Employers need to comply with the Privacy Act when they’re recruiting. This includes getting consent, being transparent about data collection and use, only collecting necessary information, and protecting candidate data.

Applications

When you’re calling for applications, only ask for information that is relevant to the applicant’s suitability for the particular role. For example, an airline might need to know certain medical information about a candidate because a flight attendant might not be able to work safely if they had certain health conditions. But if it's not relevant to the role, don't ask for it.

Other considerations:

  • It’s important to keep the identities of applicants and their personal information confidential.
  • Only share the information with people who are directly involved in the recruitment of that role. It’s not okay to share the applications around your workplace or talk about them with anyone outside the process.
  • Make sure you store the information safely and securely from unauthorised access. That means limiting access to digital files but also taking care with paper files in the office. 

Interviews

It’s important at the interview stage to take reasonable steps to protect the identity of your applicants including, and perhaps especially, for internal candidates. 

You might want to consider holding the interviews away from the office if you think it might be more appropriate, especially if candidates will be easily recognised. You have a duty not to breach an applicant’s privacy by doing anything that might reveal they have applied for the role.

Reference and other checks

You can only contact the referees that an applicant nominates. This applies to internal applicants as well. If the applicant has not agreed to the employer approaching a person, the employer should not approach that person for information.

If there is someone other than an applicant's nominated referees that you would like to get a reference from, you must first get the applicant’s express consent.

If the applicant doesn’t consent:

  • You can’t go ahead and speak to that other person anyway.
  • You can draw your own conclusions on what this might say, or might not say, about an applicant’s suitability.

Remember to always check with the referee if their comments are provided in confidence to you. Otherwise, you may be obliged to disclose their comments if the applicant asks for them.

Get the applicant’s prior consent to any vetting you are going to do. This includes checking for qualifications, criminal convictions, Police vetting (which is necessary for particular types of jobs), and credit checks. Only undertake credit checks if the role carries a significant financial risk. Even asking for consent to do a credit check requires justification.

You can use publicly available information to help inform your assessment of an applicant’s suitability. Some employers might carry out a Google search to find out what’s out there about an applicant. 

It’s not okay to:

  • ask applicants for their social media login details
  • ask them to befriend you online so you can check them out
  • ask an existing online friend to check them out for you.

After the recruitment

Check with your successful applicant what they’re happy for you to disclose about them when you announce their appointment, and when. The personal information they provided you in their application is not necessarily information they are happy to share more widely.

Take care with the way information you have gathered is handled:

  • You cannot use the information you obtained in a recruitment process for any other purpose, except with the applicant’s express consent.
  • Securely destroy the applications of unsuccessful candidates, unless you have received their prior consent to keep their personal information on file in case another suitable opportunity should arise.
  • If you used a recruitment agency, make sure they do the same. Because they were working for you, you are responsible for ensuring that they meet your privacy obligations to applicants.

Read our case notes on this subject, including these relevant cases: