June 28th, 2024 | Sterling

Key Privacy Considerations for Global Background Checks

Top Takeaways:

  • Privacy is a key concern when conducting background checks, especially for remote and global workforces.
  • Background check policies should be designed with privacy principles and legal requirements in mind.
  • Processes and procedures around data are essential components of a background check program that supports privacy compliance.
  • Organizations should partner with a reputable and experienced global employee screening provider that can help them navigate the complex and evolving privacy landscape.
  • Privacy is not only a legal obligation, but also a way to build trust with candidates and employees.

In an increasingly remote world, connection and automation are also growing, making privacy considerations top of mind for many organizations and consumers. Some business activities have more privacy implications than others, depending on how much personal information is handled and the sensitivity of that information. For many organizations, background screening is among the most privacy-sensitive aspects of their hiring processes, which means there will be a higher level of scrutiny by candidates and internal privacy stakeholders (for example: data protection officer, privacy counsel, compliance officer). The sensitivity is also heightened by the rise in remote and global workforces, which requires screening in every region companies hire in. To ensure your global employee screening program enables compliance with global privacy laws and builds trust among candidates and employees, your organization should take the following recommendations into consideration.

Program Design

When a program for global background checks is first designed, it’s usually documented in the form of a background screening policy, which answers the following questions, among others:

  • What are the objectives of the program? For example, what risks are you hoping to mitigate or what obligations are you hoping to meet by conducting background screening? Any collection of personal information must be justified; privacy principles dictate that you should never collect personal information just because it’s “nice to have.”
  • How will you meet your stated objectives? Whom will you screen, and what types of information will you collect for that screening? Are there limitations on what you can request in certain jurisdictions, or limitations on what data is available? Screening packages will often differ between countries and roles to ensure that only the data you need (and are allowed to collect in the circumstances) is collected and used in each case. It’s critical to make these determinations upfront in consultation with legal counsel to ensure your program complies with local laws.
  • What specific rules must you follow in your screening program? Do you need to establish a “legal basis” for collecting data (as is the case under European privacy laws), and if so, what is that basis? Do candidates have certain rights, like the right to be informed of the screening and dispute results? If so, how do they exercise those rights? Are you processing data which is subject to more stringent rules, like biometric data, criminal history, or credit reports, and if so, how will you comply with those rules?
  • How will exceptions and escalations be handled? Background checks do not generally give a “yes/no” result. They may provide information of varying relevance which must be evaluated to identify risks that your organization cannot accept. Who is responsible for that evaluation? And what if a candidate has a reasonable objection to some or all of the background check? Is that a disqualifier, or will certain accommodations be possible? Preparing for exceptional circumstances in advance helps ensure efficiency and fairness in your program.

Provider Contracts

When exchanging personal information with a third party, like a background screening provider, it’s advisable (and may be mandatory) to sign a contract that protects that information. Often, these contracts will:

  • Identify what information will be exchanged and for what purposes
  • Limit how the parties can use the information
  • Define how cross-border data transfers will happen
  • Impose detailed security obligations to ensure information is protected and the parties respond properly if there is a data breach

Contracts will frequently also allow for periodic audits of compliance and establish how liability will work in case something goes wrong.

While there are many templates that law firms can provide which set out typical privacy and security terms, it’s important that both parties understand and discuss the terms in detail to ensure they properly reflect the parties’ intent and capabilities, and the nature of the service being performed; after all, a contract isn’t worth the paper it’s written on if the parties are not able or willing to comply with it.

Notice and Authorization

With rare exceptions, candidates must be notified that a background check will be conducted. This can be done at various stages in the recruitment and onboarding process, but many employers provide a specific privacy notice explaining the background screening and the candidate’s rights immediately before they intend to launch the screening process. In some jurisdictions, this type of standalone notice is required by law.

Depending on local requirements, privacy notices may be quite brief or may go into detail about the types of data collected, who will have access to it, where it will be transferred, how long it will be retained, and other topics. Background screening providers may maintain sample notices, but it’s always critical to have legal counsel or a privacy professional review those notices to ensure they’re relevant and sufficient for your organization, and that they accurately reflect your background screening program.

Automated Decision-making and Artificial Intelligence (AI)

Privacy laws often impose special restrictions and conditions when a decision about an individual is made automatically, particularly if it involves AI (which is defined in various ways around the world). Background screening is often a manual task, meaning data is collected from the source and must be analyzed by a person before a decision can be made. However, there are an increasing number of tasks that are automated and can lead to decisions that affect a candidate’s background check result.

When designing your global employee screening program, it’s critical to understand whether there are any decision points that are fully automated so you can decide how to address any risks arising from that automation. This may include:

  • Disclosing the way the decision is made to the candidate
  • Offering an opt-out
  • Incorporating a human review of every result
  • Offering a dispute mechanism

Your screening partner may have already thought through these considerations and may be able to provide insight into how to address them in the context of their product offering.

Cross-border Data Transfers

Multinational companies almost invariably transfer candidate data from one country to another to facilitate the selection and onboarding process. In the background screening process, this can happen for several reasons, including:

  1. Both hiring organizations and their screening partners may have global hubs for data storage and service fulfillment, and those hubs may not be in the same country as every applicant.
  2. Candidates may have lived in multiple countries, requiring cross-border communications just to verify their background.

While many countries have no particular rules affecting how or whether data can cross borders, others — particularly the European Union — have restrictive rules in place which set conditions for data transfers. These legal frameworks may require cross-border transfer assessments, standard clauses between companies engaging in a data transfer, or the opt-in consent of the individual for the transfer of their data.

For any screening program, it’s important to understand where data will come from, where it will go, and what rules will apply to those transfers, so you can work with your screening partner to take the necessary steps to comply with applicable privacy laws.

Candidate Rights

What is a keystone of privacy laws?

A keystone of privacy laws is the right for individuals to know and control how their data will be used. Of course, candidates cannot direct their own background check, as it would allow them to manipulate the process and potentially hide legitimate findings, but individuals still have considerable rights in most jurisdictions to be involved from end to end.

This means that individuals must first be informed how their data will be handled as described in the privacy notice section above. Where there are choices for how to fulfill a background check, candidates should be offered those choices, which, for example, may include providing different types of documentation to prove their employment or education.

Finally, once background information has been collected, candidates generally have a right to see the information held about them and dispute its accuracy. This is in both the candidate’s and the employer’s interest, as it ensures the candidate has a reasonable opportunity to point out mistakes and protects the employer against losing a good candidate based on inaccurate information.

Candidates may be able to exercise other rights, as well. Some jurisdictions allow individuals the right to object to processing of their personal information, ask for it to be deleted, or have it transferred to a third party, among other things. Screening providers may facilitate the exercise of these rights as part of their service, and in some places, individuals may be able to exercise their rights directly with the screening provider without the employer’s involvement.

Data Retention

Once global background checks are completed, a new question arises: how long to keep the information?

Candidate background information may be quite sensitive and may be subject to retention limitations under local laws. Furthermore, retaining data may increase the risk that the data will go astray or will be misused. For those reasons and others, it’s always advisable to establish a retention schedule for background check information. A retention schedule may be part of your organization’s background screening policy, or it may be part of a centralized retention policy, but either way, it should cover the following:

  • How long are background checks retained for successful candidates?
  • How long are background checks retained for unsuccessful candidates?
  • Are there any legal or contractual obligations that would influence the retention period, like a customer or regulatory audit right?
  • Should a record that the check was completed, and whether it was satisfactory or unsatisfactory, be retained longer than the details of the check itself?
  • How are records deleted when the retention period expires?
  • Are retention requirements (or deletion requirements) passed along to background check providers, and if so, how does that happen?

Your background check provider may also have its own retention obligations, particularly when it’s providing a regulated service, so these requirements may also affect your organization’s decisions about retention and deletion of data.

Final Thoughts

The privacy implications of background screening are significant and worthy of careful thought, either before you launch a screening program or as part of your ongoing process review. Engaging a data protection officer, privacy officer, or specialized lawyer will go a long way to ensuring privacy is properly considered and will help maintain the trust of your candidates as you bring them on board. And when scaling your background screening program everywhere you hire, working with a partner like Sterling, experienced in global background checks, privacy, and compliance, can help your hiring team overcome a wide range of challenges more efficiently. Visit Sterling Backcheck’s Global Screening capabilities for more.

For more information about how Sterling thinks about privacy and handles personal information, we encourage you to review our privacy statement at https://privacy.sterlingcheck.com.

About Mark Sward, Vice President and Global Head of Privacy, Sterling

Mark is Sterling’s Vice President and Global Head of Privacy. He leads the global privacy team, which oversees Sterling’s privacy program, supports internal data protection compliance initiatives around the world, provides information and best practice guidance to Sterling’s clients and plays an active role in thought leadership and advocacy around privacy matters in the background screening industry.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.