As an employer, you owe non-employees certain privacy obligations. Notably, the government revamped Australia’s privacy laws by introducing the Australian Privacy Principles (APPs). These principles outline the mandatory requirements of certain businesses and how the Privacy Act functions in practice. As a result, many companies ask whether they owe any privacy obligations to non-employees, including applicants and contractors. This article explains your privacy obligations to non-employees.

Who Do the APPs Apply To?
The APPs apply to ‘APP entities’, which must comply with the principles. An APP entity can be a sole trader, partnership, trust, company or unincorporated association.
Generally, a business is an APP entity if its annual turnover exceeds $3 million. However, some businesses are APP entities even if their annual turnover is less than $3 million. These include:
- health service providers;
- businesses that trade in personal information;
- credit reporting bodies;
- employee associations; and
- reporting entities under anti-money laundering and counter-terrorism laws.
When Do APPs Apply to a Non-Employee’s Personal Information?
Understanding your privacy obligations towards non-employees is important because the exemption that applies to ‘employee records’ does not cover the personal information of such persons. That exemption may apply only when you are managing the records of a current or former employee.
When handling the personal information of non-employees, the APPs require you to meet certain obligations. In particular, you must examine the following three areas.
1. Your Business’ Privacy Policy
A privacy policy details your business’ protocol for dealing with the personal information it directly or indirectly collects. Under APP 1, your organisation must:
- take reasonable steps to implement practices, procedures and systems to:
  - ensure you comply with the APPs and any registered APP code, such as principles the Privacy Commissioner approves for a particular organisation; and
  - handle inquiries and complaints relating to breaches of privacy;
- clearly communicate how you will use the personal information; and
- ensure the privacy policy is freely accessible, available online (if appropriate), and available on request.
To ensure your privacy policy is compliant with APP guidelines, your policy should detail:
- the types of personal information that your business collects and holds;
- how your company holds this information;
- why you collect, store, use and disclose this information; and
- how an individual can access and correct personal information.
2. Responding to Job Applications
If your business receives personal information from applicants or other persons that it did not invite, it must take specific steps to show that it did not actively ‘collect’ this information (APP 4).
For instance, someone may apply for a job that does not exist: you never advertised the position, yet you received applications for it. If you believe the information is essential to your business functions and activities, it may be permissible to retain it.
However, if the information is mainly irrelevant and carries no real significance to your business functions or activities, you must:
- destroy the paper, text message or email that contains the information; or
- de-identify the information so that the person’s identity can no longer be ascertained.
3. Privacy Obligations When Sending Personal Information Overseas
If you disclose an individual’s personal information to a related corporation or other third parties outside of Australia, you must do so under certain conditions (APP 8.1).
These conditions require you to:
- disclose the information for the same reason it was collected unless some exception exists or the person has given permission; and
- be reasonably sure that the third party will not breach the APPs by misusing the person’s personal information.
For example, imagine you run a recruitment service and provide an overseas organisation with the personal data of potential candidates to do all of the reference checks. In this instance, you would need to take steps to ensure that this external, overseas organisation is compliant with the APP.
Key Takeaways
The APP requires you to examine specific areas when dealing with the personal information of non-employees. These areas include a privacy policy, job applications, and information disclosed overseas.
If you need to update your privacy policy to comply with the APPs, our experienced employment lawyers can assist as part of our LegalVision membership. You will have unlimited access to lawyers to answer your questions and draft and review your documents for a low monthly fee. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
The APPs are guidelines regarding the mandatory requirements that APP entities must comply with.