Today, businesses are becoming international enterprises far earlier in their life-cycle than ever before. Perhaps it’s because it’s now easier and faster to travel overseas and, thanks to technology, easier to collaborate with staff, vendors, consultants, and others around the world (potentially eliminating the need for travel altogether). An employee no longer has to physically be located in a company’s main office to be productive. And recruiting now recognizes that talent may reside across national boundaries.
Finding talent in another country may now be requisite, but it also demands extending background screening, both to help ensure the hiring of top-tier talent and to help reduce risk and safeguard security.
As most know, the United States has a myriad of federal, state, and local laws which impact the process of background screening. The Equal Employment Opportunity Commission (“EEOC”) prohibits employment discrimination based on race, gender, national origin and other bases. The Federal Trade Commission (“FTC”) and Consumer Financial Protection Bureau (“CFPB”) enforce the Fair Credit Reporting Act (“FCRA”), the law which sets forth the procedure employers must follow if they conduct background checks through third parties. Many states and local jurisdictions also have laws governing when employers can ask about criminal history, credit, and salary information.
It’s quite a challenge for American companies to adhere to U.S. laws. But when drawing talent from overseas, understanding and applying the often confusing and conflicting legalities of other nations may present an even more daunting task.
US, Canada, Central & South America
The Americas are heavily influenced by the United States and Canada in terms of how they approach regulatory systems. In the common law countries, the law generally operates to be “prohibitive.” In other words, you can do whatever you want as long as the law doesn’t say you can’t. Consequently, the approach tends to be “opt-out.” While there are a number of countries in the Americas which come from a different jurisprudential background, the US influence still should not be underestimated.
The most common place we see regulation which impacts the background screening efforts is in credit and criminal history. In general, the US is a consent-based system.
Similar to the US, Canada has a law regulating the development and use of credit history. The Credit Reporting Act sets out what information credit reporting agencies are allowed to collect, who can provide that information to them, who can use credit reports, and what the reports can be used for.
The Act also protects individuals’ privacy by placing limits on the kinds of information that a credit reporting agency can include in a credit report and by limiting who can receive and use that information. Some Canadian Provinces and Territories have enacted laws which place additional restrictions and requirements on employers.
Outside the US, criminal records are often considered sensitive data, and are protected and restricted as such.
Omnibus Privacy Law
Unlike the US, Canada does have an “omnibus” privacy law at both the federal and provincial levels. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) protects individuals by setting out what all of the credit reporting agencies operating across provincial borders are allowed to do with information about individuals. PIPEDA imposes notice and consent requirements on anyone who collects and uses personal information. One of those obligations is the requirement that personal information only be used in a way that the data subject (not the business using the data) would consider reasonable.
Nine countries in Central and South America have omnibus privacy laws similar to Canada’s federal PIPEDA. These include significant trading partners like Mexico, Peru, and Colombia. In addition, Argentina and Uruguay have adopted EU-like adequacy requirements concerning cross-border data transfers. The result is that each of these countries will have particular limitations as to the scope and process one can use to perform background screening.
In April 2016, a new EU data protection framework was adopted by EU Member States and 11 other countries maintaining cross-border data transfer “adequacy” regulations. The General Data Protection Regulation (GDPR) will replace the current European Data Protection Directive 95/46/EC and will be directly applicable in all Member States without the need for implementing additional national legislation. The new Regulation will be enforceable effective May 25, 2018.
There are a number of general principles that can be consistently applied to background screening and it is best practice to ensure that such processes be managed to comply with the general privacy law in the European Union (EU).
Data Protection (Privacy) Law
The cornerstone of data privacy law in the EU is the set of data protection principles (“Principles”), which under the GDPR require, in part, that any personal data be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Clearly, background screening involves processing personal information, so the question is how the principles described above can be achieved.
It is the general view that the most effective way to demonstrate compliance with the Principles is via disclosure and consent, even though some Member States, including France and Spain, question the validity of consent in an employment context due to the inequality of bargaining position between the candidate and the company. Consent must be freely given, specific and informed. In the context of background screening, the candidate must know why they are being screened and by whom, what type of information will be verified, who will have access to the results, and in which jurisdictions their data may be handled. Further, the candidate must be able to revoke consent at any time.
Credit Reports & Criminal Records
Each Member State also has local laws governing the collection and use of credit history and criminal history information. These laws should be read in conjunction with local data privacy laws and the GDPR, but further care should be taken when considering whether to include such checks in any background screening package, as local labor laws also affect what data may be gathered and used in any employment decision.
While some nations in Asia, including Hong Kong and Japan, have established data privacy legislation, as a region Asia is evolving in this area. For many years Asia’s lack of data privacy legislation was attractive to hiring companies, but with an increased general awareness of fundamental rights by individuals, employers have been increasingly concerned to ensure that they appear to implement protections.
As the Asia-Pacific Economic Cooperation Forum (“APEC”) has seen, data protection is a threshold issue with regard to economic expansion. The regulatory systems of the region are all trying to get a handle on this, and while the law and regulation are still very much in flux, many emerging markets such as Malaysia and Vietnam are implementing data privacy laws with a view to attracting investors to set up operations, while the Philippines has recently issued widespread data protection rules and regulations.
Data Protection (Privacy) Law
Fourteen countries have recently implemented data protection laws, including South Korea, Malaysia, the Philippines, and Singapore. Many countries have taken a page out of the EU’s book and decided to be aggressive in writing protections into their statutes. Fortunately, most Asian countries are using consent as a primary basis for legitimizing processing. However, several notable countries have taken a much harder stance on data protection than the US model would consider. South Korea has what are regarded as the strongest data privacy laws in the world and recently made further amendments strengthening the protection of personal data in the form of a prohibition on the collecting and processing of Resident Registration Numbers (RRN).
The other important element in the regulatory systems in Asia is the potential for criminal penalties. South Korea, Philippines and other Asian countries have included direct civil and criminal remedies which can be used against individual persons who violate the data protection laws. This makes having a compliance program for background screening even more immediate as the individual responsible for doing background screening may be subject to civil and criminal sanctions.
Unfortunately, as these are mostly new laws, there isn’t a body of enforcement and interpretation history to help inform businesses who want to develop and manage screening programs. It is therefore critical to have a partner on the ground in these jurisdictions who knows the culture to be able to help navigate the way these laws will get enforced.
Credit Reports & Criminal Records
While a number of countries in Asia have omnibus privacy laws, many also have sectoral laws like the US. South Korea has an FCRA-style law. Singapore and South Korea both have laws prohibiting the use of criminal history for certain purposes. In any event, much of the data that would be useful in a background screening process would be considered sensitive. This has the effect of elevating the types of consent you must obtain, and reducing the purposes for which you can use such data.
Background screening processes are necessary for the effective and efficient management of talent in an increasingly global and interconnected workforce. However, there are a number of cultural differences which drive regulatory systems that have very different requirements on how a company can implement a screening process. As a consequence, any company that is setting up, or evolving, its background screening processes will need to have a holistic approach which is flexible and intelligent enough to be able to recognize local differences, and address those differences in an efficient and cost-effective way. It isn’t impossible, but it is complicated. It also requires some fairly specific knowledge of local law, customs, and enforcement priorities.
This is an excerpt from HireRight’s white paper “Background Screening and the International Workforce” written by John Tomaszewski, Senior Counsel, Seyfarth Shaw LLP.