In early June 2019, the Australian National University (ANU) disclosed a sophisticated cyber attack that exposed almost 20 years’ worth of personal data belonging to around 200,000 former and current staff and students. The stolen information included bank details, names, addresses, dates of birth, phone numbers, personal email addresses, tax file numbers, passport details and academic records.
While the ANU is currently working with government security agencies to investigate the breach, it is feared the hackers may on-sell the information on the dark web, which means it could be used to steal the identities of those affected.
And the breach could have far more serious consequences from an Australian defence perspective – the ANU has a close association with the Australian government and many students go on to work in Federal Government positions, including in the military and in top parliamentary roles in Canberra.
This is just one story illustrating why data protection is paramount. During the recruitment process in particular, candidates need to feel confident and comfortable their sensitive information is being collected and handled appropriately, then stored securely.
What are your obligations?
Under the Australian Privacy Act 1988, government agencies, not-for-profits and businesses with an annual turnover of $3 million or more (as well as some smaller operators, including health service providers such as complementary therapists, gyms and childcare providers) have obligations and responsibilities when it comes to the collection and handling of people’s personal information. The New Zealand Privacy Act 1993 imposes similar obligations on agencies there, without a turnover threshold.
The privacy acts in Australia and New Zealand require organisations to take reasonable steps to ensure that personal information they gather is protected from loss, misuse and unauthorised access. Individuals have the right to know why their information is being collected, who it will be disclosed to, and how it will be used. Individuals must also be allowed to access their information and correct it, if necessary.
Top tips for handling candidates’ data
“In light of high-profile data breaches, candidates have been much more concerned about how companies collect and handle their information”, according to Daniel Chilcott, General Manager of Learning and HR Services at Programmed.
“Whereas before candidates didn’t know, or didn’t care, about the swapping and sharing of data, definitely now they are far more aware and more educated,” he says. “If we can demonstrate openness, disclosure and forthrightness, candidates are more likely to feel that we’re trustworthy, which helps build confidence in applying with us.”
Applicant data isn’t simply limited to birth dates and addresses – it can also include bank account details, driver’s licence numbers, work history, credit checks, criminal background information, emergency contact information and more.
So, with that in mind, here are Chilcott’s top tips for remaining compliant and communicating your data-protection policy to applicants.
1. Keep things relevant and upfront
Chilcott says recruiters should ask only for the information necessary for recruitment, and provide notice to candidates about the potential collection, use and disclosure of their personal information.
This will reassure applicants “about the purpose of gathering their information, and that the uses of said information will always be disclosed to them”.
2. Regularly assess the accuracy, completeness and currency of the data you hold
“I once got a letter from an employer that I’d applied to 10 years ago saying, ‘What do you want us to do with your data?’,” Chilcott says. “Now, 10-year-old data, particularly employment-related, is useless and it’s also tempting fate by sitting there, so it’s fundamentally important to maintain your data.”
He suggests implementing a policy for regularly checking that the information you hold is up to date and accurate – through consultation with applicants via email, SMS, calls or bots – and securely destroying or de-identifying anything that is no longer needed.
3. Keep personal information secure through effective data protection
This includes appropriate physical and electronic controls: for example, access controls so that only staff with a recruitment need can see applicant records, strong authentication on the systems that hold them, encryption of stored and transmitted data, network controls such as firewalls, and logging so that unauthorised access can be detected and investigated.
If you’re concerned about security and compliance when handling and sharing potentially sensitive information, one option is to conduct background checks and screening only through an accredited third party that has industry-standard protection measures in place. Outsourcing the check does not outsource your obligations: candidates still need to be told that their information will be disclosed to that provider and for what purpose, and you should verify the provider’s security measures rather than take them on trust.
4. Provide applicants with access to their personal data
“I know if I requested my personal file and I was denied, I’d be straight away thinking, ‘What detail are they maintaining, what are they doing with that?’,” Chilcott says. “Whereas a preparedness from the company to say, ‘Here’s your file, please check through, modify, etc.’ builds that trust and that confidence.”