The Privacy Commissioner has confirmed credit checks on job applicants may breach privacy principles and the Credit Reporting Privacy Code.

A woman applied for a part-time retail assistant job at a large retail chain. The standard online application required she agree to a credit check. The Commissioner did not agree that a credit check was needed, because the job did not involve “significant financial risk to the employer”.

The Commissioner also criticized the store for being unclear about what personal information would be collected and how it would be used.

Employers who conduct credit checks during recruitment must comply with the law.

Credit reporters may disclose credit information if they believe, on reasonable grounds, that the disclosure is authorised under the Credit Reporting Privacy Code.

For hiring employers, the most relevant authorised disclosure is to a prospective employer or a prospective employer’s agent. This is only allowed if:

• It is authorised by the individual concerned; and
• It is for the purpose of a pre-employment check; and
• The proposed employment is in a position involving significant financial risk.

As a first step, hiring managers should ask applicants to agree to a credit check. Usually this will be fairly easy to implement – have the applicant sign a consent form.

Hiring managers will also need to conduct the check pre-employment. Don’t wait until you’ve hired a person before you apply for a credit check.

The position must also involve “significant financial risk”. This means more than simple cash-handling.

When collecting personal information, employers must also comply with the Privacy Act. Under the Privacy Act there are twelve core privacy principles. When conducting pre-employment credit checks the most relevant principles will be:

• Principle 1 – Personal information must be collected for a lawful purpose, and must be necessary for that purpose.
• Principle 3 – Individuals must be made aware of what information is being collected, how it is being collected, why it is being collected, who will hold the information, where the information will be held, whether provision of the information is voluntary or mandatory, what the consequences are if information is not provided, and information about their right to access and correct their information. All this information must be provided to the individual before the credit check is carried out. We suggest this information be included on consent forms.
• Principle 5 – Any information collected must be kept secure.
• Principle 6 – The individual has a right to access information about them held by the employer. If a credit check is conducted, the individual must be able to access the credit check information held by the employer.
• Principle 9 – Personal information must not be kept longer than is necessary.
• Principle 10 – Personal information obtained for one purpose must not be used for another. For example an employer who is also a creditor would not be able to use credit information obtained during pre-employment screening to decide whether they give the job applicant a line of credit.

Care is necessary when asking for personal information to make sure there is a genuine reason why the information is required and that it is obtained with consent. The information must be kept secure and securely disposed of when no longer required.