Public service recruitment and Information Privacy

Intended audience

This Guideline is intended only for Queensland government departments and for those agencies which have, under section 21 of the Public Service Act 2008 (Qld) (PS Act), and section 4 and schedule 1, column 1 of the Public Service Regulation 2008 (Qld) (PS Regulation) been declared 'public service offices'. These will be collectively referred to as departments throughout this Guideline.

This Guideline does not apply to local governments, Queensland universities, or public authorities not listed in the PS Regulation.

Purpose of this guideline

This Guideline is intended to assist those involved in recruitment under the PS Act and the PS Regulation in dealing with personal information collected, stored, used and disclosed in public service recruitment and selection.

Limitations of this guideline

This Guideline contains general information only, and may not cover all situations. It does not address department or sector-specific legislation, which may impose additional requirements or obligations on the recruitment process. Nor does the Guideline deal with other employment-screening processes such as the 'working with children checks' conducted by the Commission for Children, Young People and Child Guardian.

The Information Privacy Act 2009

The objects of the Information Privacy Act 2009 (Qld) (IP Act) are:

  • to allow individuals to access and amend their personal information where it is held by government; and
  • to ensure the fair collection and handling of personal information by Queensland government agencies.

The IP Act ensures that personal information is managed appropriately by requiring all Queensland government agencies to comply with the privacy principles1 when handling personal information.

Personal information

Personal information is defined2 as any information or an opinion, whether true or not and whether recorded in material form or not, about an individual whose identity is apparent, or can be ascertained, from the information or opinion.

The privacy principles

There are four sets of privacy principles in the IP Act:

  • the Information Privacy Principles (IPPs)3
  • the National Privacy Principles (NPPs)4 which apply only to health agencies
  • the 'transfer out of Australia principles',5 which apply to all departments; and
  • the 'bound contracted service provider principles',6 which apply to all departments.

This Guideline deals with the application of the privacy principles to the public service recruitment process.

If departments contract out their recruitment to the private sector, or transfer personal information out of the country as part of the recruitment process, they should consult the OIC Guidelines Agency obligations when entering into contracts and other arrangements and Sending personal information out of Australia for further guidance.

The IPPs and the NPPs substantially cover the same issues and may be loosely grouped into five categories: collection; storage and management; access and amendment; use; and disclosure. While individuals are able to apply for access to and amendment of recruitment process documents, this Guideline will not cover these categories. See OIC Information Sheet : Accessing information following a government recruitment process for further guidance.

Collection

The privacy principles relevant to collection are:

  • IPPs 1-3; or
  • NPP 1, 3, 9.

They set out that agencies must:

  • only collect personal information if it is necessary to fulfil a lawful purpose directly related to the functions of the agency
  • only collect as much information as they need
  • give a collection notice if they collect personal information from the individual
  • not use unlawful, unfair or unreasonably intrusive means to collect personal information; and
  • take steps to ensure the personal information collected is accurate, up to date, complete and not misleading.

Storage and management

The storage and management of personal information includes storage, security and ensuring correctness. The relevant privacy principles are:

  • IPPs 4-5; or
  • NPPs 3-4.

Agencies must:

  • ensure personal information is protected against loss, unauthorised access, use, modification or disclosure or any other misuse
  • use appropriate security safeguards to protect personal information; and
  • take steps to ensure the public is able to ascertain what sort of personal information the agency holds and for what purposes, and how it may be accessed.

Use

Use is defined in section 23 of the IP Act. The privacy principles relevant to use of personal information are:

  • IPPs 8-10; or
  • NPP 2.

An agency must only use personal information for the purpose for which it was collected, unless one of the exceptions listed in IPP 10 or NPP 2 applies.

Disclosure

Disclosure is also defined in section 23 of the IP Act. The privacy principles relevant to disclosure of personal information are:

  • IPP 11; or
  • NPP 2.

An agency must only disclose personal information to the individual it is about, unless one of the exceptions listed in IPP 11 or NPP 2 applies, for example where the individual was advised at collection that the disclosure would occur.7

Public Service Act 2008

One of the main purposes of the PS Act is to "establish a high performing apolitical public service".8 To achieve this purpose, the PS Act sets out principles relating to public service employment.

Chapter 5 of the PS Act deals with staffing the public service, and sets out principles and rules to be followed when recruiting public service officers for employment. Of particular relevance is chapter 5, part 6 of the PS Act, which sets out how and when a department may undertake employment screening.

Public Service Regulation 2008

The PS Regulation deals with a number of matters relevant to public service officers and their employment. Part 2 sets out the agencies which have been declared to be public service offices. Part 3 deals with general employment matters, including dealing with employee records and an employee's access to their own employment records.

Public Service Directives

The PS Act allows the Public Service Commission's (PSC) Chief Executive and/or the Industrial Relations Minister9 to make Directives and Guidelines concerning the remuneration and conditions of employment of non-executive employees and other permitted matters. Directives are binding on the persons to whom they apply and a disclosure of personal information in accordance with a Directive is authorised under law and accordingly would not be a breach of the privacy principles.10

The recruitment process

A diagram of the recruitment process appears at Appendix A (PDF, 149.02 KB) to this Guideline. This Guideline uses the process outlined in that diagram as its structure, and explains how the privacy principles apply to the steps in the process.

Recruitment material

Preparing recruitment material – key criteria, role descriptions, application forms and application guides

The privacy principles relating to collection make it clear that only relevant personal information may be collected. Before preparing recruitment material, the drafter must ensure they understand what qualifications, experiences, skills and capacities the position will require. This will ensure that the recruitment material will not request irrelevant information from applicants.

Applicants often include material in their application, such as their hobbies, interests, or previous experience which is not relevant to the position sought. As long as the department has not requested the irrelevant information, the applicant’s supply of it is not a breach of the privacy principles.

Some departments may request information about a person's 'reasonable adjustment requirements' at the written application stage. For example, this information may be relevant for the arrangement of interviews and/or aptitude tests. This information is not needed for the process of shortlisting and should not be taken into account at this stage. To avoid the perception that this information has been collected for the purpose of informing the interview shortlist, departments should consider requesting this type of information at a later stage of the recruitment process.

Collection notices

IPP 2 and NPP 1 require that, when a department is collecting personal information from the individual, it provides them with specific information.

The individual must be told:

  • for what purpose the personal information is being collected
  • if the collection is authorised or required under legislation, details of the authority
  • any entity to which the personal information may be disclosed; and
  • if known, anyone to whom the entity may pass the information on to.

Example

When collecting personal information via a recruitment process, a department may include a notice which states that the personal information is being collected to assess the applicant's suitability for the position under chapter 5 of the PS Act.

Mandatory qualifications

If a position requires mandatory qualifications or requirements, such as an Engineering degree or a class 2 driver licence, the recruitment material should make this clear. If a qualification or requirement is not required but is desirable, this distinction should also be made clear.

However, if a particular qualification or requirement is irrelevant to a position, for example, possession of a driver licence, then the recruitment material should not ask for the information to be supplied to the department. To do so would place the department in the position of collecting irrelevant personal information, which could be a breach of the privacy principles.

It is important that generic or template recruitment material is reviewed carefully to ensure it is not asking for information irrelevant to the specific position being recruited.

Employment screening

If the position will require employment screening of criminal or disciplinary histories, this must be made clear in the recruitment material. It should also set out that the successful applicant's consent must be obtained before any screening takes place.

Equal Employment Opportunity material

Departments are obligated to promote Equal Employment Opportunity (EEO) in their employment processes. To effect this obligation, departments may ask applicants about EEO personal information such as their gender or national origin.

The applicant is not obligated to provide the department with EEO information and it must be made clear that providing that information is voluntary.

Dealing with application material

Receipt and storage

Applications and supporting documentation contain extensive amounts of personal information, such as education details, referee details and contact details. Information concerning a person's current employment and employment history is also their personal information.

Privacy principles require personal information to be adequately secured and protected from unauthorised and unnecessary access. As such, access to applications should be limited only to those who need to be involved in the process and applications must be stored securely and protected, whether they are hard copy or electronic copy.

Ideally, documents containing personal information (ie. applications, statements of suitability, supporting documentation) should not be taken out of the workplace. If they are taken out of the office by those involved in the process, great care must be taken to ensure they are securely protected in transit, in storage and use off-site. Failure to do so could lead to both a breach of the obligation to protect personal information, and the obligation not to disclose personal information.

Examples

  1. Failure to protect and safeguard the office's electronic data storage devices when travelling to and from the office.
  2. Failure to keep documents containing personal information secure, such as reviewing job applications on the train or not locking your computer when you leave your desk.
  3. Failure to protect personal information from unauthorised access, such as sending work documents to a multi-user home email inbox.

Distribution to panel members

Where the recruitment process is conducted wholly within the recruiting department, distribution of applications among panel members will be part of the use for which the personal information was collected.

Where the recruitment process involves persons outside of the recruiting department—for example, if panel members are drawn from other departments or an external organisation is contracted for the recruitment process—the distribution of applications will be a disclosure of personal information. The disclosure will be permitted under IPP 11(1) or NPP 2(1), but these privacy principles require that reasonable steps be taken to ensure the person to whom it is disclosed does not use it for any other purpose or disclose it to anyone else.

All panel members should be advised that they must ensure the applications are stored securely and not discussed with anyone outside the panel. Those from other departments or agencies should be advised that the applications and supporting documentation must be returned to the panel chair or securely destroyed at the end of the recruitment process.

Assessment and shortlisting

Care must be taken to ensure that only relevant information is used in the shortlisting process and at all phases of the recruitment process. What constitutes relevancy should be decided against the skill sets required in the advertised position.

If an applicant provides information which is not directly relevant to the advertised position's relevant skills, panel members are permitted to assess it.

Example

The selection documentation clearly states that responses to each of  the selection criteria should not be more than 300 words and informs applicants that this word count limit will be strictly enforced. Applicant A consistently provides over 10 pages of prose for each selection criteria, providing a great deal of personal information in the process. The selection panel is able to assess the applicant’s provision of this material as a failure to comply with a recruitment process requirement.

Interviews and selection

Arranging interviews

The fact that an individual has applied for a position is their personal information and must be taken into consideration when arranging interviews. If a panel member calls an applicant and the applicant is not available, care must be taken when leaving a message. In some cases the applicant may have provided a current work telephone contact but they have not informed persons at that workplace that they are applying for a new position.

No assumption should be made that the person answering the phone knows about the applicant's application, even when the person is a close family member.

Conducting the interview

Care should be taken in the interview not to ask questions concerning personal information not relevant to the position being applied for, even where the panel is making casual conversation with the applicant. The applicant may not understand it is only casual conversation, or may feel compelled to answer and perceive that the answer they give will be taken into consideration in the panel’s assessment. The department could be collecting irrelevant personal information in breach of the privacy principles.

Examples

  1. An applicant has an unusual surname. It may not be appropriate for the panel to ask the applicant questions about where the name originated or the applicant's ethnic, cultural or family background. The applicant may feel they have to answer, and may fear that this information will be considered adversely by the panel when making the decision.
  2. The applicant is known to one of the panel members who engages him in a conversation about the difficulties in juggling the responsibilities of a career and that of a solo parent. The panel member mentions this in the conversation to put the applicant at ease but it has the opposite effect, as it reveals unnecessary information about his private life and raises a concern for him that, in comparison to other applicants, his domestic circumstances will be seen as a detrimental factor.

Referee reports

As part of the application material, applicants are generally required to provide details of at least one referee. Applicants are required to obtain a referee's agreement to being consulted in a selection process, so the panel's subsequent contact of the referee will not inappropriately disclose the information that the applicant has applied for the position.11 However, this only applies to the applicant's nominated referees. Disclosure of the information to anyone else could be a breach of the privacy principles.

If the panel is unable to contact the referee, or if the referee is not able to provide meaningful comment on the applicant's skills and experiences relevant to the position, the panel must contact the applicant and ask them to nominate another referee. The applicant remains obligated to obtain the new referee's acceptance before providing their contact details to the panel.

Collection notices and referees

The definition of 'personal information' includes information or an opinion, whether true or false and whether provided through written or verbal communication. The obligation to provide a collection notice12 arises when the panel obtains a referee report from a referee. The referee report is the referee's opinion of the applicant and the department is collecting it.

Where adverse comments made by a referee may affect the selection outcome, the applicant must be given an opportunity to respond to the adverse material. The applicant's response must be documented and the panel is required to take the response into its consideration when assessing the merits of their application.13

The collection notice need not be complex, but it must advise the referee that if they provide adverse comments concerning the applicant, the panel is obligated to disclose those comments to the applicant for the purposes of enabling the applicant to respond.14

Panel recommendation

In most cases, the panel members are not authorised officers or delegates with the authority to appoint the preferred applicant. They will generally be limited to preparing a statement on the shortlisted applicants, identifying the preferred applicant and providing the reasons to support the recommendation of the preferred applicant for the position. The authorised officer or delegate will then review the recommendations and decide whether to approve the appointment.

The panel's report should include only the personal information about the applicants which is relevant to the decision to appoint an applicant to the position. What is considered relevant information will depend on the facts and circumstances of each matter.

Example

While information about an applicant's love of the ballet is unlikely to be relevant to requirements of the position, the fact that the applicant took the opportunity to talk about ballet instead of responding to the questions asked of them by the panel may be relevant to the panel concluding that the applicant did not address the core requirements of the position.

Identification and Qualifications

An agency may require the preferred applicant to provide evidence of:

  • the applicant's identity
  • the applicant's citizenship or permanent resident status, as set out in section 127 of the PS Act; or
  • the applicant's claimed qualifications.

The purpose for the provision of identity and/or qualification documentation is to verify that the person is who they present to be and/or they hold the required qualifications for the position. This purpose can be fulfilled by the sighting of the identity and qualification documents. The purpose is not enhanced by the retention of a copy of the documents and, accordingly, the taking and retention of a copy of these documents may be a breach of IPP 1. Best practice would be for a statement that the relevant document has been sighted by an authorised officer to be made and added to the preferred applicant's file.

Employment screening

There are specific positions which require a level of assessment beyond the application shortlisting and interview process. There is also a provision requiring the full disclosure of information about previous serious disciplinary action.

These extra checks should only be conducted on the preferred applicant after their appointment has been conditionally approved by the authorised officer.

Criminal history checks for Relevant Duties and child related duties

Chapter 5 of the PS Act sets out the circumstances in which a department's chief executive can seek an applicant's written consent to conduct a criminal history check.15 It may only be sought if the applicant is to undertake 'relevant duties'16as determined by the chief executive.

Once the chief executive has decided that the position involves relevant duties, the written consent of the applicant must be sought in order to conduct the criminal history check. To conduct a criminal history check without the applicant's consent would be a breach of the PS Act and also the privacy principles relating to collection and disclosure of personal information. If the applicant refuses to provide written consent, the agency must not conduct a criminal history check and the applicant must be informed that they will no longer be considered for that position.

The criminal history check must be subject to the highest levels of protection and security, and made available only to those with a genuine need to know. Ideally, the criminal history check will be provided only to the chief executive, or officer with the delegated authority to appoint the applicant to the position.

Once the assessment has been conducted, and all appeal and review timeframes have expired, the records relating to the criminal history check should be securely destroyed. This will ensure compliance with the privacy principles. The checks must be conducted in accordance with chapter 5 of the PS Act and Employment Screening directive.17

Disciplinary disclosures

The PSC Post-separation Discipline Directive18 gives the chief executive of a department the discretionary power to require an applicant, who is or has been a public service officer, to disclose any previous serious disciplinary action in writing within seven days of the request of disclosure. This requirement must be included in the role description.

The requesting chief executive may also ask another chief executive to supply disciplinary information about the applicant if the information is reasonably necessary for the requesting chief executive to make a decision about appointing the applicant (information exchange). If satisfied that the disciplinary information is reasonably necessary, the other chief executive must supply it.

If both chief executives are reasonably satisfied that the requesting chief executive has a reasonable need for the disciplinary information, neither chief executive will be in breach of the privacy principles to collect or disclose it.

Ideally, disciplinary information would only be made available to the relevant chief executive, or officer with the delegated authority to appoint, and to no one else. It can only be used in accordance with the relevant PSC Directive; to use it for another purpose could be a breach of the privacy principles.

Appointment

Offer and Gazette notification

When the successful applicant is offered the position, they should be advised that their appointment may be announced in the Government Gazette.

Section 119(2) of the PS Act provides for appointments as a public service officer to be notified in the Government Gazette. This disclosure is required by law and so is a permitted disclosure under the privacy principles.

Records transfer

If the appointed applicant was a public service officer in a department prior to the appointment, and their employee record is in the possession of another chief executive, the record must be transferred to the chief executive of the department to which the applicant has now been appointed. This collection and disclosure of personal information is authorised under section 13 of the PS Regulation, and so is permitted under the privacy principles. The department is not obligated to inform the employee that their employee records will follow them to their new department.

Declaration of interests

The PS Act obligates a public service employee to disclose to the chief executive of the department an 'interest that conflicts or may conflict with the discharge of the employee's duties'.19

Examples

Conflicts of interests may include

- membership of a community or advocacy group involved with an area that falls within the employee's department's responsibilities, or secondary employment.

- an employee working for different employers; or

- ownership of shares in a company.20

The chief executive of the department can also direct an employee to provide them with a statement about the employee's interests. Information about the employee's interests will be kept on the employee's personnel record. Information about an employee's interests constitutes their 'personal information'.

Requests for, and management and use of this personal information is authorised under law. Applicants can be informed in the recruitment documentation that, if appointed, information on their interests can be sought for the purposes of resolving potential conflicts.

Tips

- The information about conflicts of interest can only be requested from an employee; and

- It is not appropriate to require applicants for a position to provide information on their interests during the recruitment process.

Relevant documents

The following documents are relevant to the recruitment process:

  • The Public Service Act 2008 (Qld)
  • The Public Service Regulation 2008 (Qld)
  • PSC Employment Screening Directive No. 7/11
  • PSC Recruitment and Selection Directive No. 1/10
  • PSC Transfer and Appointment Expenses Directive No. 11/11
  • PSC Post-Separation Discipline Directive No. 23/10
  • PSC Declaration of Interests – Public Service Employees (other than chief executives) Directive No. 3/10
  • General retention and Disposal Schedule, Queensland State Archives

For further information about Guidelines and Directives relevant to recruitment, please visit the Public Service Commission website.21

  • 1 'Privacy principles' is defined in Schedule 5 of the IP Act as "the requirements applying to an entity under chapter 2"
  • 2 Section 12 of the IP Act.
  • 3 Schedule 3 of the IP Act.
  • 4 Schedule 4 of the IP Act.
  • 5 Section 33 of the IP Act.
  • 6 Chapter 2, part 4 of the IP Act.
  • 7 See IPP 11(1)(a).
  • 8 Section 3(1)(a) of the PS Act.
  • 9 The Minister responsible for administering the Industrial Relations Act 1999 (Qld).
  • 10 See IPP 11(1)(d) and NPP 2(1)(f).
  • 11 The definition of disclosure in section 23 of the IP Act does not include information that is known by the person to whom the personal information is disclosed.
  • 12 IPP 2 and NPP 1.
  • 13 See 7.10(f) Referee Checking in PSC Recruitment and Selection Directive 01/10.
  • 14 Ibid.
  • 15 See section 152 of the PS Act.
  • 16 See section 151 of the PS Act for the definition of 'relevant duties'.
  • 17 Refer to the PSC Employment Screening Directive No. 07/11 for further information
  • 18 See 7.5 of the PSC Post-separation Discipline Directive No. 23/10
  • 19 Section 186 of the PS Act.
  • 20 For more examples of potential conflicts of interest for public service employees (other than departmental Chief Executive), see PSC Declaration of Interests: Public Service Employees (other than departmental Chief Executive) Directive No. 3/10.
  • 21 Public Service Commission website located at www.psc.qld.gov.au.

Current as at: October 9, 2013