PeopleCheck are a supporter of the annually-held Privacy Awareness Week (PAW), run by The Office of the Australian Information Commission (OAIC). PAW 2017 focused on the theme of trust and transparency, which, as stated by the Australian Information and Privacy Commissioner Timothy Pilgrim, speaks to “the consumer and community trust that flows to organisations who handle personal information transparently, and with care, throughout the information life cycle”.
Transparency when dealing with personal information involves ensuring that individuals have clarity in and choice over how their personal information is being used. In addition, trust encompasses the fact that an individual should feel confident that their personal information is being handled responsibly and lawfully.
Motivated by the concept of privacy awareness, this UpClose is all about information privacy and examining some of the key Australian Privacy Principles (APPs) that dictate how PeopleCheck handles personal information. The protection of privacy is important to us at PeopleCheck, and we treat all personal information as confidential.
Transparency – the collection and use of personal information
Consent and the Collection of Personal Information
APP 1 and 3 state both that entities should manage personal information in an “open and transparent way” and that an organisation should only collect personal and sensitive information that is “reasonably necessary for, or directly related to, one or more of the entity’s functions or activities”, and only with the individual’s consent. In accordance with these principles, PeopleCheck only requests, collects, uses, discloses and stores information that is needed in order for us to carry out our services. Furthermore, PeopleCheck do not proceed with background checking without our candidate’s explicit consent.
PeopleCheck ensures that informed, written consent is obtained from all candidates before proceeding with their background checking. In some cases this may be a specific consent form required by a particular organisation (such a National Police History Check form) and/or a general PeopleCheck consent form. The general PeopleCheck consent form enables us and our clients to collect, use, disclose and store information about a candidate for background checking purposes.
Use and Disclosure of Personal Information
APP 6 states that if an organisation holds personal information about an individual that was collected for a particular purpose (the primary purpose), the organisation must not use or disclose the information for another purpose (with some exceptions).
PeopleCheck’s processes meet the requirements of APP 6. PeopleCheck collects information from candidates following a request by one of our clients to undertake background checking. Candidates are informed that the reason for the background checks being undertaken is to enable our client to assess suitability for employment or appointment; this may be for new employment, a role change within the existing employer and/or for compliance purposes. The information that PeopleCheck collects from candidates is not utilised for any reason other than to complete the background checking as requested by our clients.
APP 8 states that before an organisation discloses personal information about an individual to an overseas recipient, the organisation must reasonably ensure that the “overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information”.
PeopleCheck operates within Australia and candidate information, in the majority of cases, does not leave Australia. However, with the growing transient workforce, cross-border disclosure of information is becoming increasingly common throughout the background checking process.
In some cases, it may be necessary to collect and release a candidate’s information outside of Australia. For example, if a candidate recently resided, worked and studied in the UK for five years, it is reasonable for our client as a prospective employer of that candidate to undertake enquiries with the appropriate employers and institutes, undertake a criminal record check and/or investigate publicly available sources. Using this example, PeopleCheck’s ability to impose adherence to the APPs is limited. In those circumstances, PeopleCheck will carefully consider the risks to the protection of personal information when releasing information and will use all reasonable means to verify the accuracy and completeness of information, statements and opinions made available to us during our enquiries.
APP 8.2(a)(i) states that the obligation to ensure an overseas recipient does not breach the APPs is met if there is the belief that:
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.
Further, APP 8.2(b) provides that the organisation may seek consent from the individual to cross-border disclosure. PeopleCheck’s general consent form specifically addresses the requirements of cross-border disclosure. Candidates have the option to nominate the countries we may disclose information to if required, or elect to withhold consent to such disclosure. Where a candidate nominates to withhold consent, our team contacts them and outlines the specific purpose and regions of the disclosure to enable us to obtain their consent and complete their background checking.
In addition to the above candidate consent requirements, PeopleCheck’s internal processes to address APP 8 also include: specific consent forms for certain international checks that outline locations and details of the disclosure of personal information; contractor terms and conditions that require PeopleCheck’s contractors to adhere to the APPs in their treatment of personal information; and, processes for our team to ensure consent by candidates is obtained prior to releasing their personal information overseas.
Trust – the management of personal information
Security of Personal Information
APP 11 requires an organisation to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure.
PeopleCheck takes security very seriously and employs appropriate technical, administrative and physical procedures to protect personal information from unauthorised disclosure, loss, misuse, interference or alteration during its collection, use, disclosure and storage. We limit access to personal information to individuals with a business need consistent with the reason the information was provided. Additionally, we retain personal information only for as long as it is required for business purposes or as required by law.
Access to Personal Information
APP 12 requires an organisation to give an individual access to the personal information that it holds about that individual, unless an exception applies.
PeopleCheck has established and documented processes to deal with requests made by candidates to access their personal information. Most requests come from candidates looking to access a copy of their background checking report. Generally, when a candidate makes an application to access their personal information, PeopleCheck will respond to the candidate’s enquiry as soon as possible and within five work days. During this initial request, PeopleCheck will alert our client that such a request has been made. If the client has any reason for PeopleCheck to withhold some or all of the information requested by the candidate, our client has the opportunity to alert us as to the specific reason, referencing any relevant exclusion points outlined in APP 12.3. Some exceptions that may apply include:
(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
PeopleCheck’s process ensures that, wherever practical, candidates are provided with access to information that has been requested in the manner they requested. Most candidates request this access to be in writing via email. In the event that a candidate requests access and PeopleCheck cannot fulfil this request in the manner requested, we will take steps to provide the individual with access via mutually agreed means.
If PeopleCheck does not permit an individual access, we will provide written reason/s for the refusal as well as the mechanisms available to complain about the refusal.
In most cases, PeopleCheck charges a nominal fee to individuals for accessing copies of background checking reports. PeopleCheck is mindful of the fact that such a fee should not be excessive and will not apply a fee for simply making a request. We merely charge a fee to cover administrative costs to prepare information for its release.
For more information on the ways in which PeopleCheck adheres to the Australian Privacy Principles, please contact our Privacy Officer via telephone on +612 4023 0603 or email at firstname.lastname@example.org.