As a provider of third-party background screening services, we receive, store and interpret vast amounts of data belonging to individuals across the globe.
Because of this, privacy is the cornerstone of what we do at CVCheck. Ensuring the protection of our customers’ data is at the heart of our business, and we treat all data with confidentiality in accordance with Australian, New Zealand and international privacy laws.
But what does that actually mean for our customers? When we say we protect your data, how do we do it? How is your data managed and what processes do we have in place to guarantee privacy?
CVCheck’s Chief Strategy Officer, Colin Boyan, explains.
Why does CVCheck take data security so seriously?
“When the company was founded, we were adamant the individual and their ownership of their data must be at the centre of all our processes,” Boyan begins.
“Deeming the user the owner of their data was held to be a core requirement of the system from the outset. I’m thankful for this, because since those early days, user privacy and data security have emerged as massive areas of concern around the world.”
Recent statistics reveal malware attacks jumped by 358% in 2020, with the average cost of a data breach hitting US$3.8 million last year (approx AU$5 million). By 2025, cybercrime is predicted to cost the world US$10.5 trillion (AU$13.8 trillion) annually.
Given the current climate, CVCheck goes above and beyond its regulatory obligations and also complies with international laws and standards. With trust and privacy as its core company values, we are committed to the highest standard of data protection possible.
What external legislation regulates CVCheck’s handling of data?
CVCheck complies with three sets of privacy legislation and one international standard. These are:
- The Australian Privacy Act 1988
- The New Zealand Privacy Act 2020
- The EU’s General Data Protection Regulation (GDPR)
- ISO 27001 – a non-mandatory international standard for information security management
“Both Australian and New Zealand data privacy laws mandate that an individuals’ data should be protected in two ways,” explains Boyan.
“Privacy by default is the first, and means an individual should not have to do anything special to protect their privacy when dealing with an organisation.
“Privacy by design is the second and involves the deliberate design of systems and processes to protect, maintain and preserve the privacy of an individual’s data,” Boyan finishes.
How does CVCheck manage customer data?
“Security is all about layers,” explains Boyan.
“For us, this means looking at where we store, how we protect and when we share user data.”
The layers of customer data security at CVCheck include:
Secure storage
Security starts at the Cloud provider level where the database environment is fully encrypted.
Even if someone were able to walk into the data centre and steal the rack containing CVCheck’s data, they wouldn’t be able to read it. Importantly too, all data is stored on-shore in Australia.
Encrypted data flow
All data held by CVCheck is encrypted from the moment it is collected and throughout its journey to the server, to prevent people from intercepting or impersonating a user on CVCheck’s secure system.
The human element
The most vulnerable part of any organisation’s cybersecurity strategy is its people. CVCheck provides its staff with ongoing targeted training, and has implemented security protocols that establish the identity of a caller by asking them for specific information relating to their data.
Where is customer data stored and for how long?
“We create a secure account for every person who is screened through our system,” says Boyan.
“Importantly, they own and control their own data, and can request for it to be removed at any time. However, most users choose to retain their secure account with CVCheck to use again for future job applications.”
The law mandates that CVCheck must remove data pertaining to Australian National Police Checks (known as Criminal Record History & Traffic Checks in New Zealand) after 12 months. This includes the removal of any identification documents that were collected in association with the check.
“Identification documents are especially valuable to criminals who intend to carry out identity fraud, which is why we treat all personal ID as extremely sensitive,” says Boyan.
“When the need for that information expires, we always remove it.”
How does CVCheck use customer data?
Operating on the principle of data minimisation, CVCheck only collects the data required to conduct screening and verification. Nothing more.
Colin explains that this depends on what is being verified: “If we’re verifying employment history for example, we need to know where you worked, who you reported to, and so on. If it’s a police check, we’ll need five years of address history.”
It’s important to note, CVCheck doesn’t own any of the databases against which the information is checked.
“Typically, we will need to go somewhere else to compare the information and verify it, such as the passports office, a university, a previous employer, or the national police database,” says Boyan.
“But no matter who we’re dealing with, we only share the bare minimum required to verify the information, and always do so with written consent from the data owner.”
What is CVCheck’s customer data deletion policy?
Colin says that CVCheck is completely transparent about the data it holds. “People can see for themselves what data we’re holding on them, and the data is fully under their ownership.”
CVCheck admins will delete customer data upon request.
How GDPR applies to CVCheck
The General Data Protection Regulation (GDPR) is Europe’s core digital privacy legislation and lays out a set of rules designed to give EU citizens more control over their personal data. Those who violate its privacy and security standards can face harsh fines reaching into the tens of millions of Euros.
Why does this matter to CVCheck? Although passed by the European Union (EU), GDPR’s obligations extend to organisations anywhere in the world – including Australian and New-Zealand owned and operated business.
“Even if you’re an Australian company, GDPR applies when you’re dealing with a citizen of the EU,” explains Boyan.
“For example, we may verify the data of an EU citizen who currently resides in Australia. GDPR rules apply based on citizenship.”
What is ISO 27001 and what does being accredited say about CVCheck?
In 2019, CVCheck made the formal decision to pursue and achieve ISO27001 accreditation.
This global information security and privacy standard is a non-mandatory mechanism for managing information. To achieve accreditation, CVCheck had to demonstrate it had policies, processes, and systems to protect data across approximately 144 different controls in an exhaustive process.
The beauty of ISO 27001 is that no matter how good your security is when you start, your systems will inevitably improve throughout the certification process.
“CVCheck’s ISO27001 accreditation provides assurance that our information management is externally audited by a globally recognised standards organisation. From a customer perspective, this provides ultimate confidence.”
