Do Recruitment Agencies Need a Privacy Policy in New Zealand?

If you run a recruitment agency in New Zealand, chances are you collect a lot of personal information before you even place a candidate. CVs, interview notes, salary expectations, references, right to work details, psychometric results, and client contact details can all pass through your business quickly. A common mistake is assuming a generic website privacy statement is enough. Another is collecting sensitive candidate information without clearly explaining why you need it, who you share it with, and how long you keep it. A third is forgetting that your internal data handling practices need to match what your policy actually says.

For most recruitment agencies, a privacy policy is not just a nice-to-have. It is a practical way to meet transparency obligations under New Zealand privacy law and show candidates, clients, and staff how personal information is handled. This guide explains when a recruitment agency needs a privacy policy, what it should cover, where founders usually get caught out, and what to sort out before you sign client terms, launch a website, or start building a candidate database.

Overview

Recruitment agencies usually need a privacy policy because they collect, use, store, and disclose large volumes of personal information as part of their core service. In New Zealand, the Privacy Act 2020 and the information privacy principles shape what agencies must tell people, how information can be used, and what systems should exist behind the scenes.

  • Whether you collect candidate, client, contractor, referee, or employee information
  • What notices you give people when information is collected
  • How your website, forms, and database describe your data practices
  • Whether you share personal information with clients, software providers, or offshore recipients
  • How long you retain CVs, interview records, and placement files
  • What process you use for access requests, correction requests, and privacy complaints
  • Whether your service agreements and internal procedures line up with your published privacy policy

What Privacy Policy Requirements for Recruitment Agency Means For New Zealand Businesses

A New Zealand recruitment agency will usually need a clear privacy policy if it collects personal information in the ordinary course of business. That is because recruitment is built on gathering, assessing, and disclosing information about identifiable people.

Under the Privacy Act 2020, agencies that collect personal information need to be transparent about what they collect, why they collect it, who will receive it, and the consequences if someone does not provide it. Those obligations do not always require a single document called a privacy policy, but in practice a written policy is the easiest and most credible way to communicate this information consistently.

For a recruitment business, this can cover information about:

  • job applicants and candidates
  • current and former contractors
  • referees and emergency contacts
  • client contacts and hiring managers
  • your own employees and consultants
  • website users and marketing contacts

The main point is simple: if your agency handles personal information, you should have a privacy policy that accurately explains your real practices.

Why recruitment agencies are a higher-risk example

Recruitment businesses often hold more than basic contact details. A candidate file can include employment history, qualifications, visa or work status, salary information, performance notes, medical or accommodation information, criminal history checks in some roles, and opinions given in confidence by referees.

This is where founders often get caught. The agency may collect broad information because a client asks for it, but no one checks whether it is actually necessary, whether the candidate was told about the use, or whether the agency can lawfully keep that information for future roles.

If your privacy policy is vague, copied from another business, or inconsistent with your real workflow, the main risk is not just reputational. You may struggle to respond properly when a candidate asks what information you hold, asks for corrections, or complains that their CV was sent to a client without clear consent.

What a recruitment agency privacy policy should usually cover

A good privacy policy needs to reflect how your business actually works. For a recruitment agency, it will usually include:

  • what personal information you collect
  • how you collect it, such as through online applications, interviews, references, third party platforms, or direct approaches
  • why you collect it, such as candidate assessment, role matching, placement, payroll, compliance, marketing, and business administration
  • who you disclose it to, such as client employers, service providers, payroll providers, IT systems, and background checking providers
  • whether information may be sent overseas or accessed by offshore software providers
  • how individuals can request access to or correction of their information
  • how privacy complaints can be made
  • how you store and protect information
  • how long information is retained, or the basis for deciding retention periods
  • whether cookies or website analytics are used

The policy should also be consistent with the notices you provide when collecting information. If your application form says one thing and your website says another, that inconsistency can create problems.

Privacy policy versus collection notice

A privacy policy is not the only tool you need. Agencies often also need collection notices or wording built into application forms, website submissions, contractor onboarding documents, and referee check processes.

That is because privacy law focuses on what people are told at the point their information is collected. A website policy helps, but it may not be enough on its own if your forms, scripts, or onboarding documents do not tell the full story.

For example, before you ask a candidate to upload a CV and complete a skills assessment, your collection wording should make clear:

  • why the information is being collected
  • whether it will be shared with potential employers
  • whether it may be stored for future opportunities
  • who to contact for access or correction requests
  • what happens if the person chooses not to provide certain information

When This Issue Comes Up

Privacy policy issues usually come up much earlier than founders expect. They do not start only when there is a complaint. They start when the agency first builds a database, launches online, or sends candidate information to a client.

When you start a recruitment business in New Zealand

If you are planning to start a recruitment business in New Zealand, privacy should be on the setup list alongside company setup, business name registration, contracts, and trade mark planning. Recruitment does not have a special licence in the same way some regulated industries do, but that does not reduce your privacy obligations.

Before you spend money on setup, think about:

  • whether you are operating as a company, sole trader, or partnership
  • what your agency terms with clients will say about candidate information
  • what your candidate terms or consent wording will say
  • what software you will use to store and search applicant information
  • whether any software provider hosts data outside New Zealand
  • who in the business will respond to privacy requests or complaints

This is a practical part of recruitment agency legal requirements in New Zealand. You cannot separate privacy from your sales process, onboarding process, and service delivery.

When you launch a website or collect CVs online

If your agency is selling online in the sense of marketing services digitally, collecting leads, and taking applications through a website, your privacy settings and public-facing privacy policy matter straight away. Candidates often upload highly personal information before speaking to anyone.

A common mistake is using a website builder template that refers only to newsletter subscribers or online shoppers. Recruitment websites usually need more detailed wording because they collect employment-related information and often route that information into an applicant tracking system.

When you sign clients and start sending candidate profiles

Privacy questions become concrete when a client asks for a shortlist, wants referee details early, or wants your agency to keep a talent pool for future vacancies. Before you sign a contract with a client, check who is permitted to receive candidate information, what consents or notices are required, and whether your client terms limit misuse of candidate data.

For example, if a hiring manager keeps a rejected candidate's CV for a later role without the candidate knowing, the issue may not sit only with the client. Your agency's collection wording, disclosure practices, and client contract settings all matter.

When you use third party tools and offshore platforms

Many agencies use applicant tracking systems, cloud storage, video interview platforms, payroll software for contractors, and skills testing tools. If those providers can access personal information from outside New Zealand, cross-border disclosure needs attention.

Your privacy policy should not ignore these arrangements. It should describe offshore storage or access where relevant, in plain language, and your business should assess whether the overseas recipient can adequately safeguard the information or whether another permitted basis applies.

When a candidate asks for access, correction, or deletion

A privacy policy becomes very real when someone asks for a copy of interview notes, wants inaccurate information corrected, or objects to future marketing or job alerts. If your business has no clear process, staff often respond inconsistently or too late.

This is why a privacy policy should be paired with internal procedures. The published document sets expectations. Your internal process makes sure the business can actually comply.

Practical Steps And Common Mistakes

The safest approach is to build your privacy policy around your real recruitment workflow, then make sure your forms, contracts, and staff practices match it. A policy copied from a generic HR or marketing business will usually miss key recruitment issues.

Step 1: Map what information you collect

Start with a simple data map. List each point where your agency collects information and what is collected there.

  • website enquiry forms
  • candidate registrations
  • CV uploads
  • interview notes
  • reference checks
  • right to work and identity checks
  • contractor onboarding documents
  • timesheets and payroll records
  • client contact details
  • marketing databases

If you do not know exactly what your business collects, your privacy policy will stay too vague to be useful.

Step 2: Check whether each category is necessary

Recruitment agencies can drift into over-collection. Just because a client asks for information does not always mean your agency should collect it at the first stage.

Ask practical questions:

  • Do we need this information now, or only later in the process?
  • Is this relevant to the role?
  • Have we told the candidate why we need it?
  • Will we use it for future roles, and have we said that clearly?

This matters most with more sensitive information. If your agency handles health information, criminal record information, diversity information, or detailed referee comments, your collection and use should be carefully justified and clearly explained.

Step 3: Write collection notices for the actual touchpoints

Your website privacy policy is one layer. Your collection notices at the point of capture are another. These are often built into forms, checkboxes, email templates, and onboarding documents.

For a recruitment agency, that may include separate wording for:

  • candidate registration forms
  • job application pages
  • referee check scripts or forms
  • contractor onboarding packs
  • client contact forms
  • marketing sign-up forms

A common mistake is relying on implied consent or broad assumptions. Candidates should not be left guessing whether their details will be circulated to multiple employers or stored for later use.

Step 4: Align your client contracts and candidate terms

Privacy compliance is not only a website issue. It should also appear in the contracts that support your services.

Your client agreement may need to address:

  • how candidate information can be used
  • limits on copying or retaining candidate profiles
  • confidentiality obligations
  • who is responsible for background checks
  • what happens if a privacy complaint relates to a disclosure to the client

Your candidate terms or registration wording may need to address:

  • how you assess suitability for roles
  • when you may present a profile to a client
  • whether information is kept for future placements
  • how candidates can update their information
  • how to opt out of marketing or future role communications

This is where contracts and privacy overlap. If the legal documents in your business pull in different directions, operational problems follow.

Step 5: Review your data storage and retention settings

Many agencies keep information longer than necessary because storage is cheap and talent pools feel commercially valuable. That creates risk if records become outdated, irrelevant, or inaccurate.

Your business should decide how long different records are retained and why. Those periods may differ between unsuccessful applicants, placed candidates, contractors, employees, and client contacts.

You should also know:

  • where the data is stored
  • who can access it
  • how former staff access is removed
  • whether backups contain personal information
  • how records are deleted or anonymised when no longer needed

Step 6: Prepare for access and correction requests

People generally have rights to ask for access to their personal information and request corrections. Recruitment agencies should expect these requests, especially where a placement did not proceed or a candidate believes notes are unfair.

Before you sign clients or scale your candidate database, make sure someone in the business knows:

  • how requests are received
  • who verifies identity
  • how records are searched
  • what timeframes apply
  • when information may be withheld under the law
  • how a correction request is noted if the business does not agree to change the record

Common mistakes recruitment agencies make

The most common privacy mistakes are operational, not technical. They usually happen because growth is fast and legal wording gets treated as an afterthought.

  • Using a generic privacy policy that does not mention recruitment-specific data handling
  • Sending CVs or candidate summaries to clients without clear notice or authority
  • Collecting referee or background information too early
  • Keeping candidate files indefinitely without a retention plan
  • Ignoring offshore access through software vendors
  • Failing to train consultants on what the policy actually requires
  • Promising one thing in the privacy policy and doing another in practice
  • Forgetting that client contracts, website forms, and internal procedures need to be consistent

A useful test is this: if a candidate asked today exactly what information you hold, why you collected it, who you shared it with, and when it will be deleted, could your agency answer confidently and consistently? If not, your privacy framework needs work.

FAQs

Does every recruitment agency in New Zealand need a privacy policy?

Most do. If your agency collects personal information about candidates, clients, contractors, or website users, a privacy policy is usually the clearest way to meet transparency obligations and explain your data practices.

Is a website privacy policy enough on its own?

No, not usually. Recruitment agencies often also need collection notices or privacy wording in forms, onboarding documents, email templates, and contracts so people are told what happens to their information when it is collected.

Can a recruitment agency keep CVs for future roles?

Often yes, but only if that practice is properly disclosed and handled fairly. Your agency should tell candidates if their information will be retained for future opportunities and should not keep outdated or unnecessary information indefinitely.

What if our software stores candidate data outside New Zealand?

You should assess the cross-border privacy implications and make sure your privacy policy accurately describes offshore storage or access where relevant. The legal position depends on the arrangement and the safeguards in place.

The answer depends on how the information is collected and what the candidate has been told. In practice, agencies should use clear notices and processes so candidates understand when their profile or personal information may be disclosed to a potential employer.

Key Takeaways

  • Most recruitment agencies in New Zealand should have a privacy policy because personal information is central to how they operate.
  • Your policy should reflect real recruitment workflows, not generic website wording.
  • Collection notices at the point of capture are just as important as the policy itself.
  • Client contracts, candidate terms, database practices, and internal procedures should all line up with your privacy statements.
  • Key risk areas include over-collection, unclear disclosure to clients, indefinite retention, and offshore software access.
  • Before you launch online, sign clients, or scale your candidate database, it is worth checking that your privacy documents and systems are legally and operationally consistent.

If your business is dealing with privacy policy requirements for recruitment agency and wants help with privacy policies, candidate collection notices, client contracts, and data handling processes, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo
Alex SoloCo-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Get your customer-facing terms right

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Keep reading

Related Articles

Privacy Notices and Consent for Health Apps in New Zealand

Privacy Notices and Consent for Health Apps in New Zealand

Building a health app in New Zealand means more than adding a generic privacy policy. This guide explains how privacy notices and user consent work, when

11 Jul 2026
Read more
Privacy Notices and Consent Forms for Construction Companies in New Zealand

Privacy Notices and Consent Forms for Construction Companies in New Zealand

Construction companies often collect personal information through quote forms, site inductions, CCTV, subcontractor onboarding, and project software. This

10 Jul 2026
Read more
Group Company Definition: Meaning for Business Structure and Contracts in New Zealand

Group Company Definition: Meaning for Business Structure and Contracts in New Zealand

A group company definition can change who benefits from a contract, who handles data, and who may be liable. This guide explains what the term means for

10 Jul 2026
Read more
When Can NZ Businesses Share Personal Information Without Consent?

When Can NZ Businesses Share Personal Information Without Consent?

Note: This article is general information for New Zealand businesses and isn’t legal advice. The Privacy Act 2020 can apply differently depending on the facts, and you may need tailored advice for...

10 Jul 2026
Read more
Website Terms and Privacy for Brand Strategy Agencies in New Zealand

Website Terms and Privacy for Brand Strategy Agencies in New Zealand

Brand strategy agencies in New Zealand often need more than a generic footer policy. This guide explains how website terms and privacy documents should

9 Jul 2026
Read more
Website Terms and Privacy for Construction Project Management Businesses

Website Terms and Privacy for Construction Project Management Businesses

Construction project management websites can create legal risk long before a client signs. This guide explains how New Zealand businesses should approach

8 Jul 2026
Read more
Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.