Workplace Privacy: What Every Employers Should Know
Lisa J. Sotto and Elisabeth M. McCarthy*
Employers must juggle a panoply of privacy issues when it comes to the employee relationship. Beginning with pre-employment background screening through the disposal of employee personal information, employers confront a multitude of privacy issues. The widespread use of technology in the workplace and the ease and speed with which information now flows has only served to further confound employers. In the U.S., there is no omnibus employee privacy law. Instead, employers are faced with a patchwork of privacy laws that are varied and complex. This article focuses on two employer privacy issues: background screening and the disposal of consumer report information.
According to a January 2004 survey by the Society for Human Resource Management, 82% of employers investigate potential employees’ backgrounds. Employers conduct background checks not only to verify applicants’ credentials but also to ensure workplace safety and avoid potentially devastating financial and reputational harms associated with negligent hiring, retention and supervision claims. Employers typically ask “consumer reporting agencies” or CRA’s to assemble and evaluate information about a job applicant’s professional and personal life. Certain jobs, such as those in the banking, child care, health care, airline and trucking industries, require criminal background checks.
The Fair Credit Reporting Act (FCRA) was enacted to promote the accuracy, fairness and privacy of personal information assembled by consumer reporting agencies (CRAs). The FCRA allows CRAs to furnish an entity with consumer reports only where the recipient has a permissible purpose to use the reports. Permissible purposes include use for employment purposes or use in connection with credit or insurance transactions. The FCRA defines a “consumer report” as “any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used or collected in whole or in part for . . . employment purposes.”
Many sources of information used in background checks are public records, including criminal, civil court, bankruptcy, tax lien, professional licensing, workers’ compensation and driving records. The FCRA imposes restrictions on the inclusion of certain public records in background screening reports. For example, for positions with an annual salary of less than $75,000, civil judgments and paid tax liens cannot be reported in a background screening report after seven years, and bankruptcy filings cannot be reported after ten years. In addition, records relating to an individual’s arrest cannot be included in a background check report after seven years. A criminal conviction may be reported indefinitely.
An employee background check may also include an employment report for a job applicant from one or all three of the credit reporting agencies (Equifax, Experian and TransUnion). An employment report contains information regarding an individual’s credit payment history and other credit habits, but does not include the individual’s credit score or date of birth.
In addition, employers may seek to obtain education records. This type of information may include dates of attendance at educational institutions and degrees earned. Employers seeking information from education records, however, may be restricted in gaining access to certain records without authorization from an adult-age student or parent due to restrictions set forth in the Family Educational Rights and Privacy Act.
The FCRA requires employers to certify to the CRAs that the employer (i) is requesting the report for a legitimate purpose (i.e., investigation of a job applicant or existing employee), (ii) provided the subject individual with the requisite notice of the background check, (iii) has obtained written permission from the subject individual to request the background report, (iv) will provide the subject individual with a copy of the report and written notice of his or her rights prior to taking an adverse action based in whole or in part on information contained in the background report, and (v) will use the background report only for employment purposes.
The Fair and Accurate Credit Transactions Act (“FACTA”) amended the FCRA to establish standards for “employee misconduct investigations.” An “employee misconduct investigation” is an employee investigation conducted by a third party that the employer hires if the employer suspects workplace misconduct or non-compliance with federal, state or local laws or regulations, pre-existing written policies of the employer, or rules of a self-regulatory organization. Under FACTA, an employer need not obtain an employee’s consent prior to hiring a third party to investigate suspected employee misconduct. If the employer decides to take an adverse action against the employee subject to such an investigation, however, the employer must give the employee an “adverse action” notice after the adverse action has occurred.
In 2004, the FTC issued regulations requiring businesses to properly dispose of consumer report information. The rule, which became effective on June 1, 2005, was designed to help combat identity theft resulting from the improper disposal of information. The Disposal Rule requires companies to take reasonable steps to guard against unauthorized access to or use of consumer report information in connection with its disposal. It applies to any business that maintains or otherwise possesses “consumer information,” which is defined as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report . . . [or] a compilation of such records.” Because employers frequently rely on consumer reports in connection with employment decisions, employers are affected by the Disposal Rule.
Although there is no overarching U.S. employee privacy law, myriad privacy requirements apply to employers. Employers should exercise caution in collecting, using, disclosing and disposing of employee personal information and should seek to understand all the legal mandates that impact the use of such information.
*Ms. Sotto is a partner in the New York office of Hunton & Williams LLP and heads the firm’s Privacy and Information Management Practice. She also serves as Acting Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. Ms. McCarthy is counsel in the New York office of Hunton & Williams LLP and advises clients on privacy and information management issues.