Avoiding Privacy Issues When Recruiting Staff: 10 Practical Tips

When a potential hire sends you their CV, you will likely collect their personal information. For organisations covered by the Australian Privacy Act (or GDPR or CPRA), this triggers certain legal obligations. For other organisations, it’s still good practice to have processes and procedures for managing personal information – especially if you want to harness privacy as a competitive advantage.

Australian Privacy Laws: What Employers Should Know 

Australia’s Privacy Act and the Australian Privacy Principles apply to businesses with an annual turnover of $3 million or more, as well as all private health services providers, certain small businesses, and all Australian Government agencies. These employers must comply with the law – even in the context of collecting personal information from candidates.

Organisations that aren’t covered by Australia’s federal privacy law may be covered by state or territory surveillance laws.  

It’s also important to be aware of the federal Fair Work Act, which requires all employers to collect and keep certain personal information about their employees.  


Protect Your Reputation by Implementing Good Privacy Practices  

In 2019, Shell made headlines when it forced job applicants to submit to blood testing and waive privacy rights to be considered. The ABC’s coverage of the story noted that the third-party recruiter required applicants to sign a waiver that allowed them to send their data, medical records, and blood samples overseas – to countries with fewer privacy protections than Australia.  

The ABC itself also faced scrutiny and backlash when it required applicants to disclose their gender, age, ethnicity, and disability status in a job advertisement. This sensitive information was not relevant to the position.   

This kind of coverage is never good for any organisation. Good privacy practices, including training for your team, can go a long way towards avoiding these situations – and the reputational damage that comes with them.

10 (Quick) Practical Tips for Better Privacy When Hiring Employees 

  1. Obtain informed consent before collecting any information from job applicants. You can do this by requiring candidates to check a box or e-sign a form that states they have read your privacy policy and consent to the collection of their data for the purposes of hiring.  
  2. Let potential employees know what data will be collected as part of the hiring process at the earliest possible stage – and what happens to that data.
  3. Don’t collect information you don’t need to make your hiring decision. 
  4. Do not collect sensitive information about your applicants, such as biometrics, unless absolutely necessary.  
  5. Implement appropriate security and processes for managing the data of candidates while you make your hiring decisions. And make sure your processes include deleting the data when you no longer need it.  
  6. Publish details about the personal information collected to make hiring decisions and its lifecycle in your privacy policy. Make sure the information is clear, as concise as possible, and easy to understand.  
  7. Consider your privacy obligations, commitments, or preferences before outsourcing hiring to a third party.
  8. Provide information in advance about any workplace surveillance.  
  9. Assign ‘applicant privacy’ as an accountability to a team member or department to ensure someone takes ownership of it.  
  10. Train your team so they understand privacy risks that arise during the hiring process (and can respond accordingly if any issues crop up in practice).  


Better Data Management with Privacy 108

Wherever you are on your data management maturity path, we can provide the advice, support and implementation assistance you need.

Our data management services include:

  • Creating a data management strategy for your organisation.
  • Identifying data management visions and objectives.
  • Establishing data governance programs including defined roles and responsibilities for ensuring accountability and ownership of data assets.
  • Creating data inventories and data flow maps.
  • Developing data management policies and procedures.
  • Training and awareness programs.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.