June 15th, 2017 | Sterling

Privacy Laws and Background Checks: How to Stay Compliant

Privacy Laws and Background Checks: How to Stay Compliant

The information you collect, use and retain regarding candidates and employees – including background checks – may be subject to privacy law. While we have tried to design systems and services that will help you comply with privacy laws, we cannot comply on your behalf, so it is vital that you take privacy considerations into account when creating your background screening policy.

First, you must determine which law, if any, applies to your employees’ or candidates’ information. While the following gives a general overview of the different laws that may apply, please be sure to check with your legal counsel or privacy office to understand your situation.

If your organization is in the public sector, your jurisdiction’s public-sector privacy law may apply (for example, the federal Privacy Act or the provincial Freedom of Information and Protection of Privacy Act in many provinces).

In the private sector, employee information is not always subject to privacy law. If your industry is federally regulated, such as banking, air transport, or telecommunications, the Personal Information Protection and Electronic Documents Act (PIPEDA) likely applies. If your industry is provincially regulated, employee information may be subject to provincial privacy law, but this is generally only the case in B.C., Alberta (each has its own Personal Information Protection Act), Quebec (Act respecting the protection of personal information in the private sector), and eventually Manitoba once its Personal Information Protection and Identity Theft Prevention Act is in force (it was passed in 2013 but has not yet been proclaimed).

Fortunately, many concepts in Canadian privacy laws are similar, so establishing a compliant nationwide background screening program is possible. Among other things, you must take into account these concepts:

Notification and consent

Employees or candidates usually must be notified about, and may be required to consent to, the collection, use and disclosure of their personal information. Even when consent is not legally required, it is always a good practice to ensure that you only handle personal information with the consent of the individual. SterlingBackcheck’s consent forms provide notification and collect consent, either on paper or online using eConsent. They can be customized to meet your organization’s needs.

Reasonable collection, use and disclosure

You must be reasonable in your practices around collection, use and disclosure of personal information. This means that you should only collect information that is reasonably necessary to establish or maintain the employment relationship in accordance with your business requirements, not simply information that would be interesting to have. The information should then only be used for the purposes for which it was collected. Also, access must be restricted; personal information under your control should only be accessible to individuals who need it.

Security, individual access and retention

  • You are responsible for keeping personal information safe. For information stored on SterlingBackcheck systems, you can count on our information security program to keep your data secure.
  • You may be required to provide background check results and other employee personal information to the employee or candidate on request, and the individual may then contest the accuracy of the information. SterlingBackcheck will assist with access requests or disputes concerning information in our systems.
  • You must limit retention of personal data. While you should keep information for a certain period to allow candidates or employees to exercise their legal rights, once you no longer need the information it should be deleted.

Please be sure to consult with your privacy office or legal counsel to ensure your practices are compliant. You are also welcome to contact your SterlingBackcheck representative for further guidance on how our systems and services can help you comply with privacy laws and best practices; we have dedicated privacy professionals on staff who can help explain these concepts further and discuss your organization’s situation. However, SterlingBackcheck is not a law firm; the materials presented in this article and by our staff are for information and best practice purposes only and do not constitute legal advice.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.

Revealing the Data: Hiring Reimagined Report