The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“Privacy Amendment Act”) was introduced to Parliament on 23 May 2012 and comes into effect on 12 March 2014. The Privacy Amendment Act is a part of the privacy law reform process that began in 2004.
The Privacy Amendment Act includes a set of new, harmonised privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses. These new principles are called the Australian Privacy Principles (APPs). They will replace the existing Information Privacy Principles (IPPs) that currently apply to Australian Government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.
There are a significant number of resources publicly available to guide organisations on these changes and assist them with implementation, such as those available at www.oaic.gov.au.
This UpClose looks at the changes PeopleCheck has adopted, specifically with respect to its background checking service. As a private organisation, PeopleCheck’s background checking service previously fell under the National Privacy Principles. Our commentary uses extracts from resources available through the Office of the Australian Information Commissioner and these notes are shown in italics. The areas identified in grey highlight indicate those where changes have had the greatest impact on PeopleCheck’s background checking processes.
APP 1 – Open and transparent management of personal information
APP 1 introduces more prescriptive requirements for privacy policies than the existing requirements in NPP 5.1.
APP 2 – Anonymity and pseudonymity
APP 2 sets out a new requirement that an organisation provide individuals with the option of dealing with it using a pseudonym. This obligation is in addition to the existing requirement that organisations provide individuals with the option of dealing with them anonymously.
PeopleCheck has always accepted enquiries from individuals wishing to remain anonymous. However, due to the nature of the service we provide, it is not possible for PeopleCheck to undertake background checking on individuals that do not provide certain information as to their identity.
APP 3 – Collection of solicited personal information
APP 3 outlines when and how an organisation may collect personal and sensitive information that it solicits from an individual or another entity.
An organisation must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the organisation’s functions or activities.
PeopleCheck ensures that informed, written consent is obtained from all candidates before proceeding with their background checking. In some cases this may be a specific consent form required by a particular organisation (such as a National Police History Check form) and/or a general PeopleCheck consent form. The general PeopleCheck consent form enables us and our clients to collect, use, disclose and store information about a candidate for background checking purposes.
PeopleCheck has undertaken a complete review of its general consent form and this will be released to all clients ready for 12 March 2014. PeopleCheck recommends that all of its clients review PeopleCheck’s general consent form to ensure that it aligns with any internal privacy policies and processes.
APP 4 – Dealing with unsolicited personal information
APP 4 creates new obligations in relation to the receipt of personal information which is not solicited. Where an organisation receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under APP 3. If so, APPs 5 to 13 will apply to that information.
If the information could not have been collected under APP 3, and the information is not contained in a Commonwealth record, the organisation must destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so.
APP 8.2(b) provides that the entity may seek consent from the individual to cross-border disclosure and PeopleCheck’s amended general consent form specifically addresses the requirements.
APP 5 – Notification of the collection of personal information
APP 5 specifies certain matters about which an organisation must generally make an individual aware, at the time, or as soon as practicable after, the organisation collects their personal information.
In addition to the matters listed in NPP 1.3, APP 5 requires organisations to notify individuals about the access, correction and complaints processes in their APP privacy policies, and also the location of any likely overseas recipients of individuals’ information.
PeopleCheck’s updated general consent form provides candidates with details as to: PeopleCheck’s identity and method of contact; the reason for the collection of their personal information; the involvement of third parties; what could happen if consent is not given; where and how to make a complaint; and, overseas disclosure.
APP 6 – Use and disclosure of personal information
APP 6 generally reflects the NPP 2 use and disclosure obligations. In addition, APP 6 introduces a limited number of new exceptions to the general requirement that an organisation only uses or discloses personal information for the purpose for which the information was collected.
PeopleCheck’s existing processes meet the requirements of APP 6. PeopleCheck collects information from candidates following a request by one of our clients to undertake background checking. Candidates are informed that the reason for the background checks being undertaken is to enable our client to assess suitability for employment or appointment; this may be for new employment, a role change within the existing employer and/or for compliance purposes.
APP 7 – Direct marketing
The use and disclosure of personal information for direct marketing is now addressed in a discrete privacy principle (rather than as an exception in NPP 2).
PeopleCheck never knowingly and deliberately sends unsolicited commercial electronic messages to our candidates or clients that are outside the scope of their background checking requirements.
APP 8 – Cross-border disclosures
APP 8 and a new s 16C introduce an accountability approach to organisations’ cross-border disclosures of personal information.
Before an organisation discloses personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs, is taken to be a breach of the APPs by the organisation. There are a number of exceptions to these requirements.
PeopleCheck operates within Australia and candidate information, in the majority of cases, does not leave Australia. However, with the growing transient workforce, cross-border disclosure of information is becoming increasingly common throughout the background checking process.
In some cases, it may be necessary to collect and release a candidate’s information outside of Australia. For example, if a candidate recently resided, worked and studied in the UK for five years, it is reasonable for our client as a prospective employer of that candidate to undertake enquiries with the appropriate employers and institutes, undertake a criminal record check and/or investigate publicly available sources. Using this example, PeopleCheck’s ability to impose adherence to the APPs is limited. In those circumstances, PeopleCheck will carefully consider the risks to the protection of personal information when releasing information and will use all reasonable means to verify the accuracy and completeness of information, statements and opinions made available to us during our enquiries.
APP 8.2(a)(i) states that the obligation to ensure an overseas recipient does not breach the APPs is met if there is the belief that:
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.
Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
The information contained in this paper is the opinion of PeopleCheck Pty Ltd and does not form the basis of legal advice.
Further, APP 8.2(b) provides that the entity may seek consent from the individual to cross-border disclosure. PeopleCheck’s recently amended general consent form specifically addresses the requirements of cross-border disclosure. Candidates will have the option to nominate the countries we may disclose information to if required, or elect to withhold consent to such disclosure.
Where a candidate nominates to withhold consent, our team will contact them and outline the specific purpose and regions of the disclosure to enable us to obtain their consent and complete their background checking.
In addition to the above candidate consent requirements, PeopleCheck’s internal processes to address APP 8 also include: specific consent forms for certain international checks that outline locations and details of the disclosure of personal information; contractor terms and conditions that require PeopleCheck’s contractors to adhere to the APPs in their treatment of personal information; and, processes for our team to ensure consent by candidates is obtained prior to releasing their personal information overseas.
APP 9 – Adoption, use or disclosure of government related identifiers
APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies. APP 9 generally retains the same exceptions as NPP 7, with some additions and amendments.
It is not PeopleCheck’s standard practice to adopt, use or disclose government related identifiers and reference numbers such as tax file numbers etc. PeopleCheck uses its own reference number to identify a candidate and complete their background checking.
As a part of the verification of an individual’s background, we may require the candidate’s government identifier entirely for validation purposes, such as an employee or student number when verifying previous employment or qualifications with an Australian government body or a passport number to verify identity or work rights status.
This information is collected from the candidate directly and is not unnecessarily disclosed.
APP 10 – Quality of personal information
Under APP 10, an organisation must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete.
Under existing processes, PeopleCheck will continue to use all reasonable steps to verify the accuracy and completeness of information, statements and opinions made available to us during our enquiries. Further to this, PeopleCheck has established processes in place to deal with situations where a candidate believes that information held about them is inaccurate, out of date, incomplete, irrelevant or misleading.
APP 11 – Security of personal information
APP 11 requires an organisation to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure.
PeopleCheck takes security very seriously and employs appropriate technical, administrative and physical procedures to protect personal information from unauthorised disclosure, loss, misuse, interference or alteration during its collection, use, disclosure and storage. We limit access to personal information to individuals with a business need consistent with the reason the information was provided. Additionally, we retain personal information only for as long as it is required for business purposes or as required by law.
APP 12 – Access to personal information
APP 12 requires an organisation to give an individual access to the personal information that it holds about that individual, unless an exception applies.
PeopleCheck has established and documented processes to deal with requests made by candidates to access their personal information. Most requests come from candidates looking to access a copy of their background checking report. Generally, when a candidate makes an application to access their personal information, PeopleCheck will respond to the candidate’s enquiry within five work days, if not sooner. During this initial request, PeopleCheck will alert our client that such a request has been made. If the client has any reason for PeopleCheck to withhold some or all of the information requested by the candidate, our client has the opportunity to alert us as to the specific reason, referencing any relevant exclusion points outlined in APP 12.3. Some exceptions that may apply include:
(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
PeopleCheck has refined its processes to ensure that, wherever practical, candidates are provided with access to information that has been requested in the manner they requested. Most candidates request this access to be in writing via email. In the event that a candidate requests access and PeopleCheck cannot fulfil this request in the manner requested, we will take steps to provide the individual with access via mutually agreed means.
If PeopleCheck does not permit an individual access, we will provide written reason/s for the refusal as well as the mechanisms available to complain about the refusal.
In most cases, PeopleCheck charges a nominal fee to individuals for accessing copies of background checking reports. PeopleCheck is mindful of the fact that such a fee should not be excessive and will not apply a fee for simply making a request. We merely charge a fee to cover administrative costs to prepare information for its release.
APP 13 – Correction of personal information
APP 13 introduces some new obligations in relation to correcting personal information, which differ from those in NPP 6. The APPs remove the NPP 6 requirement for an individual to establish that their personal information is inaccurate, incomplete or is not up-to-date and should be corrected.
APP 13 now requires an organisation to take reasonable steps to correct personal information to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if either:
- the organisation is satisfied that it needs to be corrected, or
- an individual requests that their personal information be corrected.
Organisations generally need to notify other APP entities that have been provided with the personal information of any correction, if that notification is requested by the individual.
APP 13 contains similar provisions to NPP 6 in relation to associating a statement with the personal information if the organisation refuses to correct the information and the individual requests a statement to be associated.
PeopleCheck has reviewed its established processes that enable candidates to seek correction of information that has been collected about them and has removed the requirement for candidates to “establish” that information is inaccurate, incomplete, out of date, irrelevant or misleading. Under these circumstances, PeopleCheck will review the request and establish whether any corrections should occur.
PeopleCheck is permitted to refuse a request for correction and, in such cases, will include a statement with the candidate’s personal information or within the background checking report. Any changes to background checking reports will be noted and re-released to our client, along with details of any refusals. PeopleCheck will alert our client to any communication with the candidate surrounding requests for correction and PeopleCheck’s response.
Access to National Police History Checks via CrimTrac
PeopleCheck is an Accredited Agency to provide National Police History Checking services via CrimTrac. As a part of this arrangement, PeopleCheck is required to maintain a current contract of these services with CrimTrac. Similarly, PeopleCheck has engaged in contracts with our clients to mirror the terms of the PeopleCheck/CrimTrac contract.
CrimTrac has notified PeopleCheck that all references to Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) are to be replaced with the Australian Privacy Principles (APPs). All clients that have engaged in a “Customer Contract” with PeopleCheck for the provision of National Police History Checks are to apply the same change to the contract they have previously signed with PeopleCheck.
Changes to credit reporting laws
Part of the changes to the Privacy Amendment Act include: “a new Part IIIA that permits more comprehensive credit reporting, which will allow the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years. The move to more comprehensive credit reporting is accompanied by enhanced privacy protections for individual’s credit-related information”.
An individual’s consumer credit file is not accessible by third parties such as PeopleCheck for background checking purposes. However, an individual is able to access their own credit file, and it is through this means that some of our clients obtain this information; those clients may find further research on the changes to credit reporting laws of interest.