Developing a Privacy Program for Background Screening

With the mosaic of overlapping federal and state regulations covering background screening and consumer information, maintaining compliance has become a significant challenge. The growing concerns about data privacy and security, new legislation and the continuing surge in compliance initiatives show no signs of abating.
Recent legislation has made it even more important for organizations to maintain a documented privacy program that clearly identifies the policies, procedures and controls that are in place to protect personal identifiable information of job applicants and employees.

Following are some basic recommendations to consider when developing a privacy program:

Define Company Culture: Company culture sets the tone of an organization and is the foundation for all components of internal control and structure. Company culture includes the integrity, ethical values, and competence of the entity's people; management philosophy; and, operating style. By better understanding the culture of an organization, one can better establish the framework within which risk to the company should be measured. It is important to unify the company culture in terms of risk tolerance as it relates to compliance and identify priorities for process improvements.

Conduct Risk Assessments: Risk assessment can be defined as the identification and analysis of risks relevant to the achievement of objectives. All organizations face a certain degree of risk from external and internal sources that must be assessed. A precondition of assessing risk is the establishment of operating objectives. This forms a basis for how risks should be managed. Departments within an organization need to agree on what standards they will use to assess risk and to identify priorities for process improvement.

Document Policies and Procedures: Pertinent information must be identified, captured, and communicated in a form that enables people to carry out their responsibilities. It is important that organizations develop, document and implement polices and procedures related to their background checking activities. Regulators are increasingly focusing on a company's established written policies and procedures and whether or not they are actually being enforced.

Communicate and Train: Pertinent policies and procedures must be communicated and personnel trained in order to enable people to carry out their responsibilities.

Monitor and Identify Breaches: Ongoing monitoring is required to ensure internal processes are being adhered to. The scope and frequency of monitoring depends primarily on an assessment of risk and the effectiveness of ongoing monitoring procedures. Internal breaches should be reported to the appropriate operational hierarchy and prompt action should be taken to rectify any policy breach.

Privacy issues will continue to emerge as an important factor in employment background checking practices. Because of the heavy penalties imposed for violation of privacy laws, those organizations that are not focused on the issue or do not make the investment required to stay compliant, do so at great risk.

The HireRight Blog is provided for informational purposes only and should not be construed as legal advice. Any statutes or laws cited in this article should be read in their entirety. If you or your customers have questions concerning compliance and obligations under United States or International laws or regulations, we suggest that you address these directly with your legal department or outside counsel.

No related posts.