LiveHire is a cloud-based human resources Platform for sourcing, recruitment, productivity and mobility. The LiveHire Group (LiveHire) is based in Australia, with subsidiaries or operations, partners, Clients and Members located across Australia, New Zealand, the United States and Canada.
LiveHire will continue its global expansion into the United Kingdom and Europe; and will become subject to the operation of the General Data Protection Regulation (the GDPR), as implemented in the United Kingdom by the Data Protection Act 2018 (the UK GDPR); and in each member state of the European Union (EU) and the European Economic Area (EEA) excluding Switzerland (the EU GDPR).
LiveHire respects and complies with all laws that apply to our business in each jurisdiction. This statement describes our approach generally to complying with complex global privacy laws; and provides important information about how we have prepared to meet the challenges of GDPR.
Global Privacy Laws
It’s important to keep ahead of privacy law reforms. As an Australian headquartered business, publicly listed on the Australian Stock Exchange, LiveHire is subject to the stringent requirements of Australia’s Privacy Act. Our data processing practices and policies are also aligned to key principles of other global privacy laws, including the UK GDPR and EU GDPR, New Zealand’s Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act and the California Consumer Privacy Act.
On 22 October 2020, the Australian Government announced a series of proposed amendments to the Privacy Act, including a ‘data erasure right’, intended to lead to greater alignment with the GDPR. These reforms may assist Australia in achieving ‘EU adequacy’ status, meaning that LiveHire in Australia will likely be subject to some of the most stringent privacy laws in the world.
We adopt a strategic compliance approach to meeting our obligations. This means we are committed to continual improvement and aim to ensure our Platform, the Solution and our Services adhere to the highest international standards – while also allowing our Clients to manage their own jurisdiction-specific obligations. We ensure that Members and other individuals can exercise any of their rights under any applicable privacy law.
What is the GDPR?
The GDPR is the UK and Europe’s framework for data protection laws. It’s considered the ‘benchmark’ for global privacy laws and places stringent requirements on organisations to ensure that the processing of Personal Data of UK and EU individuals (or Data Subjects) is consistent with protecting the Data Subject’s rights and freedoms.
The GDPR requires data controllers, who typically collect Personal Data from Data Subjects for a business purpose (e.g. recruiters); and/or their data processors, who typically process Personal Data on the controller’s instructions (e.g. software, SaaS and IT service providers) to:
- obtain informed consent from Data Subjects;
- identify a lawful basis for processing;
- restrict and minimise the collection of Personal Data, in particular, Sensitive Personal Data and the Personal Data of children;
- only transfer Personal Data internationally if appropriate safeguards are established;
- implement measures to keep Personal Data secure from accidental destruction, loss, alteration or unauthorised access and disclosure;
- notify controllers, regulators and Data Subjects if a data breach is likely to result in a high risk for the rights and freedoms of individuals;
- only retain Personal Data for so long as reasonably necessary for the purpose it was collected, unless an exemption applies; and/or
- maintain records of data processing.
It also seeks to establish and embed in organisations a ‘privacy by design’ culture built around principles of transparency and accountability.
Data Subject Rights
The GDPR also provides Data Subjects with certain rights, including:
- the right to access and rectify their Personal Data;
- the right to erase their Personal Data (or the ‘right to be forgotten’);
- the right to restrict processing;
- the right to data portability; and
- the right to object to automated decision-making including profiling (the Data Subject Rights).
How Will LiveHire Comply with GDPR?
Some aspects of the GDPR will apply to LiveHire directly, and other aspects of the GDPR will apply to, or be the responsibility of, our Clients.
Who are LiveHire’s Clients?
LiveHire’s Clients are organisations such as private-sector businesses, universities, schools and government departments, who use our cloud-based human resources Platform for sourcing, recruitment, productivity and internal mobility. Our Clients use our Platform to track candidates through the recruitment process and to build Talent Communities.
Who are LiveHire’s Members?
LiveHire’s Members are candidates who use our Platform and the Services primarily to apply for employment or work opportunities, and to connect with our Clients through their Talent Communities.
How will LiveHire help our Clients comply with GDPR?
LiveHire is implementing a range of configurations to assist our Clients to more easily manage their own jurisdiction-specific requirements. For example, we will allow Clients with operations in the UK and Europe to define their own data retention periods and provide automated methods to remove expired data; provide additional methods to capture candidate consent and distribute privacy notices; and provide additional self-serve data deletion facilities for Clients and Members.
LiveHire is implementing the tools necessary to assist our Clients to more easily comply with their obligations under the GDPR and complex global privacy laws.
How will LiveHire comply with its obligations to Members?
In addition to developing a range of additional self-serve data deletion facilities for Members, LiveHire already has a number of processes and policies in place to ensure Data Subjects can exercise their Data Subject Rights under the GDPR. We describe some of these measures in more detail below.
What else has LiveHire done to prepare for GDPR?
In preparation for our expansion into the United Kingdom and Europe, LiveHire has:
- updated our internal processes to respond to Data Subject Requests and to assist our Clients to manage their own obligations to Data Subjects;
- entered into Data Processing Agreements containing the required EU model clauses with our data storage provider and other key vendors;
- provided in-built and clear mechanisms for opting-out of electronic communications and direct marketing;
- implemented a ‘privacy by design’ culture through our internal policies, including by requiring Privacy Impact Assessments for new data processing activities;
- aligned our data breach response planning and preparedness to comply with GDPR requirements;
- appointed an EU Representative to liaise with Data Subjects and supervisory authorities as required; and
- aligned our data security measures with GDPR requirements, as outlined in our Security Statement.
International Data Transfers
LiveHire takes steps to ensure that transfers of Personal Data are conducted in accordance with the GDPR and all applicable laws. To protect the privacy rights and interests of Data Subjects, data transfers are limited to jurisdictions with an ‘EU adequacy’ decision, unless alternative arrangements are in place.
Data Processing Agreements
We have entered into Data Processing Agreements containing the EU model clauses prescribed by the GDPR, for data transfers from the UK, EU and EEA, with our data hosting service provider and other key vendors to process Personal Data of UK and EU individuals.
EU-US Privacy Shield
Other LiveHire vendors have traditionally been certified by the EU-US Privacy Shield, which secured unrestricted EU-US data flows.
However, on 16 July 2020, the European Court of Justice struck down and invalidated the EU-US Privacy Shield, in the case known as Schrems II (C-3111/18). While the US Department of Commerce continues to administer the scheme, LiveHire will no longer rely on EU-US Privacy Shield certifications for new vendors and will require all vendors located in jurisdictions without an ‘EU adequacy’ ruling to enter into a Data Processing Agreement containing the EU model clauses.
LiveHire will continue to monitor the response to Schrems II, including the ongoing negotiations between the US Department of Commerce and the European Commission; and we will make changes to our policies and contractual agreements, and publish updates online, as necessary.
The transition period governing the UK’s withdrawal from the EU, or ‘Brexit’, ended on 31 December 2020. From 1 January 2021, a six-month transitional regime will apply between the UK and EU, during which the UK will not be considered a third country for the purpose of complying with the GDPR.
LiveHire has appointed an EU Representative to liaise as necessary with Data Subjects and supervisory authorities in relation to complaints or enquiries. The contact details for our EU Representative are available in our EU Data Protection Notice published on our Privacy Page.
Until the end of the current six-month transitional regime, our EU Representative will remain the point of contact for complaints and enquiries lodged with the UK’s Information Commissioner, Ireland’s Office of the Information Commissioner, or any supervisory authority, in relation to both UK and EU individuals.
If you have any questions about our General Data Protection Regulation Statement you can direct your enquiry to our privacy team at firstname.lastname@example.org
Latest update: 9 February 2021