Background Checks for Employers

How to Balance Background Checks With Data Privacy

Written by Michael Klazema | Jul 16, 2024 8:40:00 AM

Data is a valuable commodity. That value makes it a substantial target for bad actors—and tales of massive data breaches arrive in the headlines with startling regularity. For businesses, protecting data is a significant concern during background screening. However, employers focus primarily on controlling and protecting internal business data—what about the information you have on file about job applicants or active candidates? When it comes to a background check, data privacy also matters.

Most of the rules in this space originate with the federal government. However, there are some basic best practices businesses can use to protect applicants' personal data. Collecting and processing data is necessary to comply with the law and safeguard all your data. To begin, let’s review some of the legal requirements facing employers and their hiring decisions.

Understand the Laws That Apply to Your Business

Many employers have questions about the primary General Data Protection Regulation (GDPR) privacy law, which went into effect across the European Union in 2018. This law stipulates a range of requirements for how businesses should handle personal data. Many companies that operate internationally have discovered a need to adopt new compliance policies. Does the GDPR affect employee background check services?

In most cases, the answer is no. Unless you plan to hire a European individual, you do not need to apply GDPR to your pre-employment background check process. Only US law is relevant when hiring American citizens and others authorized to work in the USA. However, if you have an international branch, you should consult an employment lawyer to better understand potential GDPR impacts on your hiring process.

What About the Fair Credit Reporting Act (FCRA)?

The FCRA is strict about how businesses handle consumer reports like employment background checks, including provisions related to privacy and protecting an individual’s rights. For example, inform the job candidate of your intent to use these reports and always obtain their consent to review their background or to order their credit report. You cannot skip this requirement.

The Equal Employment Opportunity Commission (EEOC) has also created critical guidelines about privacy that employers should know. Remember, background check reports can contain substantial sensitive and personal information. This data includes evidence of criminal records and information that culprits might use to steal identities. Names, birthdays, addresses and Social Security numbers all play a role in some screenings. You must handle this information with care.

You must also store it for some time. The EEOC requires the retention of all records produced in this process for one year from the date of origin or one year from the employment date. Retention requirements exist even for a potential employee.

That means your business must keep documents with sensitive data. How do you address data privacy concerns and satisfy credit and background check retention requirements? There are a few things to do.

Ensure Secure Storage of Information During Hiring

Don’t use insecure computer systems or communications methods when conducting background checks or reviewing credit reports. Always ensure that you use encryption, especially on the web. You should only keep records in a secure and access-controlled computer system. If you maintain paper records, a locked filing cabinet that you control access to is advisable.

If hackers breach your systems, you want to ensure they can’t break down the digital door that keeps employee and other information safe. Follow other standard best practices, such as using a strong password and changing it regularly. Failing to take these steps could be evidence of negligence in the future. Although not strictly required by the FCRA, preventing intrusions and data theft is vital.

Know When to Dispose of Background Check Data

Remember that the EEOC expects you to retain background check- and other employment-related information for one year. This year begins when the credit report or background check is created. The other possible starting point is when you make an employment decision, whether to hire the applicant or to take adverse action based on a background check.

The retention requirement has a "whichever is later" stipulation. During this period, you must carefully safeguard this information. At the end of the period, discard the information.

Use a Proper Disposal Method

The federal government demands that you thoroughly and securely dispose of background check reports or credit report information. You cannot simply throw reports into the garbage. They must undergo physical or digital destruction. Options include burning or shredding paperwork until it is unrecognizable. Likewise, for digital records, you must use methods that delete data permanently.

If you store employee background check data electronically, remember your backups. When the retention requirement expires, remove this information from all possible storage locations.

Periodically Audit Your Procedures and Policies

Lawmakers consistently create new laws. For example, a California privacy law prohibits using dates of birth to identify and search for criminal records. This rule has created many headaches and problems for employers and background check companies. However, unlike the European GDPR, the FCRA doesn’t relate strictly to employee privacy.

That doesn’t mean there won’t be new regulations about background check privacy in the future. As a result, you should prepare to audit your business occasionally. Determine whether new legislation exists and if it applies to your procedures with prospective employees. Evaluate how well you store, retain, and destroy sensitive documents as required. If you aren’t meeting standards, make a change. Re-train the relevant staff to understand these restrictions better.

Make Applicant Background Check Data Privacy a Priority

Protecting the privacy of job applicants is imperative—even if it’s not always at the top of your to-do list. With precise requirements from the FCRA regarding retention and disposal of background reports, your business should already have a clear policy. If not, now is the time to conduct an internal audit to begin formalizing your processes.

Safeguarding applicant data makes a difference, from recognizing security concerns to establishing best practices. Support from the right partner can help, too. At backgroundchecks.com, we assist our customers with compliance information and services that help you remain within the law. Our help makes running a private background check secure and saving sensitive data easy and accessible. Find out more and perform background checks confidently.