commence an investigation.
- You must have a reasonable belief that disclosure is required. You should be able to present evidence to justify this belief. Ideally, you should require any request for information to be made in writing.
- Finally, your belief must be that the information is reasonably necessary for the enforcement related activity. This is an objective test as to whether a reasonable person, properly informed, would agree to disclosure in your circumstances. Again, you should be able to justify why this is the case, and the best chance to do this is to ensure sufficient information is provided by the enforcement body to allow the general nature of the matter to be understood.
How much should I disclose?
While taking the above steps will ensure that your obligations regarding the disclosure of employee personal information are not breached, a general rule of thumb for such disclosures is to disclose the minimum amount of personal information reasonably necessary for the activity in question. If all that is required to assist in the enforcement related activity is an employee's name, only provide that.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.