Skip to content

Custom LLM for Recruitment Agencies That Keeps Candidate Data Onshore

Recruitment runs on personal information: resumes, visa and work-rights evidence, police checks, salary history, off-the-record reference notes. Every one of those is protected under the Privacy Act 1988, and pasting them into a public chatbot is a disclosure most agencies cannot justify if asked. A private LLM gives your consultants the same screening, matching and summarisation speed, running on infrastructure you control in an Australian region or your own server room, where candidate PII never leaves your jurisdiction and is never used to train someone else's model.

100%
candidate PII stays on Australian sovereign infrastructure
0
candidate records sent to public AI providers or used to train third-party models
13
Australian Privacy Principles a recruitment AI deployment has to satisfy
30 days
to assess a suspected eligible data breach under the OAIC notification scheme

Why Recruiters Cannot Paste Candidate Data Into Public AI Tools

Most agency directors already sense that dropping a candidate's resume into a consumer chatbot is a bad idea, but the reason matters, because it determines what a compliant alternative has to look like. The specific problem for recruitment is that three separate exemptions other industries lean on do not apply to you.

The Employee Records Exemption Does Not Cover Candidates

The Privacy Act's employee records exemption applies to records about your own current and former employees. A job applicant is neither. Every resume, cover letter, reference note and interview transcript your agency holds about a candidate is personal information carrying the full weight of the Australian Privacy Principles. The small business exemption is unreliable here too: an organisation that discloses personal information about individuals to others for a benefit or service generally sits outside it, and that describes the core business model of almost every recruitment agency in the country, regardless of turnover.

Public Chatbots Are a Cross-Border Disclosure

Under APP 8, when you send personal information to an overseas recipient you remain accountable for how that recipient handles it, and you must first take reasonable steps to ensure they comply with the APPs. Pasting a candidate's file into an offshore consumer AI tool is a disclosure, not a private note to yourself. APP 1 compounds the problem: your privacy policy must state that you disclose information overseas and name the likely countries. Most agency privacy policies say nothing of the kind, which quietly turns a productivity shortcut into a documented gap.

Sensitive Information Raises the Bar Again

Recruitment files routinely contain what the Privacy Act defines as sensitive information: criminal history from an ACIC nationally coordinated check, health information from a pre-employment medical, and sometimes race, religion or political opinion inferred from visa status or reference material. Sensitive information generally cannot be collected without consent, and its use is far more tightly constrained than ordinary personal information. Feeding a file containing a candidate's criminal history into a public model is a materially different act from asking it to tidy up a job ad, and it is exactly the distinction a regulator notices after the fact.

What a Private LLM Actually Does Inside a Recruitment Agency

The value is not a novelty chatbot in the corner. It is the four or five tasks consultants repeat dozens of times a day, done in seconds, over your own candidate database, without any of that data leaving your control.

Resume Screening and Shortlisting

The model reads the full resume against the actual role brief rather than keyword-matching, explains why each candidate was ranked where they were, and surfaces the gaps a consultant should probe in a screening call.

  • Structured extraction from PDF, DOCX and scanned resumes including tables
  • Ranking against the brief with a written rationale for every placement
  • Explicit flagging of gaps, tenure patterns and unexplained employment breaks
  • Configurable exclusion of protected attributes and their common proxies

Candidate Matching Across Your Existing Database

Most agencies are sitting on a decade of candidate records they cannot search properly. Semantic retrieval over your own database finds the people you already know, before you pay Seek or LinkedIn to find them again.

  • Natural-language search across historical resumes, notes and placements
  • Re-engagement lists built from prior candidates matching a new brief
  • Skills-adjacent matching that surfaces transferable rather than literal experience
  • Availability, location and work-rights filters applied at retrieval time

Job Ad and Client Brief Drafting

Drafting in your agency's voice from the intake call, with language screened for the discrimination risk that sits in seemingly harmless phrasing like "young and energetic" or "recent graduate".

  • Ad drafts generated from intake notes in your house tone and format
  • Inclusive-language checks against age, sex, disability and race discrimination risk
  • Role-brief summaries written back to the client for confirmation
  • Consistent formatting across Seek, LinkedIn and your own careers site

Interview and Reference Summarisation

Screening call and reference-check notes turned into structured, comparable summaries, so the consultant is listening to the candidate instead of typing, and the client submission writes itself.

  • Structured summaries mapped to the specific criteria in the brief
  • Client-ready submission drafts assembled from interview and reference notes
  • Consistent candidate comparison tables across a shortlist
  • Reference-check notes kept in your system, never in a public tool's history

ATS and CRM Integration

The model works where your consultants already work. We integrate with the recruitment platforms used across the Australian market rather than asking your team to adopt yet another screen.

  • Agency ATS and CRM integration: JobAdder, Bullhorn, Vincere, Recruit Wizard
  • In-house talent platforms: PageUp, LiveHire, Workday, SuccessFactors
  • Read and write via documented APIs, respecting existing user permissions
  • Back-office and payroll handoff to systems such as FastTrack360 or Astute Payroll

Compliance Guardrails and Audit Trail

Because the deployment is yours, you can prove what the system did. That evidence is what turns an AI screening process from a liability into a defensible one under both privacy and anti-discrimination law.

  • Full query and retrieval logging for every candidate assessment
  • Role-based access control mirroring your ATS permissions
  • Deletion and correction workflows that reach the vector index, not just the ATS
  • Retention rules applied per record so candidate data expires when it should

How We Deploy a Private LLM for a Recruitment Agency

A recruitment deployment starts with your candidate database and your compliance obligations, not with a model. The sequence below is the engagement, typically running eight to fourteen weeks end to end.

1

Data and Obligation Mapping

We inventory where candidate data actually lives, classify what is sensitive information, review your existing privacy collection notice and policy, and identify which APPs bite hardest for your specific agency model.

2

Architecture and Sovereignty Decision

Based on your data classification, client contracts and volumes, we select Australian-region cloud or on-premises, choose the model and embedding stack, and design retrieval over your ATS so answers cite the underlying record.

3

Build, Integrate and Evaluate

We index your candidate corpus, wire the ATS integration, and benchmark screening output against a test set of roles your consultants have already filled, so you can see accuracy on your own placements before go-live.

4

Rollout, Audit and Review

The system goes live with logging, access controls and a human-in-the-loop requirement for adverse decisions. We review outcomes for drift and disparate impact, and update your privacy documentation to match what the system actually does.

Sovereignty Choices, and When Private Deployment Is the Wrong Call

Two decisions determine whether this works for your agency: where the model runs, and whether the numbers justify building anything at all. We would rather tell you no than sell you a deployment you will regret.

Australian-Region Cloud vs On-Premises

Both keep candidate data in Australia. The difference is who holds the keys, what you can prove contractually, and how the cost curve behaves as volume grows.

  • Australian-region cloud (AWS Sydney or Melbourne, Azure Australia East, Google australia-southeast1) suits most agencies and needs no capital outlay
  • On-premises suits agencies handling government, defence or cleared candidates where contracts mandate physical control
  • Cloud gives faster deployment and elastic capacity; on-premises removes the residual third-party processor from the disclosure chain entirely
  • Hybrid is common: on-premises inference for sensitive files, Australian-region cloud for job ads and public-facing content
  • Whichever you choose, the model weights are yours and no candidate record is used to train an external provider's model

When a Private LLM Is Not the Right Fit

Private deployment is a real investment. For some agencies, the honest answer is a managed enterprise subscription with a proper data processing agreement, or nothing at all yet.

  • A boutique agency of three to five consultants rarely generates the volume to justify the build
  • If your candidate data is scattered across inboxes and spreadsheets, fix the data foundation before adding AI on top
  • If your ATS has no usable API, integration cost can exceed the value of the model itself
  • If nobody in the business will own the human review of adverse screening decisions, do not automate screening
  • If your genuine bottleneck is client development rather than candidate throughput, AI screening solves the wrong problem

Related Private AI Resources

LLM Security and Data Privacy

The security architecture underneath a sovereign deployment: encryption, access control, audit logging and the controls that make candidate PII defensible.

Review the security model

On-Premises LLM Deployment

Hardware, sizing and operational detail for agencies whose client contracts require the model to run inside their own network.

Explore on-premises deployment

Private LLM Cost Australia

The full cost structure: implementation, infrastructure and ongoing operation, with the break-even analysis against public API spend.

See the cost breakdown

Custom LLM for Professional Services

The adjacent build for consultancies and advisory firms, where the confidential data is client engagement material rather than candidate files.

Compare the professional services build

How to Choose an LLM Provider in Australia

The evaluation framework for comparing providers on data residency, training rights, contractual terms and exit risk before you commit.

Read the evaluation framework

Open Source LLM for Business

Why open-weight models are the foundation of a genuinely private deployment, and how they compare with proprietary alternatives on quality.

Understand open-source options

Frequently Asked Questions

Give Your Consultants AI Speed Without Handing Over Your Candidate Database

Talk to us about a scoping engagement for your agency: we map where your candidate data lives, size the deployment against your consultant headcount and volumes, and give you an honest answer on whether a private LLM is worth building for you. Call +61 3 9999 7398 or send us the brief.