GTP Workforce Privacy Policy
Status: v1.0
Tier: Tier 1 – Core Corporate & Platform Policy
Owner: Governance and Compliance Function
Approval Authority: Board of Directors
Effective Date: 5 January 2026
Next Review: 12 months from approval
1. Our commitment to privacy
Global Talent Pathway (GTP) collects and uses personal information to operate a workforce services platform, deliver candidate assessment and workforce assurance services, and support employer recruitment and workforce supply needs. We recognise that we handle high-value personal information and, in some cases, sensitive information. We aim to be transparent about what we collect, why we collect it, how we protect it, and how individuals can exercise their rights.
This policy applies to our websites, portals, applications, products, and services (together, the Platforms) and to our communications with you by phone, email, in person, or otherwise.
2. Who we are
GTP operates a workforce services and recruitment technology platform. Depending on the service, we may:
operate a candidate portal and employer portal,
provide assessment, verification, and workforce assurance services,
facilitate job advertising and applications, and
operate marketplace-style search and matching features.
3. Who is responsible for your personal information
3.1 GTP as principal organisation
In most cases, GTP is responsible for how personal information is handled within our Platforms and business operations.
3.2 Joint handling with employers or recruiters
Where a candidate applies to a job or role opportunity managed through our Platforms, GTP and the relevant employer/recruiter may both be responsible for different parts of the process. In those situations:
GTP is responsible for the operation of our Platforms and the processing we perform within them, and
the employer/recruiter is responsible for how they handle your information in their own systems once shared outside our Platforms.
Where required, we implement contractual controls with employers/recruiters relating to privacy, confidentiality, and lawful handling of applicant information.
3.3 Service providers
We use third-party service providers (for example, hosting, identity verification, analytics, communications, and security services) to support operations. They process personal information on our behalf under contractual and technical safeguards.
4. What personal information we collect
We collect personal information depending on how you engage with us.
4.1 Candidates and applicants
This may include:
identity information (name, date of birth, nationality, government-issued identifiers, and identity documents),
contact details,
employment history, skills, qualifications, licences and certifications,
right-to-work and eligibility information (where relevant),
assessment and verification outputs,
application materials (resume/CV, cover letters, responses to questions, interview or screening notes where used in the Platform),
references and referee contact details (where provided),
communications with GTP and/or employers through the Platform.
4.2 Employers, clients, and business contacts
This may include:
name, role/title, business contact details,
employer account information and authorised user details,
billing and transaction details (where applicable),
communications and service history.
4.3 Referees and related persons
Where you provide details of a referee or another related person, we may collect:
name, contact details, workplace details, and relationship to you.
You should ensure you have authority to provide another person’s details to us.
4.4 Usage, device, and online activity data
When you use our Platforms we may collect:
IP address, device identifiers, browser type, operating system,
log and event data (access times, pages viewed, actions taken),
cookies and similar identifiers,
approximate location derived from network data (and precise location only if you enable it in device permissions).
5. Sensitive information
We aim to minimise the collection of sensitive information. In some workforce contexts, sensitive information may be necessary or may be voluntarily provided.
We may collect and handle sensitive information where:
it is required for verification, eligibility, compliance, worker protection, or role-specific assessment,
you provide it as part of an application or profile and it is relevant to the role process, or
it is otherwise permitted under applicable privacy laws.
If sensitive information is not required, you should not provide it.
6. How we collect personal information
We collect personal information:
directly from you through registration, profiles, applications, forms, and communications,
from employers/recruiters when they interact with candidates through our Platforms,
from referees and authorised third parties where relevant,
from service providers (for example, identity verification providers) where you engage those services through our Platform,
from public sources or government/regulatory authorities where lawful and relevant, and
from your online activities and device usage through cookies, SDKs, and similar technologies (see section 12).
7. Why we collect and use personal information
We collect and use personal information for the following purposes.
7.1 Providing workforce platform services
To:
create and manage accounts,
enable candidate profiles, applications, and communications,
enable employers to advertise roles, receive applications, and manage recruitment workflows,
provide workforce matching and search features.
7.2 Candidate assessment, verification, and workforce assurance
To:
assess candidate suitability and alignment against role requirements,
verify identity, credentials, licences, and other role-relevant information,
detect and prevent misuse, fraud, or integrity risks.
Where we use automated tools (including AI/ML) to support platform features (such as parsing resumes, recommending questions, or generating matching signals), we implement controls to reduce unfairness and misuse and to protect confidentiality. Where profiling materially affects users, we aim to provide transparency and meaningful controls.
7.3 Security, integrity, and platform operations
To:
operate, maintain, troubleshoot, and improve our Platforms,
detect, prevent, and respond to security incidents and suspicious activity,
enforce platform terms and protect users and GTP.
7.4 Compliance and legal obligations
To:
meet regulatory obligations that apply to workforce services, privacy, security, and recordkeeping,
respond to lawful requests from government, law enforcement, or regulators,
manage disputes, complaints, and investigations.
7.5 Marketing, communications, and targeted advertising
To:
send product and service updates, platform notices, and service communications,
where permitted, send marketing communications about GTP products and services,
measure and improve marketing effectiveness,
deliver targeted advertising on our Platforms and on third-party sites/apps using cookies, SDKs, and device identifiers (see section 12).
You can control marketing preferences and certain advertising settings as described in section 15.
8. Our basis for handling personal information
GTP does not rely on consent alone as the primary basis for handling personal information in workforce and recruitment contexts.
We handle personal information where it is reasonably necessary to:
provide and administer our Platforms and services,
facilitate recruitment and workforce supply workflows requested by users,
undertake verification, integrity, security, and fraud prevention activities,
comply with legal and regulatory obligations, and
protect workers, employers, and platform integrity.
Where consent is required (for example, in some direct marketing contexts, certain sensitive information contexts, or where required by law in particular jurisdictions), we obtain it and provide withdrawal options.
9. What happens if we cannot collect personal information
If you do not provide required personal information, we may be unable to:
create or maintain an account,
process an application,
provide verification or assessment services, or
meet compliance obligations.
Where possible, we will identify which information is required and which is optional.
10. Who we share personal information with
We may share personal information with:
10.1 Employers and recruiters
If you apply for a role or choose to make your profile visible to employers/recruiters, we share relevant profile and application information with those parties.
Employers/recruiters may store your information in:
their own systems,
their recruitment software, or
other platforms they use.
Once shared outside GTP Platforms, the employer/recruiter’s handling is governed by their own policies and obligations. We take reasonable steps to contractually require lawful handling, but we do not control their internal security practices.
10.2 Service providers and partners
We share information with service providers who support:
hosting and infrastructure,
identity verification,
communications (email/SMS/telephony),
analytics and platform measurement,
security monitoring,
customer support tools.
They are required to protect information and use it only for authorised purposes.
10.3 Government and regulators
We may disclose personal information where required or authorised by law, including to regulators, law enforcement, or other competent authorities.
10.4 Corporate transactions
If there is a merger, acquisition, restructure, or sale of assets, information may be disclosed to advisers and counterparties, subject to confidentiality and lawful handling.
11. Cross-border disclosures
Personal information may be stored or processed outside Australia, including where service providers or platform infrastructure operate offshore and where employers/recruiters access candidate information from outside Australia.
Where cross-border disclosure occurs, GTP takes reasonable steps to ensure:
contractual safeguards apply (including confidentiality, restrictions on use, security measures, and breach notification obligations),
technical safeguards apply (including access controls and secure transfer),
disclosures are limited to what is necessary for the relevant purpose, and
accountability is maintained consistent with Australian Privacy Principle 8.
12. Cookies, SDKs, and targeted advertising
We use cookies and similar technologies on our websites and Platforms. Our mobile applications may also use third-party SDKs.
These technologies may collect usage and device data to:
keep users signed in where selected,
remember preferences and improve user experience,
measure and improve platform performance,
detect security issues and prevent fraud, and
support marketing measurement and targeted advertising.
Targeted advertising
We may work with advertising and measurement partners to show targeted advertisements on:
GTP Platforms,
related platforms we operate, and
third-party websites/apps.
Advertising partners may use cookies, pixels, SDKs, and device identifiers to infer interests and measure ad performance. You can control cookies through browser settings and, where available, through in-platform cookie controls. Mobile users can control advertising identifiers and tracking permissions in device settings.
If you block cookies or tracking, some platform functions may be limited.
13. How we keep information secure
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
Security measures may include:
access controls and role-based permissions,
audit logging and monitoring,
encryption in transit and, where appropriate, at rest,
secure hosting and controlled environments,
incident detection and response processes.
No internet transmission is guaranteed to be fully secure. Users also play a role by protecting passwords and account access.
14. Retention and destruction
We retain personal information only as long as necessary for the purposes described in this policy, including service delivery, dispute handling, integrity controls, and compliance obligations.
Retention varies by record type. As a general guide:
Candidate account/profile data is retained while the account remains active and for a period after inactivity to support audit and integrity controls.
Application and recruitment records may be retained for a defined period to support process integrity, complaints handling, and compliance.
Identity verification materials and sensitive records are retained only as long as necessary for verification, compliance, or dispute/investigation purposes, then securely destroyed or de-identified where appropriate.
Security and audit logs are retained for operational security and assurance purposes.
Financial and transactional records are retained as required to meet legal and accounting obligations.
Backups may retain information for a limited period as part of standard disaster recovery processes. Where information is deleted, some residual copies may remain temporarily in backups until overwritten.
15. Your choices, rights, and controls
15.1 Access and correction
You can request access to personal information we hold about you and request corrections. Candidates and employers may be able to access and update certain information through account settings.
15.2 Deletion and account closure
You can request deletion of personal information where applicable. Some information may need to be retained to meet legal obligations, resolve disputes, enforce platform terms, or manage integrity and fraud risks.
If you applied to a role and your information was provided to an employer/recruiter, you may need to contact that party to delete information from their systems.
15.3 Marketing preferences
You can opt out of marketing communications using unsubscribe links in emails, SMS stop mechanisms, or account preference settings where available. Service and security communications may still be sent where necessary.
15.4 Advertising and cookie controls
You can manage cookies via browser settings and, where available, in-platform cookie controls. You can manage mobile advertising identifiers and tracking permissions in device settings.
16. Complaints
If you have a privacy complaint, contact us using the details below. We will investigate and respond within a reasonable time. If you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your relevant regulator.
17. Notifiable Data Breaches
GTP maintains a data breach response process aligned with Australia’s Notifiable Data Breaches scheme.
Where a data breach is likely to result in serious harm, we will:
assess the incident promptly,
notify affected individuals and regulators as required, and
take corrective actions to reduce the risk of recurrence.
18. Updates to this policy
We may update this policy from time to time. Where changes are material, we will take reasonable steps to provide notice through our Platforms or other appropriate channels.
19. Contact us
For privacy enquiries, requests, or complaints:
Email: privacy@globaltalentpathway.org