Information about a job applicant’s criminal history is personal information under the Privacy Act 2020 (PA). Employers should therefore be careful to ensure that they are complying with their obligations under the PA in respect of that information.
For some roles, for example where an individual would be working with children or vulnerable people, criminal background checks and police vetting are a statutory requirement before the individual can commence work.
For all other roles, the starting point is that job applicants are not required to provide previous criminal convictions unprompted. If asked about previous criminal convictions, however, a job applicant should act in good faith and disclose such information, especially if it may affect an employer’s decision to employ them. If a job applicant is covered by the Clean Slate Act 2004, they can legitimately state they have no criminal history.
Some employers prefer to do a criminal record check through the Ministry of Justice or Police to ensure there is nothing of concern. Employers often make an offer of employment conditional on satisfying such checks, which is perfectly acceptable. Where an employer seeks to undertake a criminal record check, the job applicant must give their permission before the employer is able to make an application for the record. The employee’s consent must be current, however, as evidenced by a case taken to the Privacy Commissioner regarding criminal record checks, Case Note 312002 [2021] NZPrivCmer.
This case provides a useful cautionary tale about when it will not be appropriate to request a criminal background check from the Police. The relevant facts are as follows:
- When the Employee applied for the role at the Employer’s care home, they filled in a form consenting for the Employer to carry out a Police criminal record check;
- The criminal record check was not carried out and the Employee was hired;
- Over a year later, during a dispute between the parties, the Employer applied for a copy of the Employee’s criminal record; and
- Upon finding that the Employee had previous convictions, the Employer dismissed the Employee for failing to disclose those convictions, as well as inappropriate conduct relating to the employment dispute.
The individual made a claim to the Office of the Privacy Commissioner, which subsequently found that the Employer’s actions were in breach of Privacy Principle 1 and 2 under the PA.
Privacy Principle 1
This principle sets out that personal information must not be collected unless it is for a lawful purpose connected with the functions or activities of the organization and the collection for information is necessary for that purpose.
The Commissioner recorded that it did not consider that it was necessary for the Employer to request information from the Police in the context of an employment dispute and the employer was therefore in breach of Privacy Principle 1 under the PA.
Privacy Principle 2
Under privacy principle 2, personal information must be collected directly from the individual unless the organization believes, on reasonable grounds, that an exception applies, for example if the person concerned gives the organization permission to seek information from other sources.
Police guidelines set out that vetting requests must be made within 3 months from the date the person gives consent to the vetting taking place. Given that the request was made over a year since the Employee commenced employment with the Employer, her consent to the request was no longer active. The Employer therefore acted in breach of Privacy Principle 2.
As the individual was seeking compensation in relation to their employment, the Privacy Commissioner declined jurisdiction, however. The individual was free to pursue her case in the Human Rights Review Tribunal, however we are not aware of this matter going further. It is entirely possible that the individual brought a personal grievance under the Employment Relations Act 2000 and settled the employment related breaches confidentially.
Overall, the key takeaways for employers from this case are:
- always collect information only when strictly necessary, and for the purpose the collection was designed for; and
- even if legislation gives you the right to override certain privacy principles, check the timeframes and extent of the override.
If you have a question about your organization’s privacy obligations, please don’t hesitate to be in touch with the Employment Team.