The recent introduction of new Privacy legislation in Australia has some important lessons for human resource managers, particularly in relation to how information about consultants or job seekers is stored and transferred.

The Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles (APPs). The APPs guide organisations in their dealings with records of personal information.

In general, the laws apply to organisations with an annual turnover of more than $3,000,000. The APPs only regulate personal information collected for inclusion in a record or generally available publication – they do not apply to information 'carried in a person's head'.

An act or practice of an APP entity that occurs on or after 12 March 2014 and that breaches an APP in relation to personal information about an individual, is 'an interference with the privacy' of the individual. The Privacy Commissioner has powers to investigate possible interferences with privacy, either following a complaint by the individual concerned or on the Commissioner's own initiative. Where an individual makes a complaint, the Commissioner will generally attempt to conciliate the complaint.

The Commissioner also has a range of enforcement powers and other remedies available. The Privacy Commissioner may apply to the courts for an injunction to restrain a person from engaging in conduct that would constitute a breach of the Act. The Privacy Commissioner may also apply to the courts for an order that an entity pay the Commonwealth a civil penalty. A serious and repeated interference with privacy can expose the corporate offender to a civil penalty of up to $1.7 million ($300,000 for individuals).

Privacy breaches committed by an organisation's employees while performing their employment duties are taken to be an act done or practice engaged in by the organisation.

Make your privacy policy available to non-employees

APP 1 requires an organisation to:

  • take reasonable steps to implement practices, procedures and systems ensuring compliance with APPs and any binding registered APP code, and is able to deal with related inquiries and complaints
  • have a clearly expressed and up-to-date APP Privacy Policy about how personal information is managed, and
  • take reasonable steps to make its APP Privacy Policy available free of charge in an appropriate form and, upon request, in a particular form.

The employee records exemption does not apply when an organisation is dealing with personal information relating to the following:

  • prospective employees and job applicants
  • independent contractors, including sole traders and consultants
  • persons working in your workplace who are employed by a third party employer, such as employees seconded or on-hired to your workplace by labour hire agency or a related entity, and
  • volunteers.

When an organisation is collecting personal information relating to a person in any of the above categories it would need to take reasonable steps to make its APP Privacy Policy available to those persons.

Unsolicited job applications

APP 4 outlines the steps an organisation must take if it receives unsolicited personal information. Unsolicited personal information is personal information received by an organisation where it has not taken any active steps to collect the information. An example, in the human resource management area is where an employment application sent to an organisation on an individual's own initiative and not in response to an advertised vacancy.

If an organisation receives unsolicited personal information, it must satisfy itself the information is reasonably necessary for, or directly related to, one or more of its functions or activities.

If not, the information must be destroyed or de-identified as soon as practicable if it is lawful and reasonable to do so.

If an organisation is not required to destroy or de-identify the unsolicited personal information it must keep the information secure and only use it for its functions or activities.

Transfer of personal information about non-employees off shore

Under APP 8.1 if an organisation discloses personal information about an individual to a related body corporate or third party contractor located outside of Australia, it must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. The disclosure will need to be for the primary purpose for which the information was collected unless an exception applies or the individual consents.

An example is where an Australian organisation, as part of a recruitment drive, provides the personal information of job applicants to an overseas services provider to perform reference checks on behalf of the Australian entity.

Action points for employers

  • Ensure your privacy policy has the requisite content and is accessible in a manner required by privacy laws
  • develop specific protocols for handling unsolicited information received by job seekers, and
  • train managers and human resources officers to deal with personal information about candidates, volunteers and contractors in a manner consistent with Australian Privacy Principles.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.