RCSA Reference Checking – Part 5


RCSA Reference Checking Manual PART FIVE Privacy


Table of Contents

Key Points
Introduction to Privacy
Privacy as a Human Right
RCSA Take on Privacy
RCSA Code and Privacy Law
Examples of breaches
Arbitration Example
History & Development
Regimes for Protection
Common Law
Privacy Acts & Codes
Public/Private Sector
Other Regimes
Secrecy & Statutory Confidentiality
PEA Legislation
Spent Convictions/Clean Slate
Discrimination & Human Rights
Workplace Protections
Principles & Practical Applications
An Assumption
Privacy and Recruitment
Information Lifecycle Management
Privacy Transaction
Definitions
Personal Information
Sensitive Information
Publicly Available Information
Collection
Collection – Key Principles
Information may only be collected if it is necessary for the proper (lawful) performance of one or more of the collecting agency’s tasks or functions
Information should be collected directly from the person whom it concerns
Information may only be collected by means that are lawful and fair
RCSA Code Response
Tell your candidates (and referees and clients) about your information collection practices
Ponder Point
The Referee is a person too!
Sometimes you need consent or permission
RCSA Code Response
Some Specific Applications
Ponder Point
Use & Disclosure – Key Principle
You can only use and disclose information for the purpose of its collection
Ponder Point
Example:
Finding the Primary Purpose
Ponder Point
Data Quality – Getting it right
Ponder Point
Data Security – Keeping it safe until you do not have to keep it at all
Table 4: Data Security Comparison
What if the Candidate requests destruction of personal information?
Why might you need to keep information against a candidate’s wishes?
RCSA Code Response
Access & Correction – Giving it up for the Candidate
Example:
Why do you need to give Candidates access to their personal information?
Ponder Point
Do I have to give access if the information is confidential?
Can the Candidate see Interview Notes?
What about Psychological Test Reports?
Cross-Border Disclosures
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient)
Conclusion


Key Points

• Good privacy is good business!
• Privacy law provides a set of principles that may be useful in managing a range of exposures related to the handling of personal information across the whole lifecycle of its management.
• The RCSA Code says: Members must take reasonable steps to maintain the confidentiality and privacy of information obtained in the course of their professional practice. AND Members must take reasonable and timely steps to ascertain the extent to which any information they collect may be confidential.
• It has been said in an RCSA Ethics Arbitration conducted externally that:
  »» Information held by a private recruitment agency about a candidate’s suitability for a position is confidential information in respect of which the candidate has an interest. A candidate can reasonably expect that his or her permission should be obtained prior to disclosure.
  »» A candidate who puts him/herself in the hands of a private recruitment agency can expect the confidentiality of the agency’s assessment of his or her suitability to be respected and not disclosed to the client without the candidate’s consent.
  »» Obligations which fall upon members by virtue of the Privacy Principles and the Code must be discharged personally by members and may not be delegated away to others (e.g. to a client).
• Unlike New Zealand, Australia has not yet widely recognised a common law right of action for invasion of privacy.
• In Australia and in New Zealand, privacy law is at its most highly developed form in the Privacy Acts and Codes of the various jurisdictions.
• The principal privacy Acts of Australia and New Zealand continue to be under review.
• Because you cannot always control the information that you may receive from a referee, you need to be alert to the restrictions that apply and position yourself by obtaining necessary consents.
• Recruiters will need to remain alert to identify those circumstances and situations when information is being collected in order to ensure that once collected it is managed in accordance with the privacy laws.
• Information may only be collected if it is necessary for the proper (lawful) performance of one or more of the collecting agency’s tasks or functions.
• Necessity is to be determined on the basis of objective criteria and proved on the basis of admissible evidence.
• Information should be collected directly from the person whom it concerns.
• Information may only be collected by means that are lawful and fair.
• Tell your candidates (and referees and clients) about your information collection practices.
• Sometimes you need consent or permission to collect, use or disclose personal information. Make sure you get it!
• You can only use and disclose information for the purpose of its collection.
• There is generally only one primary purpose for collection of candidate information. It is to assess suitability – either for your own purposes, the client’s purposes or both. Anything else is probably not the primary purpose.
• Privacy laws in Australia and New Zealand do NOT deal with the question of how long you must keep records. Their focus tends to be on safe keeping until the information is no longer required.
• The right of access is usually coupled with a right to correct any errors; or at least to place comparative information on the file where there is a dispute about which of several versions of the facts is correct.
• Such a right helps to ensure the quality of the information that is provided by referees.
• An agency might need to retain documents against a candidate’s wishes and in the face of a direct demand for destruction.
• Rights of access do not imply any right on the part of a candidate to require the destruction of records.
• It has been held in several privacy cases that you do not have to give the candidate access if the information was received subject to an enforceable promise made to the referee that you would keep the information confidential.
• Not every promise of confidentiality that you may make will necessarily be enforceable.
• Take care to ensure that any notes to which a candidate may be entitled to access are objective and non-pejorative.
• In Australia, special measures must be taken to protect information that is being sent out of Australia (including to New Zealand). New Zealand is presently considering the introduction of similar measures.
• Executive & Technical Search (Head-hunting) presents a number of additional challenges because it is often a “closed” (non-transparent) practice.

Four Cardinal Rules

1. Manage your clients’, candidates’ and referees’ expectations. Be open with them about your reference checking practices;
2. Only collect information that is necessary;
3. Only use and disclose information for the purpose for which it was collected;
4. Make sure that whenever you use or disclose information it is accurate, current, complete, relevant and not misleading.


Introduction to Privacy

As many members will have realised, privacy is a BIG TOPIC in recruitment. What is more, it is a comparatively recent development and, like anti-discrimination law, is still in that stage of its development where the law runs up hard against entrenched practices and perspectives, creating something of a compliance nightmare for many organisations.

We did not make Privacy the first part in this Reference Checking Manual because we wanted to introduce some of the other areas of law that affect the way personal information is handled. To a large extent, privacy law operates to draw many of these different areas together.

In this part, we will introduce you to the concept of personal privacy and look at some of the different regimes that have been put in place to protect it. However, the main focus of this part is on privacy practice in the course of reference checking under the Australian Privacy Principles (APPs) in Australia and under the Information Privacy Principles in New Zealand. To avoid confusion with the now obsolete Australian IPPs (public sector) we have used the abbreviation NZPP when referring to the New Zealand Privacy Principles.

Ultimately, we argue that good privacy practice – i.e. practice that complies with the privacy principles – provides an effective means of risk management across a number of legal exposures of the type that we have discussed in earlier parts of this manual.

Think about it – if you could be confident that any information that you used or disclosed about a candidate was current, complete, accurate, relevant and not misleading, you might also feel far more confident that you were discharging your legal obligations to your clients, not acting carelessly, not acting misleadingly, not discriminating against anyone and probably positioning yourself to raise a good defence to a defamation claim. Well, that formula – current, complete, accurate, relevant and not misleading – comes straight out of the privacy principles.

You can see what we are saying – and the Privacy Commissions in Australia and New Zealand are saying it too – good privacy is good business!

Privacy as a Human Right

‘...the claim to privacy is a matter of great and increasing importance in our crowded society, with its unbelievable technological resource and inventiveness. A man (sic) without privacy is a man (sic) without dignity...’ [1]

Both Australia and New Zealand recognise privacy as a human right and have responded to their international treaty obligations - specifically, obligations under Article 17 of the International Covenant on Civil and Political Rights (ICCPR). [2]

RCSA Take on Privacy

Given that privacy is widely recognised as a human right, and one to be enjoyed with other rights in connection with work, it ought to come as no surprise that an industry association that promotes ethical and professional practice amongst Members, who operate in the employment services sector in which hundreds of thousands of privacy exchanges take place daily, should have a special interest in matters of privacy and confidentiality.

This much is implied in the General Principle of the RCSA Code for Professional Conduct which requires that:

Members must observe a high standard of ethics, probity and professional conduct which requires not simply compliance with the law; but extends to honesty, equity, integrity, social and corporate responsibility in all dealings and holds up to disclosure and to public scrutiny.

RCSA’s Code for Professional Conduct also contains express provisions that require Members to observe the confidentiality and privacy of certain information. Principle 1.1 states:

Members must take reasonable steps to maintain the confidentiality and privacy of information obtained in the course of their professional practice.

A companion provision in Principle 1.2 states:

Members must take reasonable and timely steps to ascertain the extent to which any information they collect may be confidential.


1. Professor Zelman Cowen, ‘The Private Man’, Boyer Lectures 1969, Australian Broadcasting Commission, p 9.
2. www.privacy.gov.au/aboutprivacy/history accessed 15 April 2010.



RCSA Code and Privacy Law

Nothing in the RCSA Code detracts from anything that is contained in the privacy laws of the Commonwealth or the States or those of New Zealand. However, it is worth noting that the RCSA Code provisions have a different operation and are not solely concerned with personal privacy.

The first thing to note about Principle 1.1 is that it goes beyond the provisions of the Privacy Act 1988 (C’th) and the Privacy Act 1993 (NZ), which are concerned primarily with preserving the privacy of personal information in relation to individuals. Principle 1.1 recognises that you will also receive a considerable amount of confidential information that might not be covered by the provisions of the Privacy Acts.

For example, information about a Corporate Member or client might not necessarily be personal information about an individual. It might not be protected by the Privacy Acts. But if it is confidential, it would be covered by the Code; and a Member may be found to have acted in breach of the Code if the Member had disclosed it without permission.

Principle 1.2 is designed to ensure that Members have taken timely steps to find out what information is confidential and, if it is confidential, what restrictions apply to it.

Confidentiality might be breached, for example where a Member:

• wrongly disclosed to a candidate’s current employer that a candidate was looking for work;
• wrongly disclosed that an identified client was looking to fill a particular position, which may have had an incumbent whose employment was to be terminated;
• being a consultant, wrongly disclosed confidential information about a former employer;
• wrongly disclosed confidential information discussed at e.g. an RCSA Committee meeting.

This is not an exhaustive list of the circumstances in which the provision would apply. However, it may assist to give some idea of the circumstances in which a Member’s breach of confidentiality might be considered to be conduct that is prejudicial to the interests of the RCSA or conduct that is not becoming of a Member, within the meaning of those expressions as they are used in RCSA’s Constitution.

Examples of breaches

• A member sent a candidate resume to a client without permission. The member had tried unsuccessfully to reach the candidate by mobile phone. The client was the candidate’s current employer.
• A member sent candidate details via the group send e-mail button and forwarded the candidate’s details to his current employer.
• An employment service provider sought to collect unnecessary information about a candidate.
• A member sent candidate information to a client without written permission in a State that had legislation requiring permission to be obtained in writing.
• A member disclosed personal information about a candidate and the candidate’s relatives. The information had nothing to do with a current or former work relationship and was not based upon any employment record – it was more in the nature of “mere chat”.


Arbitration Example

Here is a note prepared in relation to one matter that went to independent arbitration in NSW under the RCSA Code.

An arbitration conducted in Sydney recently has cleared a Member of any breach of the RCSA Code in connection with the Member’s handling of candidate information. Having clarified the operation of Members’ privacy and confidentiality obligations arising under the Code, the arbitrator determined that the Member, through use of adequate web-based consent procedures had sufficiently informed the candidate as to its privacy handling practices and had obtained necessary permission to disclose confidential information.

Four findings are of particular importance to Members.

1. The Code operates to require members to abide by the National Privacy Principles.

The finding, which was consistent with RCSA’s submission, clarifies the relationship between the privacy laws, the RCSA Code for Professional Practice and RCSA’s disciplinary jurisdiction. In short, it means that RCSA does have a disciplinary role to play when a complaint is made to it about a Member’s handling of private information.

2. Information held by a private recruitment agency about a candidate’s suitability for a position is confidential information in respect of which the candidate has an interest; and in respect of which a candidate might reasonably expect that his or her permission should be required prior to disclosure.

The finding, again consistent with RCSA’s submissions, confirms that a Member’s evaluative material, including its reference check notes and its own notes and assessment about candidate suitability attract the protections of confidentiality which exist for the benefit of the candidate and not just for the agency or the client.

3. A candidate who puts him/herself in the hands of a private recruitment agency can expect the confidentiality of the agency’s assessment of his or her suitability to be respected and not disclosed to the client without the candidate’s consent.

4. Obligations which fall upon members by virtue of the National Privacy Principles and the Code must be discharged personally by members and may not be delegated away to others (e.g. a client).

This finding was also consistent with RCSA’s submission and clarifies that it may not be safe to rely upon a client’s directions or assurances as to any manner in which the client might propose to discharge the Member’s privacy obligations – e.g. with respect to obtaining consent. This is particularly important in the case of internal applicants who apply from within the client organisation. Once an agency becomes involved it must discharge any obligations that fall upon it.


History & Development

The law of privacy in Australia, at least initially, had a stifled development at common law. Statutory modifications – e.g. under Freedom of Information legislation throughout the 1970s and 1980s and credit reform legislation – began to have an impact in a limited number of areas.

In 1988 the Privacy Act was passed by the Commonwealth Government. It dealt mainly with privacy in the public sector.

In 1993 New Zealand launched a world leading privacy law initiative with the passing of the Privacy Act 1993, which provided a wide range of protections in both public and private sectors.

In 2001 and 2002 Australia followed suit with the phased extension into the private sector of privacy protections in the form of the National Privacy Principles. There were, and remain, however a substantial number of organisational and situational exemptions – notable amongst which were:

• an exemption for small businesses [3] except in some circumstances;
• an employee record exemption [4]

both of which we will consider in more detail later in this chapter.

Australian privacy law underwent a major revision in 2014 with the commencement in March of that year of the Australian Privacy Principles and the grant of new powers of enforcement to the privacy regulator.

In 2003 Australia passed anti-spam legislation [5] with New Zealand passing similar legislation in 2007. [6] Various States have passed workplace surveillance laws, New South Wales being a leader in promulgating legislation in this field. [7]

Privacy topics develop with surprising speed as a range of new technologies and approaches become available to be both used and abused in connection with the monitoring of work performance and recruitment. Surveillance, the use of special networking as a recruitment source and avenue of inquiry, identity fraud and identity theft are just a few of the topics that attract attention in this field.

Regimes for Protection

In this section we describe, briefly, some of the various regimes that may be available to protect personal information and privacy.

Common Law protects confidential information by recognising a right of action (entitlement to sue) for damages (compensation) and injunctions (orders restraining disclosure etc) for anyone whose confidential information has been used or disclosed without their consent.

Common Law

Common Law protects privacy by recognising a right of action (entitlement to sue) for damages (compensation) and injunctions (orders restraining disclosure etc) for an individual whose privacy has been invaded without their consent.

Australia has not yet widely recognised a common law right of action for invasion of privacy although some members of the High Court have acknowledged that such a right may emerge, at least for individuals rather than corporations [8]; and two intermediate courts at State level have recognised the right. [9]

New Zealand, on the other hand, has recognised such a right [10] where the plaintiff can prove:

• the existence of facts in respect of which there is a reasonable expectation of privacy; and
• publicity given to those private facts that would be considered highly offensive to an objective reasonable person.

In one case [11], a person who had been convicted of sexual offences against a child succeeded in recovering NZ$25,000 in damages, when police distributed an identifying leaflet to residents in an area where he lived upon being released from prison.

3. With annual turnover less than $3 million.
4. Section 7B(3) Privacy Act 1988 (Cth).
5. Spam Act 2003 (C’th).
6. Unsolicited Electronic Messages Act 2007.
7. See e.g. the Workplace Surveillance Act 2005 (NSW).
8. Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63; (2001) 208 CLR 199 at [132] per Gummow and Hayne JJ; at [335] per Callinan J.
9. Grosse v Purvis [2003] QDC 151; Doe v Australian Broadcasting Commission – County Court Vic 2007 Hampel J.
10. Hosking & Hosking v Simon Runting & Anor [2004] NZCA 34 (25 March 2004).
11. Brown v A-G [2006] DCR 630.



Privacy Acts & Codes

In Australia and in New Zealand, privacy law is at its most highly developed form in the Privacy Acts and Codes of the various jurisdictions. [12]

Public/Private Sector

In New Zealand, no relevant distinction is made between public sector and private sector agencies which hold personal information.

In Australia, different privacy regimes presently apply to public and private sectors, though this may be about to change. At federal level, the Privacy Act 1988 establishes the Australian Privacy Principles, which operate in the Commonwealth public sector as well as in the private sector. However, there are some slight differences between their application to public sector agencies and private sector organisations.

The States and Territories have passed legislation or introduced administrative arrangements that cover privacy in their respective public sectors. A majority of them have also passed legislation that covers rights of privacy and access to health records.

Privacy Codes may be approved on a sector-by-sector basis to provide equivalent protection that is more specifically tailored to the requirements of the particular sector of operation. For example, a Code operates in the Queensland clubs sector. In 2001, ITCRA sought, unsuccessfully, to obtain approval for a Recruitment Industry Privacy Code binding on its members. Despite the withdrawal of the application and the fact that it never came into operation, some agencies still claim (14 years later) to be operating under its provisions. Other agencies simply renamed it the RCSA Privacy Code and continue to imagine that RCSA is administering it!

Other Regimes

In addition to the principal privacy Acts, various other statutory regimes which afford privacy rights, or rights akin to privacy, have been established at National, Federal, State and Territory levels.

Secrecy & Statutory Confidentiality

Many Acts of Parliament contain secrecy and confidentiality provisions. These are common where the legislation relates to the provision of State services such as health, education, family, welfare or employment services. Contracted service providers will often be required to meet statutory secrecy and confidentiality standards.

PEA Legislation

Private Employment Agency legislation may deal with issues of candidate privacy by restricting the purposes for which information may be used – e.g. for job seeking purposes only; or by restricting disclosure without written permission. It is advisable to see what legislation applies in any jurisdiction where you are carrying on business to see what provisions may apply to you.

Spent Convictions/Clean Slate

Spent Convictions legislation is operative in Australia in the federal sphere and in each of the States and Territories with the exception of Victoria and South Australia. In Victoria, a police administrative policy operates in lieu of spent convictions legislation. The basic purpose of these schemes is to place certain criminal convictions beyond disclosure if there has been no further offence after a given period of time. The times and circumstances may differ between the jurisdictions and may depend upon the nature of the conviction and the manner in which it was prosecuted. The schemes also operate to prevent a person from being asked about spent convictions and provide statutory justification for the provision of a false answer in the event that a person is asked about a spent conviction in contravention of the protective legislation.


12. Privacy Act 1988 (C’th); Privacy Act 1993 (NZ).



In some jurisdictions, the provisions are backed up by anti-discrimination laws that prohibit discrimination on the ground of irrelevant criminal record.

A similar scheme operates in New Zealand under Clean Slate legislation introduced in 2004.

Discrimination & Human Rights

Rights of privacy are recognised in various Human Rights documents. The ACT and Victoria have passed Human Rights legislation that recognises privacy as a human right, though the extent of the protection actually afforded is considered to be quite vague and generally inferior to statutory rights of protection under the Privacy Act 1988 (C’th). In New Zealand, Article 21 of the New Zealand Bill of Rights Act 1990, which assures the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise, has been interpreted as protecting the right to privacy.

Workplace Protections

Sophisticated workplace surveillance legislation exists in New South Wales extending to matters such as surveillance by means of software or other equipment that monitors or records the information input or output, or other use, of a computer (including, but not limited to, the sending and receipt of emails and the accessing of Internet websites). [13]

Principles & Practical Applications

Having provided a broad introduction to privacy law and some related fields, we can now look in more detail at some aspects of privacy practice with particular application to reference checking and candidate suitability assessment practice.

An Assumption

In this part, we make an important assumption – i.e. that you operate under the Privacy Principles that apply in your jurisdiction to private sector organisations.

We cannot always take that assumption for granted because, as you may perhaps have seen already, there could be a number of exceptions. You could be recruiting:
• under a “Permitted General Situation” [14];
• under a Privacy Code;
• into a sector that has specific requirements – e.g. health, security etc.;
• under enhanced arrangements for International Data Transactions;
• under contractual modifications that extend public sector, merit protection, record keeping and privacy obligations;
• under additional State/Territory Laws – e.g. Queensland’s Private Employment Agents (Code of Conduct) Regulation 2005, which requires that you must have written permission before disclosing a candidate’s personal information; and that you may only use the candidate’s personal information for the purposes of seeking employment (i.e. no secondary purpose). [15]


13. S.3 Workplace Surveillance Act 2005 (NSW).
14. The APPs operate subject to a number of Permitted General Situations, which may have only limited (but some) relevance to recruitment operations. In any case where an exception is to be considered, regard ought be had to the Permitted General Situations.
15. Code Schedule sections 14 and 15.



There may be other exceptions as well.

Privacy and Recruitment

Let us look at two key concepts that may assist to unlock some of the uncertainties that surround the question of privacy in recruitment.

Information Lifecycle Management

We have already stated that privacy is a big topic in recruitment. That is because, unlike other areas where the law impacts upon the handling of personal information, privacy law affects the whole life cycle of personal information – i.e. from its collection through use, disclosure, storage and security, access, correction and eventually destruction or culling.

Most other areas that we have looked at cover only liabilities that might arise from wrongful collection (e.g. discrimination); wrongful disclosure (e.g. defamation, breach of confidentiality, misleading conduct etc); wrongful use (e.g. negligence); access (e.g. Freedom of Information laws).

Privacy law provides a set of principles that may be useful in managing a range of exposures related to the handling of personal information across the whole lifecycle of its management. We therefore tend to think of the privacy principles as being a framework for good information management rather than as simply a set of legal dot points for compliance and a network of traps for the unwary.

Privacy Transaction

It is helpful to think of an information exchange in transactional terms.

Illustration
• A candidate tells you something – you make a collection.
• You pass that information on to a client – you make a disclosure; the client makes a collection.
• You apply certain information you have gathered about a candidate to your short listing decision and tell your client about it – you make a use and disclosure of that information; the client makes a collection.
• The client applies that information to its hiring decision – the client now makes a use… and so on.

You are primarily responsible for holding up your side of the transaction and it is therefore important to know what privacy regime applies to you. It is especially important if you are transacting information across national, state or sector boundaries where different laws may apply each side of the transaction. Once you begin to focus on your side of the transaction the picture becomes much clearer.

Definitions

It is helpful to look at some of the definitions and terminology that we will use in this part.

Personal Information

The Australian Office of the Privacy Commission has given the following explanation (April, 2012):

Personal information is information that identifies you or could identify you. There are some obvious examples of personal information, such as your name or address. Personal information can also include medical records, bank account details, photos, videos, and even information about what you like, your opinions and where you work - basically, any information where you are reasonably identifiable.

The Privacy Act 1993 (NZ) gives the following definition:

personal information means information about an identifiable individual; and includes information relating to a death that is maintained by the Registrar-General…

As you can see, personal information is very broad in its scope. It may include fact or opinion that may be either true or false and may or may not be in material form.



Sensitive Information

Australian privacy law makes special provision for personal information that is “sensitive”. Sensitive information is defined as meaning:
• Personal information or an opinion about an individual’s:
  » racial or ethnic origin;
  » political opinions;
  » membership of a political association;
  » religious beliefs or affiliations;
  » philosophical beliefs;
  » membership of a professional or trade association;
  » membership of a trade union;
  » sexual orientation or practices;
  » criminal record;
• health information about an individual; or
• genetic information about an individual that is not otherwise health information; or
• biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
• biometric templates.

You can see that in the course of reference checking you could collect, or a referee might offer, information about some of these things.

Examples
• “Jo/e Candidate was a good worker but spent a lot of time campaigning for the Labour Party in the last election which left him/her a bit tired for work” (political opinion or membership).
• “Jo/e Candidate was a good operator for most of the time s/he was with us; but when Jo/e seemed to have some type of nervous breakdown after his/her marriage went sour when it was found out that Jo/e had been having an affair with one of the clients we had to let him/her go” (sexual practice; health information).
• “Jo/e Candidate MRCSA is a good consultant but spends too much time volunteering on RCSA committees!” (professional or trade association).

Sensitive information can only be collected with consent and may not be used or disclosed for any purpose that is not the primary purpose of collection or a directly related secondary purpose that is within the individual’s reasonable expectation. Because you cannot always control the information that you may receive from a referee, you need to be alert to the restrictions that apply and position yourself by obtaining necessary consents.

Publicly Available Information

New Zealand

New Zealand Privacy Law allows an agency to collect (otherwise than directly from the individual) and disclose personal information if it has a reasonable belief that the source of the information is a publicly available publication. [16]

Additionally, under New Zealand privacy law, when information is collected from a publicly available source, and not “directly from the individual concerned”, Privacy Principle 3, which requires that certain notifications be given to the subject, would seem to have no application.

Publicly available information is defined in Section 2 of the Privacy Act 1993 to mean information contained in a book; magazine; newspaper; website; public register; or any other type of publication that is available (or will be available) to members of the public generally. The requirement of general availability is not satisfied merely on the basis that the information might be accessible under FOI or similar legislation. [17]


16. Principles 2(2)(a) and 11(b).
17. See e.g. Case Note 100091 [2009] NZPrivCmr 2.



Australia

The position is somewhat different in Australia, where the emphasis is not upon the source; but upon the making and subsequent use or disclosure of a record of personal information. In Australia, once even publicly available information is taken into a record (e.g. candidate file or database), it will need to be managed under the provisions of the Privacy Act. The Privacy Commission materials explain this in the context of information sourced from a newspaper:

… An APP entity does not collect personal information where that information is acquired but not included in a record or generally available publication. For example, a newspaper article containing personal information will not be ‘collected’ by the entity unless, for example, a clipping of the article is kept and stored with other documents held by the entity or the article is scanned and saved into the entity’s electronic database.

Collection

Questions often arise about what amounts to a collection of private information and what does not. Here, as in some other areas, the position in Australia differs from that in New Zealand.

Australia

In Australia, the APP Guidelines explain that:

An APP entity collects personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’. The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means, including from:
• individuals
• other entities
• generally available publications
• surveillance cameras, where an individual is identifiable or reasonably identifiable
• information associated with web browsing, such as personal information collected by cookies
• biometric technology, such as voice or facial recognition.
Collection may also take place when an APP entity generates personal information from other data it holds, such as the generation of an audit log.


The expression “gathers, acquires or obtains” is very broad and can result in information being “collected” in some unexpected circumstances.

Examples
• When information that was previously de-identified is re-identified;
• When an inference is drawn from other information – e.g. an inference about a candidate’s age, or gender identity or religion might be drawn from a photograph.

This means that recruiters will need to remain alert to identify those circumstances and situations when information is being collected in order to ensure that once collected it is managed in accordance with the privacy laws.

It also means that in Australia, unsolicited information – e.g. where a candidate sends an unsolicited resume – will attract the full protection of the Privacy Act; but only if it is collected. If it is not (or cannot lawfully be) collected, then it should be destroyed or de-identified provided that it is lawful to do so.

New Zealand

“Collect” is defined in section 2(1) of the Privacy Act (NZ) and it does not include the receipt of unsolicited information. The position is very clear:

s.2(1) “collect does not include receipt of unsolicited information”

Collection – Key Principles

Despite the differences about the circumstances in which information will be regarded as having been collected, Australia and New Zealand do impose a number of common restrictions. Let us look at some of them now.

Information may only be collected if it is necessary for the proper (lawful) performance of one or more of the collecting agency’s tasks or functions

Necessity is to be determined on the basis of objective criteria and proved on the basis of admissible evidence. Necessity is not satisfied by mere convenience or curiosity. We think that one of the best ways to determine whether information is necessary or not is, firstly, to understand the purpose for which the information is required.



Examples

Some “necessary” purposes might include:
• Validating information provided by the candidate (or by the referee) – but only if the information is necessary and relevant – e.g. there would, in most cases, be no need to “validate” a candidate’s age. There may be circumstances where that is necessary – e.g. where the candidate is to receive an age based rate of payment; or where a candidate must be above a certain age to work in a particular field. Special care needs to be exercised if the only purpose is to undertake validation as a sort of cross-examination about whether the candidate can be believed.
• Matching candidate suitability to the requirements of the job – but only if they are genuine and not unlawfully discriminatory.

You will need to exercise some judgment here. Information will not be regarded as being “necessary” merely because the client wants to know about it.

Example
• A client might say to you: “I don’t want anyone who has ever had a criminal conviction”. However, that instruction would not authorise you to collect unlimited information about candidates’ criminal histories. Firstly, the criminal history might not be relevant to the job – is it relevant that the candidate was prosecuted for having caught undersized fish or for not having renewed a dog licence? It might in some cases; but you would probably agree that in the majority of cases it will not. Secondly, the criminal history may be protected by lapsed sentences or clean slate laws. Thirdly, it may be unlawful to discriminate on the basis of the criminal history or even to collect information that might be used as a basis for unlawful discrimination.

You can see from this example that purpose needs to be assessed having regard to:
• the task that you are performing – e.g. validating information; assessing suitability; shortlisting etc; and
• the proper requirements of the job.

As to the first of these, there is also a question about the timing of the collection. Necessity is to be determined at the time of collection.

Example
• It might be necessary that the successful job applicant be medically fit to undertake the work. That does not mean that it is necessary to subject every candidate to a medical examination. You will eliminate some of them based upon skills, qualification and work experience. Why make them undergo a medical test as well?

The same can be said of other types of information that you might want to collect. The golden rule is information should usually only be collected if it is presently necessary to enable you to perform one or more of your tasks or functions.

Necessity can sometimes be affected by the scope of your contractual obligations to your client.


Example
• What is the necessity to carry out reference checking on a candidate if your terms of business say that the client is responsible for the ultimate hiring decision and that you do not assume any responsibility regarding the candidate’s suitability? Many recruiters do use terms of this type. How would you explain the necessity to obtain say two references from prior employers?

Necessity in a case such as this may have to be determined solely having regard to your need for the information; rather than having regard to your client’s need. The effect of that might be that your reference checking activities would have to take place within a much narrower scope than they would if you had undertaken a responsibility regarding candidate suitability. This aspect of necessity may be especially relevant to the distinction between recruiting on a contingent basis and recruiting on a fee for service or retained basis.

Information should be collected directly from the person whom it concerns

This requirement for direct collection from the individual concerned means that you should collect information about a candidate from the candidate. The APPs state that information may be collected only from the individual unless it is unreasonable or impracticable to do so. Situations will inevitably arise in the course of reference checking, where it will not be practicable to rely solely upon information sourced from the candidate.

Example
• If you have to collect information from a third party because it is necessary in order to corroborate or validate something that the candidate has told you (e.g. about work history) then clearly it is not practicable to rely solely upon the candidate.
• NOTE: the same could be said of information that a referee provides to you because, remember, you have to make certain that the information that you use is current, complete, accurate, relevant and not misleading.

In both Australia and New Zealand, therefore, there are exceptions to the rule.

In Australia, an exception may be made in those circumstances where it is neither reasonable nor practicable to obtain the information directly. What is reasonable and practicable will vary with circumstances; but the test is a high one and direct collection is not made impracticable merely due to additional cost or delay or inconvenience.

In New Zealand, the exceptions are stated more specifically. [18] Relevantly in the context of reference checking, they include circumstances where:
• the information is publicly available information [19]; or
• the individual concerned authorises collection of the information from someone else [20]; or
• compliance with the direct collection requirement would prove impracticable. [21]

The requirement for collection from the person whom it concerns will mean, in most cases where you do collect information from a third party, such as a referee, that you will have to track back to the candidate in order to cross check its accuracy, completeness and currency. It is important that your referees should understand that the proper performance of your tasks as a recruiter may require you to do this. It will impact upon the extent to which you can treat the information obtained from a referee as being “strictly confidential”.

Example
• It might be quite OK to preserve source confidentiality and even confidentiality as to what was actually said; but you may have to disclose the substance (even if paraphrased) in order to ensure that you meet your track back and cross check responsibilities. The dangers in not doing so are not only that you may breach privacy laws; but that you cannot rely on the quality of the information that you are using and may be disclosing to others.

Information may only be collected by means that are lawful and fair

The emphasis here is upon the means of collection rather than upon the type of information collected. Circumstances in which the means of collection might be unlawful could include:
• where the collection is made by unlawful covert surveillance or video;
• where the collection is made by unlawful eavesdropping device;
• where the collection is made by unlawful access to information;
• where the collection is made by using other information (e.g. identifying information) for a purpose for which it may not be used; or
• where the collection is made by procuring a breach of obligations of confidentiality or secrecy.

Fairness, in this context, is a different requirement. The Privacy Commission in Australia interprets ‘fair’ to mean without intimidation or deception or by means that are unreasonably intrusive. “Fair” can also mean that the process is open in the sense that the “rules of engagement” by which you are going to collect information are fully and clearly explained to the candidate.

If you tell your candidates fully and clearly what you intend to do, and manage their expectations about the process, then, in the absence of any coercion, there can only be very limited grounds for any complaint about unfairness if what you do accords with what you have told them and they have assented to it. Recruiters, however, get into difficulty when there is uncertainty about the process or where, in cases of ambiguity, they collect information in ways that might not have been expected in all fairness.

RCSA Code Response

For these reasons, the RCSA Code for Professional Conduct not only requires Members to take reasonable steps to maintain the confidentiality and privacy of information obtained in the course of their professional practice; it also requires them to take reasonable steps to ensure the certainty of their engagement by a Candidate – extending to agreement regarding matters relevant to the Member’s representation of the Candidate including the obtaining of all necessary consents and approvals.

18. NZPP-2.2.
19. NZPP-2.2(a).
20. NZPP-2.2(b).
21. NZPP-2.2(f).



Tell your candidates (and referees and clients) about your information collection practices

Privacy laws in both Australia and New Zealand recognise the need to tell people about whom you collect personal information some basic things about your information handling practices. In Australia this is done through your Privacy Policy and through your Collection Notification. The requirements as to what should be communicated in a Collection Notification differ slightly between Australia and New Zealand; but are broadly similar as can be seen in the comparison shown in the table below.

Ponder Point

As you look at the table, think about what the differences imply. In New Zealand – what is the difference between collecting and holding? Where does the client fit in?

Table 1: Collection Notice Comparison

| Australia | New Zealand |
| --- | --- |
| The fact that the organisation has collected information from a third party – e.g. referee and the circumstances of that collection. | The fact that the information is being collected. |
| The identity of the organisation and how to contact it. | The name and address of: the agency that is collecting the information; and the agency that will hold the information. |
| The fact that he or she is able to gain access to the information and seek correction. | The rights of access to, and correction of, personal information provided by these principles. |
| The purposes for which the information is collected. | The purpose for which the information is being collected. |
| The organisations (or the types of organisations) to which the organisation usually discloses information of that kind. | The intended recipients of the information. |
| Any law that requires the particular information to be collected. | If the collection of the information is authorised or required by or under law: the particular law by or under which the collection of the information is so authorised or required; and whether or not the supply of the information by that individual is voluntary or mandatory. |
| The main consequences (if any) for the individual if all or part of the information is not provided. | The consequences (if any) for the individual if all or any part of the requested information is not provided. |
| How an individual can make a complaint about a breach of privacy. | |
| Whether the organisation is likely to disclose any of the information to an overseas recipient; and, if so, the countries where those recipients are likely to be located. | |

The Referee is a person too!

Do you remember that we defined “personal information” as including information about the opinions, which a person may hold? Your referees will often express their opinions on various matters such as candidate performance, characteristics etc. If you collect those opinions, you are collecting:
• Information about the candidate; AND
• Information about the referee – i.e. that the referee holds such-and-such an opinion.

It is important therefore to remember that your obligations to tell people about your information handling practices extend to your referees as well as to your candidates.

Sometimes you need consent or permission

Permission (consent) is the means by which a candidate can control personal information. The New Zealand Privacy Commission has made the point that:



[Getting consent] doesn’t cause as many problems as you might think. For example, if an applicant hasn’t given a current employer as a referee, it’s worth asking why not. People do not always want a current employer to know that they are looking for another job. Their job could be jeopardised by an inquiry. If you need to speak to the current employer before appointing a person, then tell the applicant you’ll have to do that, and get their agreement.

The rules about obtaining consent and permission come from a variety of sources.

In Australia, the APPs require consent (permission) if you are going to collect “sensitive” information – a special class of personal information. Subject to State laws that might provide otherwise, you can collect “ordinary” personal information (i.e. information that is not “sensitive”) without consent if it is necessary for the proper performance of one or more of your tasks or functions. Again, as we have seen, it is important to distinguish between what is really “necessary” and what is merely “convenient”. We also saw that the APPs state that you can only collect personal information by lawful and fair means. It would be “fair” to tell the candidate what you were going to do before you did it and so, for all practical purposes, if the candidate was still prepared to let you collect the information you would at least have the candidate’s implied consent.

In New Zealand personal information should be collected directly from the candidate unless the candidate has authorised its collection from someone else. This will mean that you would have to obtain candidate permission to collect information (via reference checks) from other people.

Different privacy rules might apply if you are contracted to provide a service to a public sector body; or if you are recruiting for certain types of position where additional security or suitability clearances are required by legislation.

The rules in the privacy principles operate together with laws that protect confidential information – both in Australia and in New Zealand.

Example:
• A candidate might have told you confidentially that he/she is looking for work and has not yet informed his/her employer. It would be a breach of confidentiality to divulge that fact to the current employer whilst trying to do a reference check.

Additionally, some Australian States may have Employment Agency Legislation that requires candidate permission to be obtained whenever an employment agency discloses personal information about a candidate (as must necessarily occur when reference checking).

Example:
• Queensland has passed the Private Employment Agents (Code of Conduct) Regulation 2005, which prohibits the disclosure of candidate personal information without written permission.

Confidential information may not be used or disclosed without the permission of the person who communicated it. This will mean that if the candidate has told you confidentially that he/she is looking for a job you may not use or divulge that information without the candidate’s consent.

RCSA Code Response

RCSA’s Code requires Members to take steps to protect the confidentiality and privacy of information obtained in the course of their professional practice. It is part and parcel of respecting the integrity of persons and behaving in an ethical and socially responsible manner. Members should use these rules to inform their information handling practices. The rules should inform:
• Candidate registration procedures;
• The development of collection statements and privacy policies;
• Documentation practices;
• Reference checking practices;
• The extent to which Members can (or cannot) represent to clients that they can obtain certain types of information.

Some Specific Applications

We will look now at some specific applications of the privacy principles about collection that often give rise to questions in connection with reference checking and recruitment.

RCSA Reference Checking: Part 5 – Privacy



ID Documents

Questions often arise about the practice of scanning ID documents. The Australian Privacy Commission provides some good guidance. Here is an extract from material on its website:

Is ID scanning legal under the Privacy Act? If a business scans your ID when it doesn’t need to collect that information to perform its functions, the scanning will be illegal. If simply sighting your ID would be sufficient, the business should not scan it.

The guideline implies that scanning of proof of identity documents may be problematic, where there is no genuine necessity to collect information in the form of a scanned photograph. Concerns may be raised in the current environment about the risk of identity fraud and identity theft. The balance in most cases seems to be that whilst you are entitled to validate identity, that can be done by means of sighting the documents.

Case Example

• In one case, OPC v An Employment Service Provider, it was alleged that an employment services company had photocopied applicants’ passports and required them to sign a form consenting to a wide range of uses and disclosures of their personal information.22

• The case note indicates that it was the practice of the employment services company to photocopy passports, including the passport number, and store that information to later verify the identity of the individual. The Privacy Commissioner was of the view that photocopying and storing a passport number was a use that was not authorised under privacy principles (which prohibit the use of Government identifiers for non-government purposes). It is interesting that the case note did not indicate whether the Privacy Commissioner considered that the collection practice might also have breached the necessity principle.

Ponder Point

Here are some collection cases taken from Australian and New Zealand Case Notes. How would you have handled the situation differently?

• NZ 88333 – a manager gave an unauthorised reference for a woman applying for an internal transfer with a different branch of the government department that she worked for. When she spoke to the person who interviewed her, she discovered that he had contacted a former manager for a reference, and the manager had provided information about her. This manager was not one of her nominated referees. In NZ, Principle 2 provides that information must be collected from the person concerned unless one of the exceptions applies. Internal candidates for a job are entitled to the same level of privacy protection as external candidates.
• NZ 2686 concerned an unsuccessful complaint that arose when an agency obtained a reference from a person who was not nominated to give it.
• NZ 8744 – an attempt was made to collect information from a doctor after an employee faxed a certificate explaining that the employee was too ill to work.
• NZ 2418 – a psychometric evaluation might have been necessary in connection with a sales representative job; but the complainant should have been told that it would be evaluated by a third party.
• NZ 29987 – information was collected unfairly when the complainant was misled about its confidentiality.
• OPC v ESC – an employment services company sought passport photographs, tax file information and other information unnecessarily.
• SW v Forests – photographs are personal information – collected unfairly when the complainant was not aware.
• NZ 87513 – an employer collected more information than was necessary when it asked about the applicant’s relationship with his wife and children. The employer also asked for references without authorisation.
• Own Motion – an Australian Government agency unlawfully asked applicants to advise whether they had ever suffered from a work related injury or illness.


22. [2005] PrivCmrA 13.



Use & Disclosure – Key Principle

NOTE: In Australia use and disclosure are dealt with together.

In this section we look at the key principle that relates to the use and disclosure of personal information that you collect in the course of reference checking.

You can only use and disclose information for the purpose of its collection.23 Australia and New Zealand state the requirements in slightly different terms. The table below sets these out.

Table 2: Use & Disclosure Comparison

Australia

(Use AND Disclosure) If you hold personal information that was collected for a particular purpose (primary purpose) you must not use or disclose it for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) the individual has consented; or

(b) the purpose is a related secondary purpose for which the individual would reasonably expect its use. In case of sensitive information the secondary purpose must be directly related to the primary purpose.

[a number of additional exceptions are then set out]

New Zealand

(Use) An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose unless that agency believes, on reasonable grounds, - [a number of exceptions are then set out including:]

• that the purpose for which the information is used is directly related to the purpose in connection with which the information was obtained;

CONSENT (Authorisation) operates as an important exception.

(Disclosure) An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds -

(a) that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained;

[Other exceptions are then set out]

CONSENT (Authorisation) operates as an important exception.

You can see that both Australia and New Zealand allow use and disclosure for related purposes. To be related, the additional purpose must be something that arises in the context of the main purpose. In New Zealand the additional purpose must be related directly to the main purpose of collection. Australia allows a little more scope in that the requirement of a direct relationship only exists in the case of sensitive information. You can also see that in Australia the reasonable expectations of the individual will be relevant to determining the scope of any additional use.

Ponder Point

How would you go about managing or shaping the “reasonable expectations” of your candidates in relation to your use or disclosure of their personal information?

The range of permitted uses and disclosures will generally be shaped by the scope of your recruitment role. If your client does not require you to check references (or if, in your terms of business, you disclaim any responsibility to do so) the scope might be somewhat limited.

23. Australia APP-6; New Zealand NZPPs 10 and 11.



Example

• The primary purpose of reference might be to satisfy yourself that the candidate is suitable to be registered with you and to seek work that might be available through your agency. Unless you operate a very highly selective agency, the “threshold of inquiry” in these circumstances might be set somewhat lower than it would be if you were undertaking a retained recruitment exercise on behalf of a client. That is to say the purpose of collection may be satisfied by the provision of less detailed information.

Finding the Primary Purpose

Finding the primary, main or dominant purpose of collection is usually a question of fact and will be decided having regard to the circumstances in which the information is collected.

You might attempt to shape the purpose by declaring that certain additional purposes are equally important as the “primary purpose”. However, this may be only of limited use because you cannot make something other than what it is simply by declaring it to be so…

Let’s have that again! There is generally only one primary purpose for collection of candidate information. It is to assess suitability – either for your own purposes, the client’s purposes or both. Anything else is probably not the primary purpose. Sure, it might be important; but unless you were already collecting information to assess candidate suitability, you probably wouldn’t worry about the other things! So the other things must be secondary. You can’t make them into primary things simply by saying that they are. Hopefully, they will be related closely enough to satisfy the direct relationship test in New Zealand and the related and reasonable expectation test in Australia. If you are in any doubt, you should seek consent from the individual/s concerned – whether it is the candidate, the referee or both.

Ponder Point

Here are some use and disclosure case notes taken from Australian and New Zealand Case Notes. How would you have handled the situation differently?

• NZ 102741 – A recruitment agency disclosed a candidate’s email address to other email recipients including a number of its clients with each of the clients’ email addresses visible. One of the clients complained to the agency about the disclosure of his email address, and received an apology. He did not consider that the apology was satisfactory in the circumstances.
• NZ 7584 – disclosure of a medical report did not breach privacy because the employer had reasonable grounds to believe that it was necessary in the conduct of legal proceedings.
• NZ 18420 – an employer breached privacy when it sought information about workplace theft from the wife of an employee.
• NZ 16723 – an employer disclosed information about an employee’s epilepsy. The information became widely known in the workplace. Customers began to raise concerns about the employee’s ability to do his job – which included some driving.
• C v C’th – a Commonwealth agency breached privacy when it disclosed information about an employee’s sick leave; but not when it disclosed information indicating that the employee suffered from stress in a call centre environment.
• NZ 89291 – a university breached privacy by telling a new employer that there were suspicions of dishonesty and that the complainant (its former employee) had left under a cloud.
• PN v Ed & Training – an employer disclosed information including references to cultural differences between PN and other staff and information about issues that PN had raised at a union meeting. The disclosure did not fall under any of the grounds of exemption.



Data Quality – Getting it right

You would probably consider yourself to be a “recruitment genius” if, most of the time, you could be reasonably certain that the information that you collected, used or disclosed about your candidates was right! Privacy requirements in Australia and New Zealand cast quite a heavy onus on you to achieve that very result. Let’s have a look at how the APPs and NZ Privacy Principles address this requirement.24 The comparison is set out in Table 3 below.

Table 3: Data Quality Comparison

Australia

An entity must take reasonable steps to make sure that the personal information it:

• collects, is accurate, up-to-date, and complete
• uses or discloses, is accurate, up-to-date, complete, and relevant.

New Zealand

An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.

Ponder Point

What is similar about the Australian and New Zealand requirements? What is different? Which do you think provides the more thorough regime? Could you combine the requirements of both to produce a “gold standard” for personal information used, held or disclosed by your organisation? How might it impact upon the quality of your professional services?

The Australian Privacy Commission has offered the following useful information on how to go about complying with the data quality requirements.25 As you read it, think about how each of the factors identified might impact upon the quality of the personal information that you hold.

Organisations should consider the following factors when assessing what are reasonable steps in terms of complying with NPP 3 [the predecessor to APP 10]:

1. The type of personal information held and how it is going to be used and disclosed;
2. Whether the information was collected directly from the individual or from a third party;
3. Whether certain ‘trigger points’ provide an appropriate opportunity to recheck the accuracy of information;
4. Using internal common sense protocols to audit, identify and correct obvious errors;
5. The age of the information;
6. Whether it is easy for individuals to correct and update personal information held by the organisation;
7. Whether it would impose an inappropriate intrusion on individuals or an unnecessary burden on the organisation;
8. What adverse impacts individuals could suffer as a result of inaccurate, incomplete or out-of-date information being used for business activities;

Have a look at the case note provided below. Although it turns on a technicality about whether there was any use of the information, we are not certain that the technical point was correctly decided. It seems to us that there must be a strong argument that if the retrieved data is used to inform the design of a set of questions to be put to a candidate at interview then it is used in terms of the privacy principles. What do you think? • NZ 9257 – the jobseeker was enrolled with the New Zealand Employment Service. She was asked whether she was receiving counselling. She asked why this information had been sought and was told that her file indicated that she had a problem with drug and alcohol abuse. The information was incorrect and, at her request, it was deleted. Storage and retrieval does not constitute “use”. In order to show that usage has occurred, retrieval has to be followed by some act. If that had happened the agency would have been under an obligation to have made certain that the information was accurate, up-to-date, complete, relevant, and not misleading (Principle 8 NZ).

24. Australia APP-10; New Zealand NZPP-8. 25. Information Sheet (Private Sector) 28 - 2009: NPP 3 Data Quality accessed 14/4/2010.



Data Security – Keeping it safe until you do not have to keep it at all. We are constantly asked whether privacy laws prescribe how long an agency must keep records that it collects in the course of its reference checking or candidate evaluation activities. Privacy laws in Australia and New Zealand do NOT deal with this issue. Their focus tends to be on safe keeping until the information is no longer required.

Privacy law in both jurisdictions goes a little further and says that personal information must be no longer kept (destroyed or permanently de-identified (Aust.)) when it is no longer needed for any purpose for which it may be lawfully used (or disclosed (Aust.)).

Keep in mind, however, that other laws such as laws relating to the regulation of employment agents DO impose requirements to keep information for varying periods of time. We will have a look at this shortly.

Firstly, let’s look at the data security principles as they appear in the APPs and NZPPs. You will see that, although they are expressed differently, they both address the need to take reasonable measures for safekeeping of the information.26

Table 4: Data Security Comparison

Australia

An entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure.

An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under the APPs.

New Zealand

An agency that holds personal information shall ensure
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against
(i) loss; and
(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) other misuse; and
(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Most privacy breaches seem to come about through inadvertence or sheer carelessness. There is much that you can do to ensure the safekeeping of candidate information. The Privacy Commission has provided the following tips for compliance (which would be helpful in New Zealand as well):


26. Australia APP-11; New Zealand NZPPs 5 and 9.



• Risk assessment – identifying the security risks to personal information held by the organisation and the consequences of a breach of security; • Security policy – developing a policy that implements measures, practices and procedures to reduce the identified risks to security; • Staff training – training staff and management in security awareness, practices and procedures; • Monitor and review – monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures; • Referencing Australian and international standards as a guide; and • Depending on the size of the organisation and the information it collects, perhaps having an external privacy audit conducted.

The new APP requirements to have in place effective practices, procedures and systems reinforce these suggestions and further guidance can be obtained from the OAIC’s APP Guidelines.

What if the Candidate requests destruction of personal information?

Australia

APP-12 gives candidates a right of access to their personal information and a right to request corrections. We will deal with this right in more detail later; but for the moment it is important to note that APP-12 does not imply any right on the part of a candidate to require the destruction of records. Destruction of records is dealt with under APP-11.2, which provides that information must be destroyed or permanently de-identified when it is no longer required for any purpose for which it may be used or disclosed under the APPs.

New Zealand

NZPP-6 gives candidates a right of access to their personal information; and NZPP-7 gives candidates a right to request corrections. Neither NZPP-6 nor NZPP-7 implies any right on the part of a candidate to require the destruction of records. Destruction of records is dealt with under NZPP-9, which provides that information must not be kept for longer than is required for the purposes for which the information may lawfully be used.


In New Zealand, the courts have also recognised a common law tort (civil wrong) of invasion of privacy. The precise scope of the tort may be difficult to determine as it will be affected by the circumstances of each unique case. Australian courts have been reluctant to extend statutory privacy protections by recognising a tort of invasion of privacy; though there are some exceptions. In the absence of any order by a Court or the Privacy Commission, a candidate does not have a right to require destruction of the candidate’s information. Why might you need to keep information against a candidate’s wishes? An agency might need to retain documents against a candidate’s wishes and in the face of a direct demand for destruction for many reasons, including: • The information is kept for statutory compliance purposes – e.g. it comprises time and wages records, tax records, immigration records, accident and injury records, records maintained on statutory registers that employment agents must keep etc; • The information is kept to comply with contractual obligations – including conditions of insurance; • The information is kept, in the case of some contracted service providers to public sector clients, in accordance with public record keeping obligations; • The information is kept to comply with ongoing duties of care and best practice document keeping standards; • The information is kept in connection with ongoing or potential legal proceedings.

RCSA Code Response RCSA’s Code for Professional Conduct requires Members to comply with all legal requirements. Some of those requirements may impose duties that are owed to persons other than the candidate. Those other persons could be the client or could even be the State due to legal requirements in some States to retain recruitment records.



Here are some tips for compliance:

• You should take steps to identify the various laws (and contractual obligations) that may require you to retain information even against a candidate’s wishes.
• You should make sure that your collection statements and privacy policies make adequate mention of those requirements and the additional uses for which information may be required to be maintained.
• When you receive a request from a candidate to destroy information, you should review the information to see whether it is still required to be kept.
• The guidelines should inform:
  • Candidate registration procedures;
  • The development of collection statements and privacy policies – including collection statements given to referees;
  • Documentation practices;
  • Information culling practices and policies.

Access & Correction – Giving it up for the Candidate

The privacy laws that relate to access and correction27 operate together with laws that protect confidential information – both in Australia and in New Zealand.

Example:

• A referee might have told you, confidentially, that the Candidate was not a good fit with the culture of the previous organisation and that the culture of that organisation is under review due to some problems which the candidate, a whistleblower, identified before leaving. The laws of confidentiality might prevent you from allowing the candidate access to some of that information.

In Australia the APPs allow a candidate to access information that an agency has collected about them (APP-12). There are presently exceptions if the agency is also their employer. An important exception applies where granting access would be unlawful – e.g. it would breach an obligation of confidentiality.

In New Zealand the NZPPs allow a candidate to access information that an agency has collected about them (NZPP-6). There are exceptions if the information is “evaluative material” (e.g. material collected solely for the purpose of determining employment suitability) and subject to an express or implied promise to the referee to preserve its confidentiality. Other exemptions include:

• Access might endanger another person;
• Access might prejudice law enforcement activity;
• Access might disclose a trade secret or commercially sensitive information;
• Access would breach the privacy of another person;


• Access is sought to medical information that should really only be disclosed to or through a medical practitioner;
• The Access request is frivolous or vexatious;
• The information is not readily retrievable (NZ).

Access is usually allowed by permitting a person to take a photocopy, though there may be some exceptions where to do so is not practicable; where it may breach copyright; or where a summary only of the information should be given. There will often be alternative means of giving access. The rules also set out the extent to which any charge may lawfully be imposed to cover the costs of granting access. You might be able to recover some of the costs of granting access; but generally cannot aim to make a profit out of access charges.

Why do you need to give Candidates access to their personal information?

The right of access is usually coupled with a right to correct any errors; or at least to place comparative information on the file where there is a dispute about which of several versions of the facts is correct (Aust APP-13; NZPP-7). Such a right helps to ensure the quality of the information that is provided by referees. If it is provided openly and transparently, there is perhaps a greater chance that it will withstand scrutiny. If it fails, then there is always the prospect of having it corrected. The right of access assists a candidate to “put the record straight” where that is needed and preserves the candidate’s employment prospects against covert damage. The right of access will sometimes also allow a candidate to identify circumstances in which the candidate can pursue a legal right to compensation or other remedies in cases of defamation, discrimination or breach of contractual and other legal duties. Agencies should not block or impede candidates’ enjoyment of those rights by creating unlawful barriers to access.

27. Australia APPs-12 and 13; New Zealand NZPPs-6 and 7.

RCSA’s Code requires Members to take steps to protect the confidentiality and privacy of information obtained in the course of their professional practice. It is part and parcel of respecting the integrity of persons and behaving in an ethical and socially responsible manner.

Ponder Point

How could you use these rights to inform your information handling practices? Could they operate as a sort of checklist for when you receive an access request from a candidate?

You should also keep these rights in mind when obtaining references because it is important that referees know that the information that they provide might be subject to an access request by a candidate. Promises made to a referee at the time of doing a reference check also need to be kept in mind because they may restrict the extent of candidate access.

Do I have to give access if the information is confidential?

It has been held in several privacy cases that you do not have to give the candidate access if the information was received subject to an enforceable promise made to the referee that you would keep the information confidential.

In Pointu v Employrite Ltd (2003) it was held that an employee-screening company did not have to disclose the name of a referee nominated by the candidate or the adverse information which the referee had provided because the referee gave the information only on the basis that its identity and the information would be kept secret. The Human Rights Review Tribunal stated that the ability to provide confidential information about prospective employees without fear of recrimination or retribution was a matter of public interest. It said that s 29(1)(b) of the Privacy Act 1993 (NZ) was a statutory exception to the general principle and should not be narrowly construed.28

A similar result was reached by the Australian Privacy Commission recently in O v Automotive Company (2009)29. The referees had each given their reports on condition that the information was to be treated confidentially. When the complainant sought access, it was refused on the ground that to grant access would breach the condition of confidentiality and that consequently:

• providing access would be unlawful (NPP 6.1(g)30); or
• denying access was required or authorised by or under law (NPP 6.1(h)).

The Commission upheld the refusal and, in doing so, confirmed that the question about what is “lawful” or “unlawful” for the purpose of paragraphs (g) and (h) of NPP 6.1, depends upon common law concepts just as much as upon statutory concepts. In this case, the common law, which recognises an equitable obligation of confidentiality, was sufficient to block the access request. The Commission identified three important conditions:

• The information was confidential in nature, consisting of the referee’s opinions, and was not public knowledge;
• The car maker had prefaced each conversation with the referees with an assurance that the information would be treated in confidence;
• The Commission was satisfied that it would be an unauthorised use of the information to provide the complainant with access.

The decision emphasises the need to ascertain the extent to which information provided by referees is to be treated as confidential; and to do so before the referees communicate any information.

Of course not every promise of confidentiality that you may make will necessarily be enforceable. That might be because the information is not really confidential at all; or because a Court might decide that it is not in the public interest to let a malicious referee hide behind the shield of confidentiality.


28. (2003) 7 NZELC 96,888. 29. [2009] PrivCmrA 18.

30. Predecessor to similar provisions in APP-12.3.



Can the Candidate see Interview Notes?

Unless they are subject to an express promise of confidentiality made to a third party, interview notes are unlikely to be confidential as against the candidate whom they concern and would normally be subject to access.

To avoid embarrassment, interviewers should take care that their notes are objective and non-pejorative. Some dreadfully embarrassing things have turned up in notes which the writer of them never expected would be revealed!

What about Psychological Test Reports?

Where tests are administered by professional registered psychologists, granting access should not give rise to any breach of the privacy principles and psychologists are bound by a code of ethics, which largely conforms to those principles. In most cases, the individual concerned will be entitled to see the test results and any professionally prepared reports about them. It is thought that there may be a question on whether they are entitled to make a copy to be taken away and used for another purpose. The reason that there may be some doubt about that is that many tests are done under licence and copyright arrangements so that it may be permissible to refuse a request if providing access in the form of a photocopy would be unlawful.

Cross-Border Disclosures

In Australia, special measures must be taken to protect information that is being sent out of Australia (including to New Zealand). These are set out in APP 8, which states:

8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
(a) who is not in Australia or an external Territory; and
(b) who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
(a) the entity reasonably believes that:
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
(b) both of the following apply:
(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
(ii) after being so informed, the individual consents to the disclosure; or
(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
[Some other exceptions then follow].



Given the uncertainties and differences that may arise within different schemes of privacy protection, it may be good practice to obtain candidate consent before sending information out of the country. Of course, consent should be informed regarding any matter reasonably considered relevant to the privacy risk. New Zealand is presently considering the introduction of similar measures.

Conclusion Privacy remains a topic of great interest to the recruitment industry and presents many challenges to the way in which reference checking may have traditionally been carried out. In most of our training on reference checking we emphasise four cardinal rules that are drawn from the privacy principles. They are:

Four Cardinal Rules

1. Manage your clients’, candidates’ and referees’ expectations. Be open with them about your reference checking practices;
2. Only collect information that is necessary;
3. Only use and disclose information for the purpose for which it was collected;
4. Make sure that whenever you use or disclose information it is accurate, current, complete, relevant and not misleading.

If you have been following this manual from the beginning, you will begin to appreciate the sense and simplicity of this approach. It is not a complete protection against everything that can go wrong; but it may just help you to avoid some nasty situations.
