Privacy Act Obligations for HR Investigations in Australia
How the Privacy Act 1988 (Cth) applies to workplace investigations, covering what you can collect, how to handle sensitive information, and the obligations that apply when sharing findings.
Why privacy law matters in workplace investigations
Workplace investigations generate significant quantities of personal information: allegations, witness accounts, employment history, health information, and sensitive communications. Every organisation subject to the Privacy Act 1988 (Cth) must handle this information in accordance with the Australian Privacy Principles (APPs). Getting this wrong can result in complaints to the Office of the Australian Information Commissioner (OAIC), regulatory action, and reputational damage.
The 2025 amendments to the Privacy Act have substantially increased penalties for serious or repeated privacy breaches, up to $50 million or more for large organisations. HR and investigation teams need to understand their obligations.
Which organisations are covered?
- Private sector organisations with an annual turnover of more than $3 million
- Health service providers regardless of size
- Commonwealth Government agencies
- Credit reporting bodies and credit providers
Some small businesses below the $3 million threshold are still covered if they handle health information, provide services under a Commonwealth contract, or are related to a larger covered entity. State and territory public sector bodies are generally covered by their own privacy legislation.
Collection of personal information (APP 3)
You may only collect personal information that is reasonably necessary for a legitimate purpose. In the investigation context, that means information relevant to the allegations being investigated. Collecting excessive information (e.g., reviewing years of emails when the allegation is narrow in scope) may breach APP 3.
Collection must be by lawful and fair means. You cannot obtain personal information by deception, and you must generally notify individuals of the collection (APP 5). In an investigation context, the notification should be given at the time of interview or when requesting documents.
Sensitive information requires heightened protection
Health information, racial or ethnic origin, sexual orientation, criminal record, and union membership are all "sensitive information" under the Privacy Act. This is particularly relevant where:
- The allegation involves a health-related matter (e.g., mental health, injury)
- The alleged conduct relates to a protected attribute under discrimination law
- A witness discloses personal health information during interview
Sensitive information can generally only be collected with the individual's consent, or where collection is required or authorised by law. You should document the basis on which you collected it.
Storage and security (APP 11)
You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. For investigation records, this means:
- Storing investigation files in a secure, access-controlled system (not shared drives accessible to all staff)
- Restricting access to people with a need-to-know
- Using encryption for electronic records and secure storage for physical documents
- Having a clear retention and destruction policy: retain records for as long as reasonably necessary (typically at least 7 years), then securely destroy them
Disclosure and use (APPs 6 and 7)
Investigation findings and the underlying evidence can only be disclosed for a purpose related to the reason they were collected. You can share the report with the decision-maker, legal counsel, and others with a direct need to know. You cannot share it with:
- Staff who are curious but have no operational need
- The respondent's line manager, unless they are the decision-maker
- Third parties (e.g., clients or suppliers) without a specific legal basis
The respondent is entitled to know the substance of findings affecting them, but you are not obliged to provide witness evidence in a form that would identify a witness if doing so would create safety or retaliatory risks. Balance the right of response against witness protection.
Cross-border disclosure
If your organisation stores investigation records with offshore cloud providers or shares findings with overseas parent entities, you may need to comply with APP 8 (cross-border disclosure). Generally, you must take reasonable steps to ensure the overseas recipient handles the information consistently with the APPs. Check your cloud storage and HR platform providers' data residency commitments.