The Australian Privacy Act 1988
The Privacy Act 1988 (Cth) is the primary federal legislation governing how organisations collect, use, store, and disclose personal information in Australia. It applies to all Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, and certain other organisations regardless of turnover (including health service providers, organisations that trade in personal information, and those related to organisations covered by the Act).
For pre-employment screening, the Privacy Act is the most important piece of legislation because background checks inherently involve the collection and handling of personal—and often sensitive—information. Sensitive information, as defined in section 6 of the Act, includes criminal record information, health information, biometric data, and information about racial or ethnic origin. The Act imposes stricter requirements on the handling of sensitive information compared to other personal information.
The Privacy Act is administered by the Office of the Australian Information Commissioner (OAIC), which has the power to investigate complaints, conduct audits, issue determinations, and seek civil penalties of up to $50 million for serious or repeated interferences with privacy. In practice, most enforcement action begins with a complaint from an individual, but the OAIC can also initiate investigations on its own motion.
Even if your organisation falls below the $3 million turnover threshold, opting in to the Privacy Act (or voluntarily complying with the APPs) is strongly recommended. Many state and territory privacy and health records laws impose similar obligations, and courts and tribunals will consider industry best practice when assessing whether an employer acted reasonably. Treating the APPs as your baseline is the safest approach.
Australian Privacy Principles Relevant to Screening
The 13 Australian Privacy Principles (APPs) are contained in Schedule 1 of the Privacy Act and set the standards for handling personal information. Several APPs are directly relevant to pre-employment screening:
APP 3 — Collection of Personal Information
APP 3 requires that you only collect personal information that is reasonably necessary for your functions or activities. For screening, this means you should only request checks that are proportionate to the role. A police check and reference checks are reasonable for most roles, but a financial background check is only justified for roles involving financial authority or fiduciary responsibility. Collecting more information than necessary is a breach of APP 3.
For sensitive information (including criminal records), APP 3.3 imposes additional requirements: the individual must consent to the collection, and the information must be reasonably necessary for your functions. This means you need explicit consent for a police check, and you must be able to justify why the check is needed for the specific role.
APP 5 — Notification of Collection
APP 5 requires that you take reasonable steps to notify the individual about the collection of their personal information. The notification must include: what information is being collected, the purpose of collection, the consequences (if any) of not providing the information, any entities to whom the information will be disclosed, and how the individual can access and correct their information. In the screening context, this means your consent form must clearly explain what checks will be conducted and why.
APP 6 — Use and Disclosure
APP 6 limits the use and disclosure of personal information to the primary purpose for which it was collected, or a directly related secondary purpose that the individual would reasonably expect. Screening results collected for hiring decisions must not be used for unrelated purposes (e.g., marketing, sharing with unrelated business units, or selling to third parties). If you use a third-party screening provider, ensure your contract restricts them to using the information only for the purpose of conducting the requested checks.
APP 11 — Security of Personal Information
APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. For screening records, this means storing results in a secure system with access controls, encrypting data at rest and in transit, and limiting access to personnel who need the information for legitimate purposes. You must also take reasonable steps to destroy or de-identify information when it is no longer needed for any purpose for which it may be used or disclosed under the APPs.
State and Territory-Specific Legislation
In addition to the federal Privacy Act, each Australian state and territory has its own legislation that may affect pre-employment screening. Employers operating across multiple jurisdictions must comply with all applicable laws.
New South Wales: The Health Records and Information Privacy Act 2002 (HRIPA) governs health information, relevant for drug and alcohol screening and medical assessments. The Privacy and Personal Information Protection Act 1998 (PPIPA) applies to NSW public sector employers. The Child Protection (Working with Children) Act 2012 governs WWCC requirements.
Victoria: The Health Records Act 2001 governs health information. The Privacy and Data Protection Act 2014 applies to the Victorian public sector. The Worker Screening Act 2020 governs Working With Children Checks and NDIS worker screening, replacing the earlier Working with Children Act 2005 framework. Victoria’s spent convictions scheme is contained in the Spent Convictions Act 2021, which has some differences from the federal scheme.
Queensland: The Information Privacy Act 2009 applies to Queensland Government agencies. The Criminal Law (Rehabilitation of Offenders) Act 1986 governs spent convictions with a rehabilitation period of 10 years (5 years for juvenile offences). The Working with Children (Risk Management and Screening) Act 2000 governs Blue Card requirements.
Western Australia: The Spent Convictions Act 1988 was one of the earliest spent convictions schemes in Australia. The Working with Children (Criminal Record Checking) Act 2004 governs WWCC requirements. WA does not have general private-sector privacy legislation, but the federal Privacy Act applies to organisations meeting the coverage criteria.
South Australia: The Spent Convictions Act 2009 governs spent convictions. The Child Safety (Prohibited Persons) Act 2016 governs working with children screening. SA also has the Information Privacy Principles that apply to government agencies by administrative instruction rather than legislation.
Tasmania, ACT, and Northern Territory: Each has its own working-with-children legislation, spent convictions provisions, and public sector privacy frameworks. The ACT’s Spent Convictions Act 2000 has recently been amended. Tasmania’s Registration to Work with Vulnerable People Act 2013 covers both children and other vulnerable people.
The key takeaway for employers is that a “one size fits all” approach does not work in Australia. Your screening policy must account for the jurisdiction in which the worker will be employed, the jurisdiction in which the checks are conducted, and any sector-specific regulatory requirements.
Consent Requirements
Consent is the cornerstone of lawful pre-employment screening in Australia. Without valid consent, a background check may breach the Privacy Act, give rise to a complaint to the OAIC, and expose the employer to legal liability. Here is what constitutes valid consent for screening purposes:
Informed consent: The individual must understand what they are consenting to. Your consent form should clearly specify each check that will be conducted (e.g., national police check, reference checks, qualification verification), explain what personal information will be collected and from whom, describe how the information will be used in the hiring decision, and identify any third parties who may receive the information (e.g., screening providers, ACIC-accredited bodies).
Voluntary consent: Consent must be freely given, not coerced. While it is reasonable to make a job offer conditional on satisfactory screening, the candidate must have a genuine choice to consent or decline. If a candidate declines, the consequence (that the offer cannot proceed) should be clearly stated, but the candidate should not be pressured into consenting. For existing employees subject to periodic re-screening, the requirement should be established in the employment contract or policy.
Written consent: While the Privacy Act does not strictly require written consent, it is strongly recommended (and required by ACIC-accredited bodies for police checks). Written consent provides clear evidence that consent was obtained and what it covered. Electronic consent (e.g., a digital signature or a checkbox on a secure web form) is acceptable and increasingly standard.
Specific consent: A broad, blanket consent to “any background checks the employer deems necessary” is unlikely to satisfy the APPs. Consent should be specific to the checks being conducted. If you later decide to conduct additional checks not covered by the original consent, you must obtain fresh consent before proceeding.
Consent for sensitive information: Under APP 3.3, collecting sensitive information (including criminal record information and health information) requires the individual’s consent and the information must be reasonably necessary for your functions. This dual requirement means that even with consent, you cannot collect sensitive information that is not relevant to the role.
Refchecks uses a secure digital consent workflow that presents candidates with a clear, plain-language explanation of each check being conducted, collects electronic consent with a date and time stamp, and stores the consent record as part of the screening audit trail. This ensures compliance with the APPs and provides robust evidence of valid consent.
Anti-Discrimination Law and Screening
Australian anti-discrimination legislation at both federal and state levels prohibits making employment decisions based on protected attributes. When using screening results in hiring decisions, employers must be careful not to discriminate unlawfully.
Federal anti-discrimination laws:
- Age Discrimination Act 2004 — Prohibits discrimination based on age
- Disability Discrimination Act 1992 — Prohibits discrimination based on disability, including medical conditions and mental health conditions that may appear in health screening results
- Racial Discrimination Act 1975 — Prohibits discrimination based on race, colour, descent, or national or ethnic origin
- Sex Discrimination Act 1984 — Prohibits discrimination based on sex, sexual orientation, gender identity, intersex status, marital or relationship status, pregnancy, and family responsibilities
- Australian Human Rights Commission Act 1986 — Provides the AHRC with power to investigate complaints of discrimination
The Fair Work Act 2009: Section 351 prohibits an employer from taking adverse action against a person (including refusing to employ them) because of a protected attribute. Protected attributes include race, colour, sex, sexual orientation, age, disability, marital status, family responsibilities, pregnancy, religion, political opinion, national extraction, and social origin. Adverse action based on a criminal record is not explicitly prohibited under the Fair Work Act, but may be caught by state anti-discrimination laws or the general protections provisions if the record relates to a protected attribute.
Practical implications for screening: When a background check reveals adverse information, the employer must assess whether the information is genuinely relevant to the inherent requirements of the role. A criminal conviction for fraud is clearly relevant to a financial controller role, but a decades-old minor offence unrelated to the job duties is unlikely to justify rejecting a candidate. Similarly, a medical assessment that reveals a disability must be assessed in terms of the person’s ability to perform the inherent requirements of the role, with reasonable adjustments considered.
The key principle is proportionality. Every adverse finding must be assessed individually, in the context of the specific role, with documented reasoning. Blanket policies (e.g., “no one with a criminal record”) are almost certainly discriminatory and will not withstand legal scrutiny. Employers should train hiring managers on how to assess screening results lawfully and consistently.
Spent Convictions Scheme
Spent convictions legislation exists at both federal and state levels in Australia. The purpose of these schemes is to allow individuals who have been convicted of relatively minor offences to move on with their lives after a period of good behaviour, without the conviction continuing to affect their employment prospects.
Federal scheme (Part VIIC, Crimes Act 1914): A conviction becomes “spent” if the person was not sentenced to imprisonment for more than 30 months and a waiting period has elapsed without further offending. The waiting period is 10 years for adults and 5 years for juveniles from the date of conviction (not the date of sentence completion). Once spent, the conviction must not be disclosed on a police check and must not be taken into account by an employer. It is unlawful for an employer to require a person to disclose a spent conviction or to discriminate against a person because of a spent conviction.
Exemptions: The spent convictions scheme does not apply in all circumstances. Exemptions exist for certain prescribed occupations and positions, including:
- Roles involving working with children or vulnerable people
- Law enforcement and judicial appointments
- Positions requiring a security clearance
- Certain roles in aged care, disability services, and healthcare
- Roles in the financial services sector where a fit-and-proper-person assessment is required by ASIC or APRA
When an exemption applies, the police check will include all disclosable court outcomes regardless of whether they are spent. Even in these cases, however, the employer must still assess the relevance of the conviction to the role and cannot apply a blanket rejection policy.
State and territory variations: Each state and territory has its own spent convictions legislation, and the details vary. Victoria’s Spent Convictions Act 2021 has different waiting periods and thresholds. Queensland’s Criminal Law (Rehabilitation of Offenders) Act 1986 uses a different qualifying period. Western Australia’s Spent Convictions Act 1988 was one of the first such schemes in Australia. The applicable scheme depends on the jurisdiction in which the conviction was recorded and the jurisdiction in which the check is being conducted.
For employers, the practical guidance is straightforward: never ask candidates whether they have spent convictions (unless an exemption applies), and never rely on self-disclosure as a substitute for a formal police check. Use an ACIC-accredited provider that applies the correct spent convictions filters, and assess all disclosable outcomes on their merits.
Data Retention and Destruction
Screening results contain sensitive personal information, and the Privacy Act imposes clear obligations on how long you can retain this information and when you must destroy it.
APP 11.2 requires organisations to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it may be used or disclosed under the APPs. In the screening context, this means you must not retain screening results indefinitely “just in case.” You need a clear retention policy linked to a legitimate business or legal purpose.
Recommended retention periods:
- Successful candidates (hired): Retain screening results for the duration of employment plus 7 years (to cover potential future claims under the Fair Work Act, which has a 6-year limitation period for some claims). Store as part of the employee’s HR file with appropriate access controls.
- Unsuccessful candidates: Retain for 12–24 months after the hiring decision. This covers the period in which a candidate might lodge an anti-discrimination complaint or adverse action claim. After this period, destroy or de-identify the records.
- Police check results: ACIC guidelines recommend retaining police check results only for as long as necessary for the purpose for which they were obtained. Many organisations treat 12 months as the maximum retention period for unsuccessful candidates’ police checks.
Secure destruction: When the retention period expires, records must be securely destroyed—not simply deleted from active systems. Digital records should be permanently deleted from all systems including backups (or flagged for deletion at the next backup cycle). Physical records should be cross-shredded. Your screening provider should have its own data retention and destruction policies that align with these requirements.
Data breach obligations: Under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, organisations must notify the OAIC and affected individuals if a data breach involving personal information is likely to result in serious harm. Given the sensitivity of screening records (criminal history, financial background, identity documents), a breach of screening data would almost certainly meet the serious harm threshold. This makes robust security and access controls not just good practice, but essential to avoiding mandatory breach notification.
Refchecks handles data retention and destruction automatically according to configurable retention policies, ensuring compliance with both the APPs and ACIC guidelines. All data is stored on Australian servers with encryption at rest and in transit, and access is restricted by role-based permissions.
Enforcement and Penalties
Non-compliance with Australian privacy and anti-discrimination laws in the context of background screening can result in significant financial penalties, legal liability, and reputational harm. Understanding the enforcement landscape helps employers appreciate the importance of getting screening right.
Privacy Act enforcement (OAIC):
- The OAIC can investigate complaints from individuals and conduct Commissioner-initiated investigations
- Determinations can require the organisation to compensate the individual for loss or damage, change its practices, publish an apology, or take other remedial action
- Civil penalties for serious or repeated interferences with privacy: up to $50 million, three times the benefit obtained from the breach, or 30% of adjusted turnover during the breach period—whichever is greatest (as amended by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022)
- The OAIC has increasingly focused on organisations’ compliance with collection, notification, and security obligations
Anti-discrimination enforcement:
- Complaints to the Australian Human Rights Commission (AHRC) under federal anti-discrimination legislation. The AHRC facilitates conciliation; if conciliation fails, the complainant can take the matter to the Federal Court or Federal Circuit and Family Court
- Complaints under state and territory anti-discrimination legislation are handled by the relevant state body (e.g., Anti-Discrimination NSW, Victorian Equal Opportunity and Human Rights Commission, Queensland Human Rights Commission)
- Remedies include compensation for economic loss and hurt/humiliation, reinstatement, and orders requiring the employer to change its practices
- Under the Fair Work Act, civil penalties for adverse action can reach 60 penalty units for an individual ($19,800) or 300 penalty units for a body corporate ($99,000) per contravention, plus compensation for the affected person
Case law examples: Australian courts and tribunals have found against employers who rejected candidates based on irrelevant criminal history, conducted checks without adequate consent, retained screening data for excessive periods, or applied screening requirements inconsistently across candidates for the same role. These decisions reinforce that compliance is not optional—it is a legal requirement that courts take seriously.
The most effective protection against enforcement action is a well-documented, consistently applied screening policy that is reviewed regularly, supported by appropriate training for hiring managers, and implemented through a compliant screening platform. Investing in a proper process is far cheaper than defending a privacy complaint or discrimination claim.