Australia’s privacy laws were revamped with the introduction of the Australian Privacy Principles (APPs). As a result, many businesses are asking whether they owe any privacy obligations to non-employees, including applicants and contractors.
Under what circumstances will the APPs apply to the personal information of non-employees?
Understanding your privacy obligations to non-employees is very important, as the personal information of such persons will not be covered by the exemption that applies to ‘employee records’. This exemption may, however, apply when you are managing the records of a current/former employee.
With regard to the personal information of non-employees, you are required by the APPs to do certain things. The following areas ought to be examined:
- How you respond to job applications that are sent through; and
- How, and in what circumstances, you will send personal information overseas.
- Take reasonable steps to implement practices, procedures and systems to:
  - Make sure you are compliant with the APPs and any registered APP code, such as any principles that are pre-approved by the Privacy Commissioner for a particular organisation; and
  - Handle inquiries and complaints relating to breach of privacy.
Responding to job applications that are sent through
If your business receives any information from job applicants or other persons that is unsolicited, i.e. not invited, there are certain steps your business must take in proving that you did not actively ‘collect’ this information (APP 4).
For instance, someone may apply for a job that doesn’t exist, i.e. you never put an advertisement online for any available position at the business and received applications regardless. This is a common situation that Australian SMEs deal with all the time; we here at LegalVision encounter it almost daily! What should they do with these applications? Where should they be kept, if at all? If you believe that the information is reasonably important for the business’ functions and other activities, it may be permissible to retain the information.
If, however, the information is largely irrelevant and carries no real significance to your business’ functions or activities, you are required by law to do any of the following:
- Destroy whatever materials you have that carry the information (paper, text messages, email, etc.); or
- Take steps to ensure that the identity of the person cannot possibly be ascertained.
If you find that the information is reasonably necessary to your business’ functions or activities and you are not required to destroy it, you must still safeguard the information and only use it for the purposes for which you are allowed under the APPs to use it.
Your privacy obligations when sending personal information overseas
There are certain conditions placed on the lawful disclosure of an individual’s personal information when it is sent to a related body corporate or other third party that is outside of Australia (APP 8.1).
Two conditions apply. First, the business must disclose the information for the same reason it was collected, unless some exception exists or the person has given permission. Secondly, you must be reasonably sure that the third party will not breach the APPs by misusing the person’s personal information.
For example, imagine you run a recruitment service and provide an overseas organisation with the personal data of potential candidates so that they can then do all of the reference checks. In this instance, you would need to take steps to ensure that this external, overseas organisation is compliant with the APPs.
Don’t forget to provide adequate training to HR and others in managerial positions about handling the personal information of potential employees, volunteers and contractors to avoid breaching the APPs.