Australia’s privacy laws were revamped with the introduction of the Australian Privacy Principles (APPs). As a result, many businesses are asking about whether they owe any privacy obligations to non-employees, including applicants and contractors.

Under what circumstances will the APPs apply to the personal information of non-employees?

Understanding your privacy obligations to non-employees is very important, as the personal information of such persons will not be covered by the exemption that applies to ‘employee records’. This exemption may, however, apply when you are managing the records of a current/former employee.

With regard to the personal information of non-employees, you are required by the APPs to do certain things. The following areas ought to be examined:

  1. The terms of your business’ privacy policy;
  2. How you respond to job applications that are sent through; and
  3. How, and in what circumstances, you will send personal information overseas.

The terms of your business’ privacy policy

A privacy policy details your business’ protocol for dealing with the personal information it directly or indirectly collects. Under APP 1, an organisation is required to:

  • Take reasonable steps to implement practices, procedures and systems to:
      • Make sure you are compliant with the APPs and any registered APP code, such as any principles that are pre-approved by the Privacy Commissioner for a particular organisation;
      • Handle inquiries and complaints relating to breach of privacy;
  • Clearly communicate in the privacy policy how the personal information will be used, disclosed, and generally handled; and
  • Ensure that the privacy policy is freely accessible, can be found online (if appropriate) and is available on demand.

Make sure that your privacy policy is compliant with APP 1 by speaking with a small business lawyer. Your lawyer will help to make sure that your privacy policy contains the requisite content and is available and accessible to all non-employees.

Responding to job applications that are sent through

If your business receives any information from job applicants or other persons that is unsolicited, i.e. not invited, there are certain steps your business must take in proving that you did not actively ‘collect’ this information (APP 4).

For instance, someone may apply for a job that doesn’t exist, i.e. you never put an advertisement online for any available position at the business and received applications regardless. This is a common situation that Australian SMEs deal with all the time; we here at LegalVision encounter it almost daily! What should they do with these applications? Where should they be kept, if at all? If you believe that the information is reasonably important for the business’ functions and other activities, it may be permissible to retain the information.

If, however, the information is largely irrelevant and carries no real significance to your business’ functions or activities, you are required by law to do any of the following:

  • Destroy any materials you hold that carry the information (paper, text messages, email, etc.); or
  • Take steps to ensure that the identity of the person cannot possibly be ascertained.

If you find that the information is reasonably necessary to your business’ functions or activities and you are not required to destroy it, you must still safeguard the information and only use it for the purposes for which you are allowed under the APPs to use it.

Your privacy obligations when sending personal information overseas

There are certain conditions placed on the lawful disclosure of an individual’s personal information when it is sent to a related body corporate or other third party that is outside of Australia (APP 8.1).

Two conditions apply. First, the business must disclose the information for the same reason it was collected, unless some exception exists or the person has given permission. Second, you must be reasonably sure that the third party will not breach the APPs by misusing the person’s personal information.

For example, imagine you run a recruitment service and provide an overseas organisation with the personal data of potential candidates so that they can then do all of the reference checks. In this instance, you would need to take steps to ensure that this external, overseas organisation is compliant with the APPs.

Don’t forget to provide adequate training to HR and others in managerial positions about handling the personal information of potential employees, volunteers and contractors to avoid breaching the APPs.

Conclusion

If you need to update your Privacy Policy to be in accordance with the APPs, or wish to modify your employment contracts so that your employees are made liable for any personal breaches of the APPs, contact LegalVision on 1300 544 755.

Emma Jervis
