Your Privacy Rights When Your Employer Uses AI: An Australian Employee Guide
Your employer using AI to monitor, assess, or make decisions about you has privacy implications that many Australians do not know about. Here is what the Privacy Act, state laws, and Fair Work Act give you the right to know and do.
Key Takeaways
Under the Privacy Act, you have the right to access personal information your employer holds about you — including data collected by AI monitoring systems — and to correct information that is wrong.
Employers covered by the Privacy Act must tell you, in their privacy policy, what personal information they collect and how it is used. If AI monitoring is not mentioned in their privacy policy, that may be a compliance gap worth raising.
State-based surveillance laws in NSW and the ACT require your employer to give you 14 days' written notice before installing monitoring systems. If this did not happen, the monitoring may be unlawful.
If AI-generated data is used in a disciplinary process against you, you have a right to know what the data says and to respond to it — procedural fairness under the Fair Work Act applies to AI-generated evidence.
You can complain to the OAIC (privacy), the Fair Work Ombudsman (workplace rights), or state-based bodies (surveillance law) if you believe your rights have been breached.
"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific advice."
Your Privacy Act rights as an employee
The Privacy Act 1988 (Cth) gives Australian employees specific rights when their employer handles their personal information using AI. These rights exist independently of employment law and apply to any APP entity employer — one with annual turnover over $3 million, or certain other categories regardless of turnover.
The right to access your personal information: APP 12
APP 12 gives you the right to access your personal information held by your employer, including information generated by or used in AI systems. You can request: the data used in AI performance assessments; AI-generated productivity scores or rankings; monitoring data collected through AI surveillance tools; and data used in AI hiring decisions about you. Your employer must respond within a reasonable time (30 days is the standard expectation for the private sector). They can charge a reasonable fee for access but cannot charge for the request itself. If they refuse, they must give you written reasons and information about how you can complain to the OAIC.
Access requests are a powerful tool. If an AI performance system generated a score that led to disciplinary action, a subject access request can reveal what data the AI used, how the score was calculated, and whether any errors occurred. This is often the starting point for challenging an AI-influenced employment decision.
The right to correct inaccurate information: APP 13
APP 13 requires your employer to take reasonable steps to correct personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. This applies to AI-generated data about you. If an AI monitoring system has recorded data that is factually incorrect — for example, attributing activity to you during a period you were on leave, or including performance data that reflects a system error — you can request correction. Your employer must take reasonable steps to correct the information or, if they disagree that correction is warranted, must note your request on the record.
Transparency obligations: what your employer must tell you
Under APP 1 and APP 5, your employer must be open and transparent about how they handle your personal information, and must notify you at or before collection. Practically, this means your employer's privacy policy and your employment contract should disclose what personal information is collected, how it is used, whether it is disclosed to third parties (including AI vendors), and how long it is retained.
From December 2026, a specific new obligation applies: if your employer uses substantially automated processes to make decisions that have a legal or similarly significant effect on you, their privacy policy must include information about this. This directly covers: AI-driven performance management that automatically triggers disciplinary consequences; algorithmic redundancy selection; AI-generated hiring decisions; and automated leave approval systems. If your employer uses AI in these ways but does not disclose it in their privacy policy after December 2026, that is a Privacy Act breach you can report to the OAIC.
AI monitoring and the Australian Privacy Principles
APP 3 limits collection of personal information to what is reasonably necessary for the employer's functions or activities. This has direct implications for AI monitoring. An employer that deploys AI surveillance that monitors every keystroke, application switch, and website visit may be collecting far more information than is reasonably necessary for legitimate workforce management. The OAIC's October 2024 guidance emphasises the proportionality and minimisation principles — collect what you need, not everything you can.
APP 6 restricts your employer to using your personal information for the primary purpose for which it was collected. If your employer collects performance monitoring data for workforce management purposes, they generally cannot use it for different purposes — such as sharing it with a third-party analytics provider or using it to train a general AI model — without your consent or another APP 6 basis.
Sensitive information and biometric data
Biometric information — including facial recognition data, fingerprints, and voice recordings used for identification — is sensitive information under the Privacy Act. Collecting sensitive information generally requires your consent unless a statutory exception applies. The Bunnings Group decision (October 2024) confirmed this: Bunnings' facial recognition system, which collected biometric data from everyone entering its stores, breached the Privacy Act's consent requirements (and APP 1 and APP 5 transparency requirements), even though the intent was legitimate (crime prevention). The principle applies to employee biometric monitoring — if your employer uses facial recognition or biometric identification, they need a proper basis for collecting sensitive information about you.
How to exercise your rights
Make a written access request to your employer's HR department or privacy officer. Specify the information you want — AI-generated assessments, monitoring data, performance scores. Your employer should respond within 30 days. If your employer refuses or does not respond, contact the OAIC at oaic.gov.au — you can make a privacy complaint and the OAIC will investigate. The OAIC has enhanced investigation powers since the Privacy and Other Legislation Amendment Act 2024 (Royal Assent 10 December 2024) and can compel production of information including technical systems data. For employment law aspects of the same issue — if the privacy breach is connected to unfair dismissal or adverse action — you may also have Fair Work Act remedies available simultaneously.