Which NZ industries need IPP3A compliance for lookups?

Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.

Is DEIS a legal adviser?

No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.

Recruitment agencies: staying compliant when running candidate background checks

Background checks on job candidates involve multiple third-party data sources. Here is how recruitment agencies can meet their IPP3A obligations.

recruitmentbackground checksHRDEISdeis.nzNew ZealandPrivacy Act 2020IPP3A

Frequently asked questions

What is the main takeaway from "Recruitment agencies: staying compliant when running candidate background checks"?: Background checks on job candidates involve multiple third-party data sources. Here is how recruitment agencies can meet their IPP3A obligations.
Which NZ industries need IPP3A compliance for lookups?: Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.
Is DEIS a legal adviser?: No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.

Recruitment agencies routinely run background checks on candidates — credit checks, identity verification, qualification verification, criminal history checks, and social media screening. Each of these involves collecting personal information from third-party sources.

The consent question

Most recruitment agencies include a background check consent clause in their candidate registration form. However, the Privacy Act requires that the consent or notification is specific to the data sources being accessed and the type of information being collected.

A generic "you consent to background checks" clause may not be sufficient — particularly for more intrusive checks like credit reporting and criminal history.

Best practice for recruiters

Specific consent. List the exact data sources you will access (e.g., Centrix credit check, Ministry of Justice criminal records).

Proportionate checking. Only run checks that are relevant to the role. A credit check for a warehouse position may not be proportionate.

Record the pathway. For each check on each candidate, record whether you relied on written consent, verbal consent, notification, or an exception.

Notify unsuccessful candidates. If you ran checks on candidates who were not placed, they still have a right to know about the data collection.

Using DEIS

DEIS allows recruitment agencies to run multiple checks per candidate and record the IPP3A pathway for each one. The evidence trail covers both successful and unsuccessful candidates, ensuring full compliance.