The New Data Privacy Law Your Recruitment Agency Can’t Risk Breaching

The new Privacy Amendment to the Notifiable Data Breaches (NDB) Bill 2016, which comes into effect on the 22nd of February 2018, is a game-changer recruiters “should ignore at their peril”, warned the Association of Professional Staffing Companies in Australia (APSCo Australia).

The purpose of the change is to incentivise entities that hold personal information to secure and dispose of the data properly. This includes particulars such as contact details, credit information, and tax file numbers. The law will require agencies to report a data breach of a single record or more to the Office of the Australian Information Commissioner (OAIC) and to inform any individuals affected. So, what does this mean for your recruitment agency?

Every Recruitment Agency and Recruiter Must Comply

It’s important to note that while the legislation generally only applies to businesses with a turnover of more than $3M, recruitment agencies are the exception to the rule and every single one in Australia must comply because even small firms hold enough valuable private data to be a concern. In fact, many are more vulnerable because they lack the resources to keep the information they do have secure. And while hacking is often seen as the biggest threat, data breaches can also come from consultants being careless with passwords, using unencrypted files, not shredding confidential information, or leaving papers unsecured. Any agency, regardless of size, can be at risk.

The Consequences of a Breach

The OAIC must be informed within 30 days of there being sufficient grounds to believe that an eligible breach has occurred, except for minor ones which can be remediated beforehand. The penalties are significant: for serious or repeated non-compliance, there are fines of up to $360,000 for individuals and $1.8M for organisations. Beyond the fines, agencies could face additional costs such as reputational damage, the costs of business interruption, third-party claims, and the risk of clients and candidates turning to competitors.

The new rules don’t define what exactly constitutes a serious breach, but they do say that as a result of one, “there is a likely risk of serious harm to the affected individuals […] and this can include physical, psychological, emotional, economic and financial harm, and also includes serious harm to reputation” according to the Parliament of Australia.

What Should Agencies Be Doing to Prepare?

Julie Mills, Managing Director of APSCo Australia, warns that, as a minimum, “Organisations should have commenced preparations by reviewing their data risk profile and considering cyber insurance and an incident response plan.” Consider, for example:

  • Is the appointed risk manager completing risk assessments and identifying potential security gaps?
  • What practices are in place to identify a potential or actual data breach?
  • Who is responsible for responding to it once it’s identified?
  • What plan is in place to conduct assessments and notify the OAIC following a serious breach?

These are just a few examples of things to consider. In addition, every agency should have an up-to-date and publicly accessible privacy policy which outlines how it collects and manages personal information. Staff should also receive training to ensure that everyone understands the protocols for data use and storage, and records of that training should be kept.

With your agency’s reputation on the line as a result of these changes, it’s vital that you take the necessary steps to be prepared. If your agency hasn’t sought proper advice, you may wish to enlist the services of a specialist with an understanding of data integrity, record management, and cybersecurity to help you assess these aspects and determine what your business will need to do to be prepared.


For information on other upcoming legislative changes that may affect your agency, check out What Do Changes to the 457 Visa Programme Mean for Your Recruitment Agency?