The Office of the Victorian Information Commissioner ('OVIC') published, on 16 November 2021, guidance regarding privacy considerations for defined entities, when complying with their obligations under the Gender Equality Act 2020 ('GE Act'). In particular, the OVIC highlighted that the GE Act requires defined entities to develop a Gender Equality Action Plan ('GEAP') and conduct a workplace gender audit. Furthermore, the OVIC explained that the GEAP must include the results of the audit and must be submitted to the Commission for Gender Equality in the Public Sector ('the Commission'). Additionally, the OVIC noted that, most defined entities have privacy obligations under the Privacy and Data Protection Act 2014 and Health Records Act 2001, requiring them to collect, use, and disclose personal and health information in accordance with the Information Privacy Principles ('IPPs') and Health Privacy Principles.

More specifically, the OVIC clarified that, the audit must be based on gender-disaggregated data and, if available, data about aboriginality, age, disability, ethnicity, gender identity, race, religion, and sexual orientation. Therefore, the OVIC added that, conducting the audit and submitting a GEAP to the Commission requires the collection, use, and disclosure of:

• personal information about an employee’s classification, salary, gender, and employment basis;
• if available, sensitive information about an employee’s aboriginality, ethnicity, race, religion, and sexual orientation; and
• if available, health information about an employee’s disability.

Moreover, the OVIC noted that IPP 2.1(f) permits personal and sensitive information to be used where the use is required or authorised by law. Furthermore, the OVIC stated that, as a defined entity has a legal obligation, under Sections 10 and 11 of the GE Act, to conduct the audit and develop a GEAP, it is permissible for a defined entity to use personal and sensitive information already held about employees to do so. In addition, the OVIC highlighted that, when collecting new health information, personal data, or sensitive data, a defined entity must take reasonable steps to notify its employees of a range of matters related to the collection, including the purpose for which the information is collected, any law requiring the collection, and the organisations or individuals to whom the information is usually disclosed.

You can read the guidance here.