11 April 2026 · HiveRef
Reference checks and Australian privacy: practical basics for SMBs
A plain-language overview of why consent, minimisation, and secure handling matter when you collect referee responses about candidates in Australia.
This article is general information, not legal advice. If you are unsure about your duties, speak to a qualified lawyer or privacy adviser.
When you run employment reference checks, you are usually handling personal information about candidates, and often sensitive information if referees mention health, union membership, or other protected attributes. Australian privacy law (including the Privacy Act 1988 and the Australian Privacy Principles) expects you to handle that material with care.
Start with purpose and consent
Before you contact referees, spell out:
- Why you collect information (to judge fit for a specific role).
- What you collect (performance and conduct questions tied to the role, not fishing expeditions).
- Who sees the answers (hiring manager, HR, and so on).
Candidates need to understand the steps and to have a practical way to take part or step back where that fits your process. Consent should reflect what you actually do, not a generic tick-box.
Minimise what you collect
The Australian Privacy Principles (APPs) cover collection minimisation and use limitation. On the ground:
- Ask referees questions that line up with job needs, not every curiosity you can think of.
- Skip “nice to know” prompts that push people toward special category-style detail you do not need.
- If sensitive detail still appears, plan for segregation, tight access, and retention, not “leave it in an inbox forever.”
Security and access still matter at SMB scale
You do not need enterprise procurement to cover the basics:
- Use role-based access so only people on the hire can read referee material.
- Prefer systems with audit trails over long email forwards.
- Set retention: how long you keep reference material, and when you delete or archive it.
Where HiveRef sits
HiveRef is built for structured, documented reference checks: flows for candidates and referees, compliance checks on question wording, and reporting that is simpler to review than loose notes.
For more GDPR-style detail that still maps to sensible practice in Australia, read our Data Protection Guide.
Takeaway
Treat reference checks as regulated data handling, not casual gossip collection. Tighter questions, clearer consent, and firmer storage rules cut risk; they also tend to speed decisions because the signal is cleaner.