Data protection for HR in Australia
Reviewed by Mellow Editorial Team, HR & payroll content team
Australian employers handling employee personal information must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). These create binding obligations around how you collect, store, use and disclose that information — with real consequences for getting it wrong.
Who the Privacy Act covers
The Act applies to private sector organisations with an annual turnover above $3 million. Smaller employers can fall under it too if they trade in personal information, provide health services, or have opted in. If you are an employer of any size, the safest assumption is that the APPs apply to your HR data.
Some employment records have a specific exemption under the Act — records created and used directly in the employment relationship are carved out for certain purposes. But this exemption is narrower than many employers believe. It does not cover recruitment records, pre-employment checks, or information you share outside the employment relationship. Treat it as a limited carve-out, not a blanket shield.
What counts as employee personal information
HR data spans far more than a name and bank account number. In practice it includes:
- Tax file numbers (TFNs) — governed by the Tax File Number Rule 2015 as well as the APPs
- Payroll data: salary, superannuation fund details, PAYG withholding amounts
- HECS/HELP repayment band information collected during onboarding
- Health and medical records, including workers' compensation files
- Performance reviews, disciplinary records and written warnings
- Visa and right-to-work documentation
- Emergency contact details
Health information is treated as sensitive information under the APPs and attracts stricter handling rules. You generally need express consent to collect it, and you cannot use it for an unrelated purpose.
Core obligations under the Australian Privacy Principles
Collect only what you need. APP 3 requires that you collect personal information only by lawful, fair means and only if it is reasonably necessary. That means no sweeping background questions on an application form that go beyond what the role requires.
Tell employees what you are collecting and why. At or before collection, you must give a privacy notice (sometimes called a collection notice) explaining what you are collecting, why, who you might share it with, and how people can access or correct it. A statement buried in a contract of employment at page twelve is not sufficient if it is not drawn to the person's attention.
Use and disclose information for the purpose it was collected. APP 6 restricts secondary use. Payroll data collected to process wages cannot be used to profile employees for unrelated commercial purposes. Sharing an employee's personal details with a third party — including offshore payroll processors — requires that the recipient handle the data to an equivalent standard, or you must take reasonable steps to ensure that protection.
Cross-border disclosure. APP 8 is the key provision when you use overseas HR or payroll platforms. Before sending personal information offshore, you must be satisfied the overseas recipient will not breach the APPs, or you must obtain the individual's consent — and even then you may remain accountable. This applies directly when payroll is processed across multiple countries on a single platform.
Security. APP 11 requires reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. For HR systems this means access controls, audit logs, encryption at rest and in transit, and a clear process for what happens when an employee's role changes or ends. Stale access is one of the most common gaps.
Destruction and de-identification. Once you no longer need personal information, and there is no legal reason to retain it, you must destroy or de-identify it. Note that Fair Work record-keeping rules require you to retain certain payroll and employment records for seven years — so your destruction policy needs to account for both obligations running in parallel.
TFN handling — a separate regime
Tax file numbers sit under the Privacy (Tax File Number) Rule 2015, which imposes obligations on top of the APPs. You may only collect a TFN because the employee has provided it voluntarily for payroll purposes. You cannot use it as a general identifier across your HR system, and you must store it securely and separately where practicable. Mishandling a TFN — including using it as a login credential or printing it on documents unnecessarily — is a specific breach.
What the Office of the Australian Information Commissioner can do
The OAIC can investigate complaints, conduct audits, and make determinations that include ordering compensation payments. Serious or repeated breaches can attract civil penalties. The Notifiable Data Breaches scheme, which sits under Part IIIC of the Privacy Act, also requires organisations to notify the OAIC and affected individuals when a breach is likely to result in serious harm. An HR system intrusion that exposes salary data, TFNs or health records would almost certainly meet that threshold.
Practical steps to get the baseline right
Review every system that touches employee data and document what you collect, where it is stored, and who can access it. Update your employment contracts and onboarding materials to include a clear collection notice. Confirm the data-handling terms of any payroll or HRIS vendor, especially if they process data outside Australia. Assign a named internal owner for HR data governance — even a small business can do this without dedicated legal resources. Run a brief access review each time someone leaves the organisation or changes roles.
---
Run HR and payroll in Australia with Mellow
Mellow brings HR, payroll and 12 AI agents into one platform — built to handle Australia properly, with payroll included, from £4 per employee per month. The AI agents don't just answer questions; they generate contracts, run cost estimates and draft letters for you.
[Start a free trial →](/register)