Most small businesses collect more employee information than they realise.
Even if you don’t run a “data-driven” business, you probably store resumes, tax file number declarations, bank details for payroll, emergency contacts, medical certificates, performance notes, swipe-card logs, CCTV footage, and sometimes even device or location data.
That’s where having an employee privacy policy (sometimes called a workplace privacy policy) becomes practical, not just “nice to have”. It sets expectations, reduces confusion, and helps you manage privacy risks before they become a workplace dispute or compliance headache.
Below, we’ll walk you through what an employee privacy policy typically covers in Australia, when you should have one, and how to roll it out in a way that actually works in a busy small business.
What Is An Employee Privacy Policy (And Why Does It Matter)?
An employee privacy policy is an internal document that explains how your business handles personal information relating to:
- job applicants
- employees (including casuals and part-timers)
- contractors (where relevant)
- former employees (in relation to retained records)
In plain terms, it answers questions like:
- What personal information do you collect from staff and candidates?
- Why do you collect it, and how do you use it?
- Who can access it internally (and when)?
- Do you share it with anyone else (like payroll providers or IT vendors)?
- How do you store it securely and for how long?
- What monitoring happens at work (CCTV, email, devices), and what’s off-limits?
- How can an employee access or correct their information?
For small businesses, the “why it matters” usually comes down to three things:
- Trust: staff want to know what’s happening with their information (especially if you’re monitoring devices or using cameras).
- Consistency: a written policy makes it much easier to train managers and avoid “different rules for different people”.
- Risk management: privacy issues can escalate quickly into complaints, adverse action claims, reputational damage, or investigations.
Is An Employee Privacy Policy The Same As A Privacy Policy?
Not quite.
A public-facing Privacy Policy usually explains how you collect and use personal information from customers and website users.
An employee privacy policy focuses on the employment lifecycle (recruitment, employment, performance management, and offboarding). Some businesses combine them, but many keep them separate so the employee document can deal with workplace-specific issues like monitoring, personnel files, and internal investigations.
Do Small Businesses In Australia Need An Employee Privacy Policy?
There’s no single rule that says every business must have a standalone employee privacy policy.
But in practice, many small businesses still need one (or at least need workplace privacy terms embedded in their contracts and policies) because:
- you’re collecting sensitive information (like health information) from employees
- you’re using workplace surveillance or monitoring tools
- you share employee data with third-party providers (payroll, HR, rostering, IT)
- you want a clear, documented process for access, correction, and retention
- you’re growing and need consistent onboarding and management practices
What About The Privacy Act And The “Small Business Exemption”?
In Australia, the Privacy Act 1988 (Cth) applies to many businesses, but some small businesses may be exempt (often referred to as the “small business exemption”). As a general guide, this exemption can apply where a business has an annual turnover of $3 million or less, but there are important exceptions where the Privacy Act can still apply regardless of turnover.
For example, the Privacy Act can still apply to some small businesses that:
- provide a health service and handle health information
- trade in personal information
- are related to an entity that is covered by the Privacy Act (for example, part of a corporate group that includes an APP entity)
- are contracted service providers for the Australian Government (in some circumstances)
- have opted in to be bound by the Privacy Act
Even where an exemption might apply, relying on it as your “privacy strategy” is risky. Why?
- Your business can grow. What was “small” at startup may not be small in 12-24 months.
- Exceptions can apply. Some activities and industries have privacy obligations regardless of size.
- Other laws still matter. Workplace surveillance, discrimination, Fair Work, and WHS issues can still arise even if the Privacy Act doesn’t apply to you in the way you expect.
The “Employee Records Exemption” (And Why You Still Need Good Policies)
There is also an “employee records exemption” in the Privacy Act that can affect how the Australian Privacy Principles apply to certain acts and practices by private sector employers, but only where those acts and practices are directly related to a current or former employment relationship and relate to an employee record.
Practically, this means the exemption may not cover everything you do with “people data”, such as:
- how you handle job applicant information before employment starts
- personal information collected about contractors in some situations
- some uses or disclosures that aren’t directly related to the employment relationship
And even where the exemption does apply, it doesn’t mean “anything goes” with employee data. From a practical standpoint, you still need to manage:
- confidentiality and security (including limiting access to HR files)
- workplace policies and contractual obligations
- surveillance and monitoring laws (which can vary by State/Territory)
- the expectations you set with staff (which can impact disputes if things go wrong)
So even if you’re unsure whether the Privacy Act technically applies to your particular scenario, a clear workplace privacy framework is still one of the easiest ways to prevent misunderstandings and protect your business.
What Should Your Workplace Privacy Policy Cover?
A good workplace privacy policy is practical and specific to how you actually run your business. It’s not just legal wording; it’s an operational guide for your managers and team.
Here are the key areas most Australian small businesses should consider including.
1. What Personal Information You Collect
Start by listing common categories of personal information collected at each stage:
- Recruitment: resumes, references, interview notes, right to work checks.
- Onboarding/payroll: address, date of birth, bank details, superannuation details, tax file number declarations, emergency contacts.
- Employment management: rosters, timesheets, leave records, performance notes, training records, incident reports.
- Health and safety: medical certificates, injury management information, fitness-for-work documentation (where relevant).
- IT and access controls: access logs, device identifiers, system login records.
Be careful with sensitive information (like health information). If you’re collecting it, be clear about why, how it’s stored, and who can access it.
2. Purpose: Why You Collect And Use Employee Data
In a small business, the most common purposes include:
- payroll and superannuation
- work health and safety compliance
- workplace investigations and misconduct processes
- performance management and training
- IT security and business continuity
This is also the place to align with what you tell staff in onboarding documents and in your Employment Contract (for example, confidentiality and acceptable use obligations).
3. Storage And Security
Your policy should set a baseline for security that your team can follow day-to-day, for example:
- where personnel files are stored (HR system, locked cabinet, secure drive)
- who can access them (owners, HR, specific managers)
- password and access control requirements
- rules for sending files by email and using personal devices
- what happens if there’s a suspected data breach (who to report to and what to do next)
If you use contractors (like outsourced HR or IT), it’s worth thinking about how you control access and ensure they only access what they need.
4. Sharing Employee Information With Third Parties
Many small businesses share employee information with third parties as part of normal operations, such as:
- payroll and accounting providers
- cloud storage providers
- HR platforms
- rostering and time-tracking systems
- background check providers (where relevant)
- insurers, brokers, or workplace rehabilitation providers (where relevant)
Your policy should explain the types of third parties you use and the general reasons you share information. This helps avoid the “I didn’t know you were sending my details to X” problem.
5. Workplace Monitoring: CCTV, Devices, Email, And Internet Use
This is often the most sensitive (and most practical) part of an employee privacy policy.
If you use CCTV, monitoring software, time-and-attendance systems, GPS tracking, or review emails and messages on work systems, you should be clear about:
- what is monitored
- why it is monitored (e.g. safety, security, productivity, compliance)
- when monitoring occurs (continuous vs ad hoc)
- who can access monitoring data
- how long data is retained
It’s also important to line this up with your broader workplace policy framework (for example, acceptable use of company devices, passwords, and reporting security issues).
If you’re installing cameras or already have them operating, the rules can vary depending on where you operate and how the monitoring is carried out (including notice and consent requirements). It’s also worth checking practical guidance around CCTV laws and how they interact with your internal policies and notices.
6. Call Recording And Meeting Recordings
Many small businesses record calls for training, quality assurance, or customer dispute management. If employees are using a phone system that records calls, your employee privacy policy should address it (including who can access recordings and how long they’re kept).
You should also be careful with call recording rules, which can differ across Australia (and may depend on factors like who is a party to the call, whether consent is required, and whether the recording is covert). It helps to align your internal documents with practical guidance on business call recording laws.
7. Access And Correction Requests (And How Staff Can Raise Concerns)
Your policy should explain how an employee can:
- request access to their personal information (and what the process looks like)
- ask you to correct inaccurate information
- raise a privacy concern internally (who they should contact)
Even in a small team, having a simple process reduces conflict and helps you respond consistently.
8. Retention: How Long You Keep Employee Records
Most businesses keep certain employment records for a number of years for legal, payroll, and tax reasons. Your policy doesn’t need to list every statutory retention period, but it should clearly explain:
- you retain some records after employment ends
- retention is for legal and business reasons
- you take steps to securely destroy or de-identify information when it’s no longer needed
How Do You Put An Employee Privacy Policy In Place Without Creating Confusion?
A policy only helps if your team understands it and you can apply it consistently.
Here’s a practical rollout approach that works well for small businesses.
Step 1: Map Your “People Data” In A Simple List
Before you write anything, identify:
- what employee information you collect
- where it sits (email inboxes, paper files, HR software)
- who has access
- what third parties receive it
Most privacy problems come from “we didn’t realise we were collecting that” or “we didn’t realise everyone could access it.” A simple map helps you tighten things up.
Step 2: Decide What Goes In Your Policy vs Contracts vs Other Policies
In a small business, your “privacy framework” is often split across multiple documents, such as:
- your employee privacy policy (high-level rules)
- your employment contracts (individual obligations and consents)
- IT/acceptable use policies (how devices, email, and platforms can be used)
- workplace surveillance notices (where required)
Many businesses include these in their broader workplace policies and onboarding materials, so expectations are in one consistent place.
Step 3: Communicate It Clearly (Especially Around Monitoring)
If your policy includes monitoring (CCTV, email review, device logs), don’t bury it.
In onboarding, explain:
- what tools you use
- what you’re trying to achieve (e.g. safety, cyber security)
- how employees can ask questions
This is one of those areas where being upfront usually reduces pushback: people are more likely to accept monitoring if they understand the purpose and boundaries.
Step 4: Add A Short Collection Notice At Key “Collection Points”
A policy is helpful, but employees and candidates often need a clear notice at the time you collect information.
For example:
- in your job application form
- when you ask for references
- when you collect emergency contact details
This is where a Privacy Collection Notice can be a practical add-on, because it sets expectations at the exact moment you’re collecting information.
Step 5: Train Your Team On The Everyday Basics
In small businesses, privacy often fails in the day-to-day moments:
- a manager storing performance notes in an unsecured folder
- someone forwarding a medical certificate to the wrong person
- sharing roster information too broadly
Training doesn’t need to be complicated. Even a 20-minute session on “what goes where” and “who can access what” can prevent the most common issues.
Common Employee Privacy Policy Mistakes Small Businesses Make
Most privacy issues aren’t caused by bad intentions; they’re caused by unclear systems and inconsistent practices.
Using A Generic Template That Doesn’t Match Your Business
If your policy says you don’t monitor devices but you actually do, or it says you retain data for 12 months but you keep it indefinitely, you’ve created a credibility problem.
Your workplace privacy policy should reflect reality, then help you improve that reality over time.
Not Addressing CCTV, Email, Or Device Monitoring
If you do any monitoring, it needs to be addressed clearly. This is often the number one trigger for workplace conflict, especially when an employee feels “surprised” by monitoring being used in performance management or misconduct matters.
Collecting More Information Than You Need
A good rule of thumb: if you don’t need it, don’t collect it. Over-collection creates storage and security risks, and it makes it harder to justify why you have certain information.
Letting Too Many People Access Personnel Files
In small teams, it’s tempting to let “everyone who needs it” access HR information. Over time, that can become “everyone”.
Limit access to a genuine need-to-know basis and document who has access (and why).
Forgetting Contractors And Job Applicants
Your employee privacy policy should usually cover candidates (during recruitment) and may also cover contractors, depending on how your business engages them and what information you collect.
This is especially relevant if you rely on subcontractors but still manage their onboarding, identity verification, and access to systems.
Key Takeaways
- An employee privacy policy (or workplace privacy policy) sets clear expectations about how you collect, use, store, and disclose employee and candidate personal information.
- Even if you’re a small business, privacy risks still come up in everyday operations, especially around recruitment, payroll, medical information, and workplace monitoring.
- Your policy should clearly cover what you collect, why you collect it, who can access it, when it’s shared with third parties, and how long it’s retained.
- If you use CCTV, device monitoring, or call recording, being upfront in your policy and onboarding process can reduce disputes and help you apply rules consistently.
- Policies work best when they match your real practices, are communicated clearly, and your managers are trained on how to follow them.
Important: This article is general information only and doesn’t take into account your specific circumstances. It isn’t legal advice. If you’d like advice on putting an employee privacy policy (and supporting workplace documents) in place for your small business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.