So you are hiring. What do you need to do to meet your privacy obligations? Here’s an easy checklist of do’s and don’ts. They all relate back to the 12 privacy principles that guide the collection, use, storage and disposal of personal information.   

Applications

When calling for applications, the key thing to remember is to only ask for information that is relevant to the applicant’s suitability for the particular role. For example, an airline might need to know certain medical information about a candidate because a flight attendant might not be able to work safely if they had certain health conditions. But if it's not relevant to the role, don't ask for it.

Other considerations:

• It’s important to keep the identities of applicants and their personal information confidential.
• Disclose the information only to those who are directly involved in the recruitment. It is not okay to share the applications around your workplace or talk about them with anyone else.
• Make sure you store the information safely and securely from unauthorised access.

Interviews

It is also important at the interview stage to take reasonable steps to protect the identity of your applicants including, and perhaps especially, for internal candidates. 

You might want to consider holding the interviews away from the office if you think it might be more appropriate, especially if candidates will be easily recognised. You have a duty not to breach an applicant’s privacy by doing anything that might reveal they have applied for the role.  

Reference and other checks

You can only contact the referees that an applicant nominates. This includes for internal applicants. If the applicant has not agreed to the employer approaching a person, the employer should not approach that person for information.

If there is someone other than an applicant's nominated referees whom you would like to get a reference from, you must first get the applicant’s express consent.

If the applicant doesn’t consent:

• You can’t go ahead and speak to that other person anyway;
• But you can draw your own conclusions on what this might say, or might not say, about an applicant’s suitability. 

Remember to always check with the referee if their comments are provided in confidence to you. Otherwise, you may be obliged to disclose their comments if the applicant asks for them.

Get the applicant’s prior consent to any vetting you are going to do. This includes checking for qualifications, criminal convictions, police vetting (which is necessary for particular types of jobs), and credit checks. But only undertake credit checks if the role carries a significant financial risk. Even asking for consent to do a credit check requires justification.

You can use publicly available information to help inform your assessment of an applicant’s suitability. Some employers might carry out a Google search to find out what is out there about an applicant. 

But it is not okay to:

• ask applicants for their social media login details
• ask them to befriend you online so you can check them out
• ask an existing online friend to check them out for you.

After the recruitment

Check with your successful applicant what they are happy for you to disclose about them when you announce their appointment, and when. The personal information they provided you in their application is not necessarily information they are happy to share more widely.

Take care with the way information you have gathered is handled:

• You cannot use the information you obtained in a recruitment process for any other purpose, except with the applicant’s express consent. 
• Securely destroy the applications of unsuccessful candidates, unless you have received their prior consent to keep their personal information on file in case another suitable opportunity should arise. 
• If you used a recruitment agency, make sure they do the same. As they were working for you, you are responsible for ensuring that they meet your privacy obligations to applicants.

Further references

See our case notes on this subject, including these relevant cases:

• Manager gave unauthorised reference for woman applying for internal transfer
• Ability to withhold evaluative material from job applicant
• Collection of credit information when not relevant to the role
• Employer responsible for actions of recruitment agency
• Asking applicants about pending criminal charges

 Image credit: Clint Tierney (2008) via Digital NZ.

employment