The Privacy Act employee records exemption (section 7B): what it covers and what it doesn't

What section 7B does

Section 7B of the Privacy Act 1988 provides an exemption from the Australian Privacy Principles (APPs) for certain activities involving employee records. This exemption applies when an organisation’s act or practice is directly related to a current or former employment relationship between the employer and an individual. The exemption specifically covers employee records held by the organisation.

The rationale behind this exemption stems from the established regulatory framework governing workplace relations, which is primarily addressed by the Fair Work Act. This framework already provides significant oversight of how employers handle employee data.

As of 2026, a proposal to remove or narrow this exemption is under consideration, but has not yet been enacted into law.

What an 'employee record' covers

The Privacy Act defines an 'employee record' as a record containing personal information relating to the employment of an employee. This means the record must pertain to the individual’s role and responsibilities within the organisation.

Examples of information that would fall under this definition include details about an employee’s health, personal and emergency contacts, the terms and conditions of their employment, performance and conduct, hours worked, leave taken, salary and superannuation, and any disciplinary actions taken. These records directly relate to the ongoing employment relationship.

It is important to recognise that records pertaining to job applicants and prospective employees are not considered 'employee records' for the purposes of this exemption. The exemption only applies once employment commences.

What the exemption does NOT cover

The exemption relating to employee records is not universal. It does not extend to information about prospective employees, meaning recruitment data is not covered. Similarly, records pertaining to independent contractors are excluded, as they are not considered employees for the purposes of this exemption. Customer data, such as policy information held by an insurer, also falls outside the scope of the exemption. Privacy Act 2026 readiness

Furthermore, the exemption does not override other legislation that protects personal information. This includes state surveillance Acts, the Notifiable Data Breach scheme, which continues to apply where data breaches occur, and the new statutory privacy tort. Compliance with these other obligations remains mandatory regardless of the employee records exemption.

• Recruitment data
• Independent contractor records
• Customer data
• State surveillance Acts
• The Notifiable Data Breach scheme
• The new statutory privacy tort

The exemption’s limitations mean organisations must still carefully consider their obligations under other privacy laws when handling employee information.

Practical implications

The employee records exemption in the Privacy Act does not remove all privacy obligations. While it provides a specific carve-out for personal information held or collected primarily for a current or former employee’s employment, it does not mean that employee data is free from privacy risk. Organisations must still recognise that employee information is sensitive and requires careful handling.

Regulators, courts, and the new statutory tort continue to expect organisations to implement robust controls over employee data. These controls should cover areas such as access, security, retention, and disclosure. Failing to do so can still result in significant legal and reputational consequences.

The exemption should be understood as a defined exception, not as a blanket privacy holiday. Organisations should treat it as such and maintain a strong privacy posture regarding employee records.