Employer Legal Compliance

As a transport operator, you will handle sensitive information (such as criminal records and drug and alcohol test results) and receive requests for various personal records for compliance and safety purposes.

When must I comply with the Privacy Act?

All businesses with an annual turnover of more than $3 million must comply with the Privacy Act 1988 (Cth) and have both a privacy policy and privacy collection statement. The privacy policy must clearly outline the purposes for which personal information may be collected and the parties to whom that personal information may be disclosed.

While most small businesses with an annual turnover under $3 million do not need to comply with the Act, there are certain circumstances where a small business must comply. This checklist on the Office of the Australian Information Commissioner website provides a useful summary.

What is considered personal or sensitive information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, for example, a person’s name, signature, address, telephone number, date of birth, bank account details and employment details. It can also include opinions or commentary on performance, behaviour or competency.

However, personal information does not include employee records if the records are directly related to a current or former employment relationship. This means that records relating to employees are generally not covered by the Privacy Act, but records relating to prospective employees and your subcontractors and their employees are covered.

Sensitive information is a form of personal information that is given a higher level of privacy protection under the Act. For transport operators, drug and alcohol test results, medical screening tests and driving history checks would all be classified as ‘sensitive information’.

What should I do when a third party asks for personal information concerning my drivers or subcontractors?

The answer depends on whether the driver is a subcontractor or a current or former employee.

Subcontractors, prospective employees and employees of subcontractors:

Their personal information may only be used or disclosed for the purpose for which it was collected (the primary purpose) unless one of the exceptions to the rule applies.

Usually, the records of a subcontractor will not have been collected for the primary purpose of being provided to a customer or third party and therefore cannot be disclosed. However, there are some exceptions to this general rule. From a transport operator’s perspective, the most relevant exception is where the subcontractor has consented to the use or disclosure of their personal information for another purpose.

It is good practice to always seek consent (preferably in writing) from a subcontractor before releasing their personal information. Alternatively, provide them with a collection statement that explains the purpose of collecting the information at the time the records are obtained.

Current and former employees:

Employee records are excluded from the operation of the Privacy Act if the records are directly related to a current or former relationship between the employer and the individual. This includes things such as the employee’s skills, performance, conduct, and their terms of employment.

This means that transport operators are usually able to provide information to third parties about current or former employees of the business at any time, though best practice would be to seek consent before releasing any personal information.

Before handing over ‘personal information’ to a third party, you should think about how you obtained that information. There are strict rules around obtaining information without permission, let alone sharing that information with another person. Advancements in technology can create further challenges when it comes to privacy.

Requests from regulators and government agencies

Authorised officers under the Heavy Vehicle National Law and some government agencies, such as the Australian Tax Office, have powers to request information from businesses and individuals. You should confirm that the person or agency requesting the information is properly authorised and has the power to do so.


Checklist for best practice on workplace privacy

  • Develop a policy describing how personal information is collected and handled and ensure it is communicated to staff and customers.
  • Inform individuals why you are collecting their personal information and to whom you might give it, and allow employees to access the personal information about themselves.
  • Only collect information about employees that is necessary.
  • Ensure the personal information held by your business is correct and up-to-date.
  • Securely keep personal information.
  • Seek consent before releasing personal information to a third party.
  • If the information is being provided to meet a lawful request, only provide information that is necessary to comply with that request.
  • Implement procedures for the use of electronic equipment that set out appropriate personal and business use and explain how your business monitors employee use of electronic equipment.