
Protecting People Data in Hiring

by Angus Jones

Every business that hires collects and stores personal information. From resumes and identification documents to medical clearances, superannuation and bank details, licences, and reference checks, this data tells the story of the people who make your business run. Managing that People Data securely is a daily responsibility for every employer.

With a few structured, repeatable habits, and by making better use of the tools you already have, you can protect your people's information, meet privacy requirements, and build lasting trust.

1. Identify what you collect, where it lives, and who touches it

Start with visibility. List what personal and sensitive data you gather at each stage of employment:

  • Pre-hire: resumes, ID, licences, qualifications, references.
  • Onboarding: tax and super forms, bank details, emergency contacts, training certificates.
  • During employment: performance notes, medical clearances, leave forms, payroll data.

Next, note where this information is stored – email inboxes, shared drives, laptops, HR systems, even messaging apps – and who can access it. Many businesses find data scattered across personal folders and email attachments. Consolidate where possible and set one "source of truth" per person.

You likely already have secure storage tools: Microsoft 365 and Google Workspace both include encrypted cloud drives, multi-factor authentication (MFA), and controlled sharing options. Use these features instead of emailing documents or saving them to unsecured desktops.

When an employee leaves, treat their data like a formal project rather than an afterthought. Confirm what information must be retained for legal, tax, or safety purposes (for example, payroll, superannuation, and injury records) and what can be securely deleted, such as copies of ID, medical notes, and access credentials. Remove their access to all systems immediately, transfer ownership of any shared files, and reset shared passwords. Archive essential employment records in a restricted folder with a clear retention end date, then schedule a follow-up review (typically after seven years) to confirm deletion. This ensures compliance, prevents unauthorised access, and keeps your records lean and accurate.

2. Build trust and compliance into hiring

Transparency builds confidence. Let candidates know why you collect data, how it's collected and used, who will see it, and when it's deleted. A short, plain-English privacy and consent statement attached to your onboarding pack goes a long way.

Other low-cost practices include:

  • Data minimisation: Only collect what's needed for each stage. For example, don't request a driver's licence until the role requires driving.
  • Role-based access: Give recruiting staff access to candidate data, but limit payroll or medical information to HR only.
  • Audit trail: Keep a simple log (spreadsheet or system note) recording who uploaded or accessed sensitive documents.
  • Breach checklist: Prepare a two-page guide on how to isolate an incident, who to notify, and what to communicate.

These steps reduce administrative risk and the human errors that often lead to data leaks.

3. Delete data methodically, not emotionally

Most breaches occur because data lingers long after it's useful. Set clear retention rules:

  • Unsuccessful candidates: keep applications and interview notes for 6–12 months, then securely delete.
  • Employees: retain payroll and contractual records as legally required and remove unnecessary supporting documents.
  • Referee contacts: delete once the hiring decision is final unless there's a legal or audit need.

Add a "Delete by" date to file names (e.g., Smith_ID_DEL-2026-06) or create quarterly calendar reminders for data clean-ups. For secure destruction:

  • Digital: use your system's permanent-delete function; for devices, run a secure-erase before resale or disposal.
  • Physical: use a cross-cut shredder or a certified destruction service, keeping the certificate for your records.
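The "Delete by" file-name convention above can be checked mechanically at each quarterly clean-up. The script below is an added example, not part of the original article or any WorkPro tool: it assumes the `_DEL-YYYY-MM` tag shown above, treats a file as expired once the tagged month arrives, and flags files that will expire before the next quarterly review. The file listing is constructed sample data.

```python
import re
from datetime import date, timedelta

# The article's "Delete by" convention: a _DEL-YYYY-MM tag in the file name, e.g. Smith_ID_DEL-2026-06
DEL_TAG = re.compile(r"_DEL-(\d{4})-(\d{2})(?!\d)")
# Files expiring within this window are flagged so they are not missed before the next clean-up
QUARTER = timedelta(days=90)

def parse_delete_by(name: str):
    """Return the delete-by date (first day of the tagged month), or None if the file is untagged."""
    m = DEL_TAG.search(name)
    if not m:
        return None
    year, month = int(m.group(1)), int(m.group(2))
    if not 1 <= month <= 12:
        return None  # malformed tag: treat as untagged so a person reviews it
    return date(year, month, 1)

def classify(name: str, today: date) -> str:
    """expired: delete-by month reached; due_soon: within a quarter; retained; untagged: no tag."""
    delete_by = parse_delete_by(name)
    if delete_by is None:
        return "untagged"
    if today >= delete_by:
        return "expired"
    if today + QUARTER >= delete_by:
        return "due_soon"
    return "retained"

def review(names, today: date) -> dict:
    """Group file names into the four buckets for the quarterly clean-up review."""
    report = {"expired": [], "due_soon": [], "retained": [], "untagged": []}
    for name in sorted(names):
        report[classify(name, today)].append(name)
    return report

# Constructed sample listing, not real records
SAMPLE_FILES = [
    "Smith_ID_DEL-2026-06.pdf",       # due within the next quarter
    "Jones_Resume_DEL-2025-01.docx",  # already past its delete-by month
    "Lee_Payroll_DEL-2031-07.xlsx",   # retained as legally required
    "Brown_Medical.pdf",              # untagged: needs a retention decision
]

def sample_report(today_iso: str = "2026-04-01") -> dict:
    """Review the constructed sample as of the given date (ISO format)."""
    return review(SAMPLE_FILES, date.fromisoformat(today_iso))
```

Feed `review()` the names from a real HR folder to produce the clean-up list; anything in the "untagged" bucket needs a retention decision before the next review.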

If you use external vendors (for payroll, screening, or training), ask how they handle data expiry and how an individual can request the removal of their data.

4. Treat HR data with the same rigour as financial data

Most small businesses protect their bank accounts meticulously but underestimate the sensitivity of HR information. Apply the same controls:

  • Two-person approval for changes to personal or payroll details.
  • Regular reviews of who can access HR folders or systems.
  • Password protection for any file containing personal data.
  • Vendor due diligence – ask where data is hosted and how it's encrypted.

5. Detecting fraud through smart, practical verification

As recruitment becomes more remote, identity and reference fraud are growing risks. Simple tools can help:

  • Track the IP address or time zone of online referees – if a "Sydney manager" submits a reference from an overseas server at midnight, it's worth a quick verification call.
  • Prefer references from company email domains rather than free accounts.
  • Keep reference links one-time use to prevent spoofing.
  • Confirm referees via a company 'contact us' channel, not a mobile number provided by the candidate.
  • Conduct an identity check either in person or, if you use a digital system, via a digital ID check that uses a Document Verification Service combined with a biometric check.

These small steps protect both your business and genuine candidates from fraudulent behaviour.

6. Lessons from ISO 27001:2022 – continuous improvement, not compliance theatre

When WorkPro achieved its ISO 27001:2022 accreditation, the biggest insight wasn't about technology – it was about rhythm. Data protection isn't a one-off project; it's an ongoing cycle of review and refinement.

Even without certification, SMEs can borrow this approach: once a year, review who has access to what, test your breach response plan, check vendor contracts, review your privacy policy and collection notice, and refresh your team's awareness through training. A simple online search will help you find practical security training providers, and the company delivering your technology support may also be able to provide user security training.

Use the annual review as an opportunity to tidy, update, and strengthen. Small, consistent improvements make a business more resilient – and reinforce that protecting people's data is as much about trust as it is about compliance.


Contributed by Tania Evans, Founder & CEO of WorkPro

WorkPro is an Australian workforce compliance and job-readiness platform helping businesses implement and deliver a consistent, robust, streamlined screening, onboarding and legal compliance program for their workforce.
