Employee Privacy: New Rules Affecting Disposal of Background Check Information
By: ANNE M. RADOLINSKI
July 2005
For some years now, the federal Fair Credit Reporting Act (FCRA) and parallel state laws have restricted when and how an employer may conduct background checks on applicants and employees and how such information may be used. Generally, restrictions apply when the employer conducts background checks through an outside entity. Restrictions do not generally apply when an employer obtains information directly, such as by calling a school or university to verify that the applicant or employee did in fact attend and graduate. Notice and consent requirements must be followed when an employer decides not to hire an applicant or takes action against an employee based on the results of a background check.
The FCRA was amended in December 2003 to impose new requirements on employers and others when they seek to destroy or dispose of the background check information obtained through an outside entity. The Federal Trade Commission issued disposal requirements effective June 1, 2005, to “prevent sensitive financial and personal information from falling into the hands of identity thieves or others who might use the information to victimize” subjects. See 16 C.F.R. Part 682.
The new rules do not require employers to destroy or dispose of background check information at any particular time. They simply impose safeguards for proper destruction or disposal of such information when an employer chooses to do so. The rules also come into play when an employer sells, donates, transfers or disposes of any computer equipment upon which such information is stored.
The new regulations require employers to take “reasonable measures” when disposing of background check information to protect against unauthorized access and use. While the regulations do not define “reasonable measures,” they do provide as examples burning, pulverizing or shredding of documents and information either internally or through an outside service. A computer system must be professionally wiped clean or destroyed, as applicable. The regulations also indicate that employers need internal policies and procedures regarding the disposal of the documents and information.
When using an outside service, the employer must ensure that the outside entity complies with disposal requirements. The regulations refer to a number of ways for the employer to meet its “due diligence” obligations to ensure compliance. Examples include conducting an independent audit of the entity's disposal operations; obtaining references about the disposal company from reliable resources; requiring that the entity be certified by a recognized trade association; and other measures. The employer should enter into a written contract with the outside entity memorializing the requirements for compliance.
These regulations underscore the need to maintain the confidentiality of personnel file information in general, including background check information. Employers should keep documents relating to employees and applicants in locked cabinets or areas and ensure that only a select number of authorized individuals may gain access. Supervisors and other management should be given access to only the specific information that is needed to conduct performance reviews or similar tasks.
As an example, background check information, medical information, I-9 and other sensitive employee information should, as a general rule, not be shared with supervisors and management, even if the information relates to a supervisee, because access to such information is typically not necessary to the performance of supervisory or management duties and responsibilities. We encourage you to contact any member of our employment and labor group with questions regarding the new regulations or assistance in reviewing contracts or developing policies relating to the disposal of background check information.
