US Businesses Risk Flouting Data Protection Laws Amidst Treacherous Background Screening Terrain

In the past decade, class-action lawsuits alleging violations of the Fair Credit Reporting Act (FCRA) have cost American employers about US$200 million.

The cost to employers is set to keep rising as more privacy laws come into force to protect job candidates and employees during background screening in recruitment.

The Fair Credit Reporting Act (FCRA) applies to individuals in the US. Similar laws for British nationals come under the Data Protection Act.

The laws regulate the way organisations, businesses or the government collect and share private information with the aim of preventing discrimination.

Privacy laws are being continually updated and enforced. As time goes by, individual claims and court cases are setting new precedents on what personal data is collected and how it is used in background screening and criminal background checks.

These privacy laws give individuals rights when an organisation uses personal data for automated decision-making processes, including behavioral and social profiling to predict job suitability.

When businesses and organizations do background screening checks or collect personal data they must make sure the information is:

  • Used fairly, lawfully and transparently
  • Used for specified and explicit purposes
  • Used in a way that is limited to only what’s necessary and kept up to date
  • Kept for no longer than is necessary
  • Handled in a secure way which prevents unlawful or unauthorized processing, access, loss, destruction or damage.
In recent years these anti-discrimination laws have been extended to bolster legal protection for individuals over more sensitive information, including: race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics, health, sex life or orientation.

    As an individual, you also have the right to find out what information the government and other organisations store about you. These include the right to:

  • Be informed about how your data is being used
  • Access your personal data
  • Have incorrect data about you updated
  • Have data about you erased
  • Stop or restrict the processing of your personal data
  • Object to how your personal data is processed in certain circumstances
    Background Screening Controls

    With increasingly tighter controls over how organizations handle personal information, background screening checks have become a minefield of potential problems.

    If you’re recruiting, here are some rules of thumb to avoid unintentional legal entanglements:

    1. Get written consent from each applicant before doing a background screening check.

    2. Inform applicants that you are going to do a background check in a separate letter or email.

    3. Allow enough time for an applicant to respond to your advice that you plan to do a background check.

    4. Ensure you get permission from applicants before you begin your background screening checks.

    5. Tailor your background screening and application process according to relevant local or state laws.

    Stay Ahead of Background Screening Regulation Trends

    The regulations governing background screening checks are changing all the time. It’s vital for employers to stay up to date with these changes to mitigate the risk of lawsuits and class-action claims for “misusing” private data on individuals.

    The digitisation of background screening has made it easier for employers to gather personal data en masse but at the same time, it’s easier for a candidate or employee to make a claim against an employer on the grounds of discrimination – if a candidate doesn’t get hired or if an employee is relieved of their duties.

    Data protection lawsuits are not exclusive to the US and the UK. Organizations all over the world – across a wide spectrum of industries – spend a lot of money either defending data protection claims or making payouts to claimants. Here are some recent examples in Europe:

    Sweden

    Sweden’s Data Protection Authority (DPA) handed Google a 75-million kronor ($8 million) fine for “failure to comply” with Europe’s General Data Protection Regulation (GDPR) after Google allegedly failed to completely remove search result links under right-to-be-forgotten requests.

    Netherlands

    The Dutch Tennis Association was fined 525,000 euro for selling data to sponsors without consent of data subjects.

    Germany

    The Federal Commissioner for Data Protection in Germany imposed a 10,000 euro fine on Rapidata GmbH because the company had not appointed a data protection officer.

    Norway

    A public school student reported a breach in personal data security by the local government after discovering login credentials for 35,000 students and employees in a public storage area.

    As you can see from this handful of reports, any company or organization, no matter how large or small, can face hugely expensive litigation if it doesn’t keep up with legal requirements surrounding data collection.

    A unique challenge for employers and organizations in the US especially is the often conflicting and confusing data protection regulations which apply to different states.

    Thirty-five US states and more than 150 cities and counties have passed laws which prohibit employers from asking questions about an applicant’s criminal history on job applications.

    Employers have to first make a conditional job offer before they can ask permission to do a criminal background check. The same goes for asking about salary history, which is banned in about 20 states.

    The introduction of various marijuana laws across the United States also puts employers at risk of being hit with lawsuits for discriminating against applicants on the grounds that they may have previously tested positive in drug screening for marijuana use.

    While such laws are made with good intention to protect individual privacy, employers have to be constantly vigilant that they are not inadvertently infringing on human rights laws or leaving themselves vulnerable to litigation.

    Employers have to strike a balance between complying with the law and making decisions to hire the right person for the right job. Employers also want the hiring process to be as efficient as possible without overspending on recruitment.

    Even a difference between an applicant’s location and the location of the employer is a potential problem when it comes to deciding which state’s laws apply.

    While intelligent software solutions help speed up the screening of applications, there is no replacement for human judgement when it comes to determining the nuances of legalese according to each and every state law.

    Reduce Risks by Outsourcing Background Screening

    Regardless of the size or financial prowess of an organization, all are prone to litigation from individuals or groups seeking to profit from privacy laws. However, for most recruiters or human resources departments, keeping up with these changes is so time-consuming it’s almost impossible to avoid the risk that a disgruntled applicant or ex-employee will find a way to make a claim.

    Even if a claim made by an individual against a corporation is fraudulent or unfair, the organization has to dedicate time, resources and money to defending the accusation in court. The larger an organization, the greater the risk of accusatory fingers being pointed at the employer.

    Benefits of Outsourcing Your Background Screening

    Outsourcing background checks and vetting to a third-party professional screening agency is a worthwhile investment that saves time and potential litigation costs. It also frees up your human resources department and streamlines the application process.

    Background screening companies make it their business to stay ahead of the curve of ever-changing data protection laws covering employee-employer communications.

    They can advise employers on safe ways to process private information from applicants and ensure that the information is stored securely and deleted when it should be.