Could Your Recruitment Process Be Breaching the Privacy Act?

Most employers understand their obligations when collecting information directly from employees. However, a recent change to the Privacy Act introduces additional requirements when personal information is obtained from someone else.

From 1 May 2026, Information Privacy Principle 3A (IPP3A) came into force. The new principle applies when an organisation collects personal information indirectly, rather than directly from the individual concerned.

For employers, this includes situations such as:

· Receiving information about a job applicant from a recruitment agency

· Obtaining references from a previous employer

· Collecting information from a family member or emergency contact

· Receiving information from another employee

Under the new rules, employers are generally required to notify the individual that their personal information has been collected, even if it was obtained from a third party.

The notification should include:

· The fact that information has been collected;

· Why it has been collected;

· Who may receive the information; and

· The individual's right to access and correct their information.

There are limited exceptions to this requirement. Notification is not required where the information is publicly available, where providing notice is not reasonably practicable, or where doing so would prejudice the purpose for which the information was collected.

For many employers, these requirements are already addressed through recruitment processes, employment agreements, privacy statements, or onboarding documentation. However, this change provides a clear prompt to review your current practices and ensure they remain compliant.

While the change may appear minor, privacy complaints often arise from process failures rather than intentional wrongdoing. An employer may have a legitimate reason for collecting information, but still face issues if the individual was not appropriately informed about how that information was obtained.

Now is also a good time to review recruitment questionnaires, reference-checking procedures, privacy statements, and onboarding documentation. Ensuring these documents clearly explain how personal information may be collected and used can help reduce risk and demonstrate good privacy practices.

As businesses continue to place greater emphasis on employee records, recruitment processes, and workplace wellbeing, maintaining strong privacy practices is increasingly important.

If you are unsure whether your employment or recruitment processes meet the new requirements, seek advice before a privacy issue arises.

 

Contact Ethan

Payroll Lead