Privacy- It’s in the Jam, Not the Icing.


The Privacy Act was first enacted in Australia almost 25 years ago, in 1988. And, over that time, we've familiarised ourselves with the 10 National Privacy Principles and found ourselves cushy, comfortable ways to manage personal information. Recruitment agencies, for example, have recognised that a key feature of the privacy requirements is to inform the candidate that we will hold their personal information and what we'll do with it. So, we staple together a Privacy Collection Notice and ask the candidate to read the terms and conditions and give their consent. On their part, the candidates are eager to impress us: they scan the document, quickly grab the first working pen and signs the notice. Done. We've got their approval. Now we can record, store and use the information as we think fit. Right? Well, not anymore. It used to be that the Privacy Collection Notice/Statement was the principal document- it generally overlayed every issue pertaining to privacy. So, over the past 20-something years, we began to rely on it as our go-to-guy for all things privacy related. As long as the Notice was appropriate then what we did with the personal information didn't matter too much- we stopped monitoring too closely how the information was managed or who had access to it. After all, we had the candidate's consent. This will all change when the new privacy amendments come to force in March next year. The new privacy requirements include 13 Australian Privacy Principles. Whilst the main thrust of the legislation is the same, there are some changes. There are two new principles on cross border disclosure and direct marketing. The powers of the Commissioner of the Office of the Australian Information Commission to impose fines and conduct audits have been substantially increased. In addition, there is a major change to the underlying platform for privacy management. APP 1.2 refers to "practices procedures and systems". This means that the one document which got you by before- the icing- is no longer sufficient. You will need to think about how you really manage privacy in your business, the policies and the procedures, and about how well your staff implement these. We have been working with the recruitment industry for over a decade, and have come across many examples of poorly managed privacy situations. Here are some examples.

Example 1

The recruitment industry generally believes that they "own" a candidate. In actuality, their ownership is on tenuous grounds- it is the candidate who is in control of their information, and consents to the recruiter's temporary access to this information. This consent may be revoked at any time. By not fully comprehending what a candidate's right of control is, recruiters may find themselves in breach of privacy laws.

Example 2

In some parts of the industry there is a growing use of "web crawlers" which collect online candidate information and drops it into a recruitment database. These programs collect resumes from Google search results, Outlook emails and more, and transfer candidate details into a database. By doing so, it builds a time-efficient, comprehensive record of potential employees that is invaluable to many recruiters. Whilst this sounds like a great labour saving device, it is not all good news. The problem returns to this fundamental tenet that we discussed earlier: the right to access information, even in this technological day and age, is held by the candidate. This means you cannot collect and record information about a person without their permission.

Example 3

Sandra is a newly hired junior administrative assistant in a recruitment company for nurses and doctors. She's finding it a bit hard to settle into her new job and make friends with her work colleagues and performs a range of administrative tasks, such as filing paperwork, photocopying documents and editing articles. Through many exchanges of hands (and responsibility), she finds herself collecting and reading through simple police checks of the nurses hired by the company. Suddenly, she jumps up and cries out "XYZ is a prostitute!!" (Who knows, maybe that made XYZ a better nurse!). All the workers beside her are amazed by the revelation and peer over the document themselves and Sandra is pleased to be recognised. It's just idle gossip amongst co-workers, isn't it? In fact it's a gross breach of employee privacy. Every staff member must be fully informed and trained by the company' to understand and respect the privacy of past, present and future co-workers, or vicarious liability can even be extended to the managers of the company for not properly advising a Junior of this. You might be saying "sure, a recruiter can be in breach of laws that are intended to protect the candidate that the recruiter will potentially hire. Seems straightforward enough". But breaches can permeate through many more levels of a corporation.

Example 4

Let's consider offshore service providers, for example. It is not uncommon for busy companies to outsource candidate management to offshore companies in India, Malaysia, the Philippines and others. These offshore organisations essentially take care of basic administrative functions such as the creation of newsletter and candidate databases for the companies back here, and store these databases overseas. So what's the problem here? The problem is that the information being used and disclosed is now outside of Australian control but still within Australian jurisdiction. Simply put, this means that you are liable for any non- conformance of the service provider, regardless of whether you were aware of it. This may be an issue for onshore service providers as well. It's easy to recognise how such breaches can damage a company's reputation and, in turn, impact current or future business opportunities. But what is often forgotten is that a breach of privacy is oftentimes a breach of law, and this can have more far reaching consequences. To put it another way: it's easy to smear icing on top of an over-burned cake and hide the crustiness. Similarly, it's easy to cover up poor recruitment practice by installing a fast, computerised device that glosses over your procedural flaws. But do you really want to risk someone eating the cake and finding out that you deceived them (and that the cake itself is awful)?

Example 5

There was once a prickly situation that arose in relation to an applicant who consented to a medical clearance for the recruiter of a company. The director of the medical board, in spite of personally knowing the applicant, did not discharge his responsibility to another doctor but conducted the tests himself. When communicating the results orally with the recruiting company, the director also included allegations that the applicant had 'abruptly' left his previous job. The recruitment manager noted this unsolicited information and subsequently fired the applicant, who, in turn sued the company for misuse of his confidential information, and corporate negligence. Though the applicant had insufficient evidence to establish his claim, the judge in that case firmly chastised the medical director and refused to allow the recruiting company to claim for any costs suffered during the court process. The reality of it is that even if you are acquitted of any charges, there are still costs associated with court processes, some that simply irreplaceable, like time and reputation. When it comes to privacy, it may seem like you've heard it all and you have it all in hand. But it would not be wise to assume that you have privacy all sorted, and that there is nothing you need to do to comply with the amendments. Privacy is a finely nuanced and multifaceted concept because it is a fundamental human right to have and to protect. It's not the icing you slap on top of the cake and hope for the best, it's the strawberry jam between all the layers that holds it all together. It is important on every level, and takes many hours of time and preparation to get right. It is forgivable to be a caught a little unawares today, before a breach has even occurred, but stringent penalties await those who are complacent or careless in causing a breach. So sit back and ask yourself just how well you understand all these issues, and seek help if you're unsure. Don't get caught out with a burned cake.

Alicja Gibert