
Gender Equality Act 2020 and Privacy

The Gender Equality Act 2020 (GE Act) requires defined entities[1] to develop a Gender Equality Action Plan[2] (GEAP) and conduct a workplace gender audit[3] (audit). The GEAP must include the results of the audit and must be submitted to the Commission for Gender Equality in the Public Sector (the Commission).[4]

Most defined entities have privacy obligations under the Privacy and Data Protection Act 2014 (PDP Act)[5] and Health Records Act 2001 (HR Act)[6] requiring them to collect, use, and disclose personal and health information in accordance with the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs). This resource discusses privacy considerations for defined entities when complying with their obligations under the GE Act.

WHAT IS PERSONAL, SENSITIVE, AND HEALTH INFORMATION?

Personal information is any information about an individual whose identity is apparent or can reasonably be ascertained from the information.[7] Certain personal information is classed as sensitive information, including racial or ethnic origin, religious beliefs or affiliations, and sexual preferences or practices.[8] Sensitive information is subject to additional restrictions on collection, use and disclosure.

Health information includes information about the physical, mental or psychological health of an individual, or a disability of an individual.[9]

WHAT PERSONAL, SENSITIVE, OR HEALTH INFORMATION IS RELEVANT TO THE AUDIT AND GEAP?

The audit must assess the state and nature of gender inequality in a defined entity’s workplace with regard to a range of factors set out in the GE Act. This includes:

  • the workplace gender equality indicators, which cover gender pay equity, gender composition at all levels of the workforce, gender composition of governing bodies, workplace sexual harassment, recruitment and promotion, gendered work segregation, leave and flexibility;[10] and
  • the disadvantage or discrimination that a person may experience on the basis of aboriginality, age, disability, ethnicity, gender identity, race, religion or sexual orientation.[11]

The audit must be based on gender-disaggregated data and, if available, data about aboriginality, age, disability, ethnicity, gender identity, race, religion, and sexual orientation.[12] Therefore, conducting the audit and submitting a GEAP to the Commission requires the collection, use, and disclosure of:

  • Personal information – information about an employee’s classification, salary, gender, and employment basis;
  • Sensitive information (if available) – information about an employee’s aboriginality, ethnicity, race, religion, and sexual orientation; and
  • Health information (if available) – information about an employee’s disability.

CAN A DEFINED ENTITY USE PERSONAL, SENSITIVE, OR HEALTH INFORMATION IT ALREADY HOLDS TO CONDUCT THE AUDIT AND DEVELOP A GEAP?

Using personal information and sensitive information already held

Under IPP 2.1, a defined entity must not use personal or sensitive information for a purpose other than the primary purpose for which it was collected. Personal or sensitive information already held by a defined entity that is relevant to conducting the audit and developing a GEAP will likely have been collected in the context of recruiting employees, for human resource purposes. As such, this information cannot be used for any other purpose unless an exception to IPP 2.1 applies.

However, IPP 2.1(f) permits personal and sensitive information to be used where the use is required or authorised by law. As a defined entity has a legal obligation under sections 10 and 11 of the GE Act to conduct the audit and develop a GEAP, it is permissible for a defined entity to use personal and sensitive information already held about employees to do so.

Using health information already held

Under HPP 2.2 a defined entity must not use health information for a purpose other than the primary purpose for which it was collected. However, HPP 2.2(c) permits health information to be used where the use is required or authorised by law. As a defined entity has a legal obligation under sections 10 and 11 of the GE Act to conduct the audit and develop a GEAP, it is permissible for a defined entity to use health information already held about employees to do so.

Notifying employees

Where a defined entity uses personal, sensitive, or health information it already holds to conduct the audit and develop a GEAP, it is best practice to notify employees of the new use of their information. For example, this could be done by an email to all staff notifying them that the GE Act requires an audit to be undertaken and their personal information will be used as part of that process. Providing notice promotes transparency about the entity’s information handling practices and ensures individuals are aware of how their information is used.

CAN A DEFINED ENTITY COLLECT PERSONAL, SENSITIVE, OR HEALTH INFORMATION TO CONDUCT THE AUDIT AND DEVELOP A GEAP?

Collecting personal information

As the GE Act requires certain personal information to be included in the audit, a defined entity can collect personal information from its employees if it does not already hold this information. A defined entity should collect this information directly from its employees.

Collecting sensitive information

As noted, in the context of the GE Act, sensitive information includes any information about an employee’s aboriginality, ethnicity, race, religion, or sexual orientation.

Section 11(3)(b) of the GE Act requires sensitive information to be used for the audit “if available”. Thus, a defined entity is permitted to use sensitive information it already holds; however, it is not required to collect sensitive information, nor are employees required to disclose sensitive information.

If a defined entity wants to collect sensitive information to conduct the audit and develop a GEAP, it must seek the employee’s consent as required by IPP 10.1(a). An employee is entitled to refuse the collection of their sensitive information and should be informed of this.

Collecting health information

As noted, in the context of the GE Act, health information includes any information about an employee’s disability.

Section 11(3)(b) of the GE Act requires health information to be used for the audit “if available”. Thus, a defined entity is permitted to use health information it already holds; however, it is not required to collect health information, nor are employees required to disclose health information.

If a defined entity wants to collect health information to conduct the audit and develop a GEAP, it must seek the employee’s consent as required by HPP 1.1(a). An employee is entitled to refuse the collection of their health information and should be informed of this.

Notifying employees

When collecting new personal, sensitive, or health information, a defined entity must take reasonable steps to notify its employees of a range of matters related to the collection including the purpose for which the information is collected, any law requiring the collection and the organisations or individuals to whom the information is usually disclosed.

This is commonly referred to as a collection notice, and it should be provided to employees at or before the time the defined entity collects the personal, sensitive or health information (or, if that is not practical, as soon as possible after the information is collected).[13]

Valid consent

Where a defined entity collects sensitive or health information with consent, it should ensure the employee’s consent is valid. For consent to be valid, it must be voluntary, informed, specific, current and provided by someone with capacity to consent. For detailed information on the elements of consent, see OVIC’s guidance.

CAN A DEFINED ENTITY DISCLOSE PERSONAL, SENSITIVE, OR HEALTH INFORMATION TO THE COMMISSION?

Section 12(1) of the GE Act requires a defined entity to submit its GEAP to the Commission, and section 10(1)(a) requires the GEAP to include the results of the audit.

  • IPP 2.1(f) permits the disclosure of personal and sensitive information where the disclosure is required or authorised by law.
  • HPP 2.2(c) permits the disclosure of health information where the disclosure is required or authorised by law.

Thus, a defined entity can disclose personal, sensitive, and health information contained in the GEAP and the audit to the Commission.

CAN A DEFINED ENTITY OR THE COMMISSION PUBLISH PERSONAL INFORMATION?

Section 51 of the GE Act prohibits the publication of personal information, including sensitive information.

A defined entity is required to publish its GEAP on its website but must remove any personal information from the GEAP before doing so.[14]

A defined entity must advise the Commissioner whether its GEAP contains personal information.[15] The Commissioner may publish a submitted GEAP[16] and is required to remove any personal information from it before publication or further distribution.[17]

WHAT STEPS CAN A DEFINED ENTITY TAKE TO MINIMISE THE RISK OF PUBLISHING PERSONAL INFORMATION?

Whether a GEAP includes personal information will depend on several factors including:

  • The size of the organisation – the smaller the organisation, the higher the likelihood that the results of the audit which are published through the GEAP may include personal information. For example, in an organisation with 20 or fewer employees, it may be possible to easily identify specific individuals based on the amount and type of information collected about them.
  • The number of employees with particular characteristics – regardless of the size of the defined entity, there may be a cohort of employees who are easily identifiable based on the type of personal information collected about them.
  • The context in which the information will be used – information may appear de-identified in one context; however, when combined with other available information, it may constitute personal information in another context. All de-identified data carries the inherent risk that it may be matched with other available auxiliary information and re-identified.

De-identification is one way of protecting the privacy of personal information. It involves removing or altering information that is likely to identify an individual, or achieving a state in which individuals cannot be ‘reasonably identified’ from the information. It is important to note that it is often difficult to completely de-identify information.
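The small-cohort and auxiliary-information risks described above can be made concrete with a worked example. The Python script below is an added illustration, not OVIC's code and not a method prescribed by the GE Act: it builds a constructed workforce (the classifications VPS3 to VPS5, headcounts and salaries are all made up), aggregates headcount and median salary per classification and gender as an audit might, and withholds any cell below an assumed minimum size of five employees. It also shows why context matters: if classification totals are published alongside the cells, a lone withheld cell can be recovered by subtracting the visible cells from the total, so a second cell in that row has to be withheld as well (complementary suppression).

```python
"""Small-cell suppression for an aggregated workplace gender audit table.

Added illustration, not OVIC's code. The records, the classifications
(VPS3..VPS5), the salaries and the minimum cell size of 5 are constructed
assumptions; an entity would choose its own threshold from its risk assessment.
"""
from collections import defaultdict
from statistics import median

MIN_CELL = 5  # assumed threshold: cells with fewer employees are withheld


def make_records(spec):
    """Expand (classification, gender, headcount, base_salary) rows into one
    record per employee. Salaries are stepped by 500 so medians differ."""
    records = []
    for classification, gender, headcount, base_salary in spec:
        for i in range(headcount):
            records.append({"classification": classification,
                            "gender": gender,
                            "salary": base_salary + 500 * i})
    return records


# Constructed sample workforce of 23 employees (not real data).
SPEC = [
    ("VPS3", "Woman", 6, 70000),
    ("VPS3", "Man", 5, 71000),
    ("VPS4", "Woman", 4, 85000),
    ("VPS4", "Man", 2, 86000),
    ("VPS5", "Woman", 1, 100000),  # a cohort of one: identifiable on its own
    ("VPS5", "Man", 5, 101000),
]
EMPLOYEES = make_records(SPEC)


def aggregate(records):
    """Headcount and median salary per (classification, gender) cell."""
    salaries = defaultdict(list)
    for r in records:
        salaries[(r["classification"], r["gender"])].append(r["salary"])
    return {cell: {"count": len(v), "median_salary": median(v)}
            for cell, v in salaries.items()}


def publishable_table(records, min_cell=MIN_CELL, publish_totals=True):
    """Build the table an entity could publish with its GEAP.

    Primary suppression: any cell with fewer than min_cell employees is withheld.
    Complementary suppression: when classification totals are published next to
    the cells, a single withheld cell in a row is recoverable by subtraction, so
    the smallest visible cell in that row is withheld as well.
    """
    table = aggregate(records)
    suppressed = {cell for cell, s in table.items() if s["count"] < min_cell}

    rows = defaultdict(list)          # classification -> cells in that row
    for cell in table:
        rows[cell[0]].append(cell)

    if publish_totals:
        for row_cells in rows.values():
            hidden = [c for c in row_cells if c in suppressed]
            visible = [c for c in row_cells if c not in suppressed]
            if len(hidden) == 1 and visible:
                suppressed.add(min(visible, key=lambda c: table[c]["count"]))

    cells = {cell: (None if cell in suppressed else stats)
             for cell, stats in table.items()}
    totals = None
    if publish_totals:
        totals = {row: sum(table[c]["count"] for c in row_cells)
                  for row, row_cells in rows.items()}
    return {"cells": cells, "totals": totals, "suppressed": sorted(suppressed)}


if __name__ == "__main__":
    result = publishable_table(EMPLOYEES)
    for cell, stats in sorted(result["cells"].items()):
        print(cell, "withheld" if stats is None else stats)
    print("totals:", result["totals"])
```

Running the script withholds the VPS4 cells (four and two employees) and the single VPS5 woman on the primary rule, and then also withholds the five VPS5 men because the published VPS5 total of six would otherwise reveal the withheld cell. A threshold of five and complementary suppression are common statistical disclosure control practices, not requirements of the GE Act; they illustrate the point above that what is safe to publish depends on what else is published with it.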

For detailed guidance on de-identification and its limitations, see OVIC’s resource.[18]

  1. Under section 5 of the GE Act, an entity is a ‘defined entity’ if it has 50 or more employees and is a public service body, a public entity, a special body, a Council, Court Services Victoria, a university within the meaning of the Education and Training Reform Act 2006, the Office of the Public Prosecutions, or a prescribed entity.
  2. Section 10 of the GE Act.
  3. Section 11 of the GE Act.
  4. Sections 10(1)(a) and 12 of the GE Act.
  5. Section 3 of the PDP Act lists public sector organisations that must comply with the Information Privacy Principles.
  6. Section 10 of the HR Act lists public sector organisations that must comply with the Health Privacy Principles.
  7. Section 3 of the PDP Act.
  8. Schedule 1 of the PDP Act.
  9. Section 3 of the HR Act.
  10. Section 11(2)(a) of the GE Act. Further information on the workplace gender equality indicators is available on the Commission’s website here: https://www.genderequalitycommission.vic.gov.au/workplace-gender-equality-indicators.
  11. Section 11(2)(c) of the GE Act.
  12. Section 11(3) of the GE Act.
  13. See OVIC’s resource on collection notices available here: https://ovic.vic.gov.au/privacy/collection-notices/
  14. Section 51(1) of the GE Act.
  15. Section 51(2) of the GE Act.
  16. Section 14(2) of the GE Act.
  17. Section 51(3) of the GE Act.
  18. Also see OVIC’s Introduction to De-identification guidance available here: https://ovic.vic.gov.au/privacy/an-introduction-to-de-identification/.

Download: Gender-Equality-Act-2020-and-Privacy-FAQs.docx (501.96 KB)