Managing Concerns About Background Check Data Privacy

When employers plan background checks and compliance, they most often consider obligations created by the Fair Credit Reporting Act (FCRA). These include stipulations for gathering consent and disclosing applicant rights. However, what methods are commonly used to handle and store the reporting documents? What about all the personal information you collect during the vetting process? Employers must consider balancing the need for a background check with data privacy.

Identity theft is a real problem. So, too, is cybercrime. There are many potential ways for unscrupulous individuals to misuse personal information in background screening and job application forms. How should companies approach this challenge? Here, we’ll explore the ethical and legal duties employers have while examining best practices for safe data handling. This information provides a framework for understanding how to improve policies within your business.

The Ethical Importance of Proper Data Handling

As we’ll see, the legislative guidelines for storing and disposing of background check records are more vague than concrete. In the absence of strict compliance and monitoring guidelines, some employers may not place much importance on data security processes. However, it is worth examining this issue from the perspective of a company’s ethics. Every business should strive to uphold high standards.

When an individual submits a job application, they often provide a great deal of information. This includes everything from their address and date of birth to their Social Security number. Now consider all the background information in a resume, including references and contact details. Applicants submit this information knowing that the potential employer will only use it for the appropriate purpose. There is an unspoken trust between the applicant and employer that this information will not fall into the wrong hands.

Add the information in a background report, and you have a distinct responsibility to manage this data carefully. Identity theft is a serious problem that can have life-changing consequences. The misuse of malicious parties acquiring this data could adversely affect your applicants. To uphold high ethical standards in your business, you should have a plan for what to do with this data before and after you complete a pre-employment background check.

What Does the Law Say About Data Retention?

Safeguarding personal information during the background screening is vital, but it’s only one aspect. The real issue arises when you complete the hiring process, either by hiring the individual or declining their job application. How should you retain the records related to your employment decision? The law demands that your documents be maintained for specific periods.

According to the Equal Employment Opportunity Commission (EEOC), employers must maintain records related to their employment decisions. You must keep these records for at least one year following the decision. The purpose of this retention period is to allow for disputes to occur while evidence remains available. If an individual alleges that an employer discriminated against them during hiring, the EEOC may request these records, which could include an employment background check.

The FCRA also impacts record retention practices, requiring a five-year window within which individuals may claim unfair or improper practices. Therefore, many companies may retain all employment decision-related records for five years. In the event of a complaint, the appropriate records could demonstrate good faith due diligence rather than wrongdoing.

You must protect this information during the retention period. There is no privacy vs. security debate here—they go hand in hand at this stage. An employee’s background check and hiring information may be best kept in a separate secure file accessible only to authorized HR team members. Keeping the information in the employee’s regular personnel file presents a security risk. Always use secure digital storage systems that include access controls and strong passwords. Never transmit applicant information via unsecured connections.

Guidelines on the Disposal of Personal Data in Records

Once you reach the end of the retention period for a given applicant or employee's records, what should you do with them? The law prescribes your duty to “properly dispose” of that information. This stipulation arises from the 2003 Fair and Accurate Credit Transactions Act (FACTA). To help reduce the risk of identity theft, the law codified a requirement for employers to destroy consumer information at the appropriate time.

The law does not set specific time limits; instead, it requires employers to follow the periods set by other laws. What does it mean to “properly” dispose of information? Ultimately, the data must not be recoverable or readable in any way. Digital files should undergo secure and permanent deletion. You may burn, shred, or otherwise destroy the documents for paper records as long as they are unusable.

Formulating a Compliant Strategy Aligned With Your Needs

Implementing an effective policy for discarding unnecessary background information begins with knowing your retention periods. For ease of planning, consider calculating the earliest end date for each record using the date of its creation as your starting point. Since the FCRA allows disputes for up to five years, keeping them for that time instead of the one-year EEOC requirement is sensible.

By associating a disposal date with each record, the HR team can periodically audit records to identify those scheduled for deletion or destruction. There should be procedures for the secure removal of records at the appropriate time.

Review Your Data Handling Rules

It is essential to consider privacy when designing and executing pre-employment screening processes. Doing so protects your applicants and employees and safeguards your business from the potential consequences of mishandling. Making a good-faith effort to handle background check information is essential.

What are your internal rules for storing and disposing of background checks and their associated personal information? Before your next background check, make data privacy a priority. Now is the time to re-evaluate your approach to ensure you follow current best practices. Visit our Resource Center for more information on the law, compliance, and more