Finding talent in another country may now be a requisite, but it also demands extending background screening, not only to ensure the hiring of top-tier talent but also to help reduce risk and safeguard security.
As most know, the United States has a myriad of federal, state, and local laws which impact the process of background screening. The Equal Employment Opportunity Commission (“EEOC”) prohibits employment discrimination based on race, gender, national origin and other bases. The Federal Trade Commission (“FTC”) and Consumer Financial Protection Bureau (“CFPB”) enforce the Fair Credit Reporting Act (“FCRA”), the law which sets forth rules regarding the procedure for employers to follow if they conduct background checks through third parties. Many states and local jurisdictions also have laws governing when employers can ask about criminal history, credit, and salary information.
It’s quite a challenge for American companies to adhere to U.S. laws. But when drawing talent from overseas, understanding and applying the often confusing and conflicting legalities of other nations may present an even more daunting task.
US, Canada, Central & South America
The Americas are heavily influenced by the United States and Canada in terms of how they approach regulatory systems. In the common law countries, the law generally operates to be “prohibitive.” In other words, you can do whatever you want as long as the law doesn’t say you can’t. Consequently, the approach tends to be “opt-out.” While there are a number of countries in the Americas which come from a different jurisprudential background, the US influence still cannot be underestimated.
The most common place we see regulation which impacts the background screening efforts is in credit and criminal history. In general, the US is a consent-based system.
Similar to the US, Canada has a law regulating the development and use of credit history. The Credit Reporting Act sets out what information credit reporting agencies are allowed to collect, who can provide that information to them, who can use credit reports, and what the reports can be used for.
The Act also protects individuals’ privacy by placing limits on the kinds of information that a credit reporting agency can include in a credit report and by limiting who can receive and use that information. Some Canadian Provinces and Territories have enacted laws which place additional restrictions and requirements on employers.
Outside the US, criminal records are often considered sensitive data, and are protected and restricted as such.
Omnibus Privacy Law
Unlike the US, Canada does have an “omnibus” privacy law at both the federal and provincial levels. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) protects individuals by setting out what all of the credit reporting agencies operating across provincial borders are allowed to do with information about individuals. PIPEDA imposes notice and consent requirements on anyone who collects and uses personal information. One of those obligations is the requirement that personal information only be used in a way that the data subject (not the business using the data) would consider reasonable.
Nine countries in Central and South America have omnibus privacy laws similar to Canada’s federal PIPEDA. These include significant trading partners like Mexico, Peru, and Colombia. In addition, Argentina and Uruguay have adopted EU-like adequacy requirements concerning cross-border data transfers. The result is that each of these countries will have particular limitations as to the scope and process one can use to perform background screening.
In April 2016, a new EU data protection framework was adopted by EU Member States and 11 other countries maintaining cross-border data transfer “adequacy” regulations. The General Data Protection Regulation (GDPR) will replace the current European Data Protection Directive 95/46/EC and will be directly applicable in all Member States without the need for implementing additional national legislation. The new Regulation will be enforceable effective May 25, 2018.
There are a number of general principles that can be consistently applied to background screening and it is best practice to ensure that such processes be managed to comply with the general privacy law in the European Union (EU).
Data Protection (Privacy) Law
The cornerstone of data privacy law in the EU is the set of data protection principles (“Principles”), which under the GDPR require, in part, that any personal data is:
processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (‘purpose limitation’);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Clearly, background screening is processing of personal information, so the question is how the principles described above can be achieved.
It is the general view that the most effective way to demonstrate compliance with the Principles is via disclosure and consent, even though some Member States, including France and Spain, question the validity of consent in an employment context due to the inequality of bargaining position between the candidate and the company. Consent must be freely given, specific and informed. In the context of background screening, the candidate must know why they are being screened and by whom, what type of information will be verified, who will have access to the results, and in which jurisdictions their data may be handled. Further, the candidate must be able to revoke consent at any time.
Credit Reports & Criminal Records
Each Member State also has local laws governing the collection and use of credit history and criminal history information. These laws should be read in conjunction with local data privacy laws and the GDPR, but further care should be taken when considering whether to include such checks in any background screening package, as local labor laws also affect what data or information may be gathered and used in any employment decision.
While some nations in Asia, including Hong Kong and Japan, have established data privacy legislation, as a region Asia is evolving in this area. For many years Asia’s lack of data privacy legislation was attractive to hiring companies, but with an increased general awareness of fundamental rights by individuals, employers have been increasingly concerned to ensure that they appear to implement protections.
As the Asia-Pacific Economic Cooperation Forum (“APEC”) has seen, data protection is a threshold issue with regard to economic expansion. The regulatory systems of the region are all trying to get a handle on this, and while the law and regulation are still very much in flux, many emerging markets such as Malaysia and Vietnam are implementing data privacy laws with a view to attracting investors to set up operations, while the Philippines has recently issued widespread data protection rules and regulations.
Data Protection (Privacy) Law
Fourteen countries have recently implemented data protection laws, including South Korea, Malaysia, the Philippines, and Singapore. Many countries have taken a page out of the EU’s book and decided to be aggressive in writing protections into their statutes. Fortunately, most Asian countries are using consent as a primary basis for legitimizing processing. However, several notable countries have taken a much harder stance on data protection than the US model would consider. South Korea has what are regarded as the strongest data privacy laws in the world and recently made further amendments strengthening the protection of personal data in the form of a prohibition on the collecting and processing of Resident Registration Numbers (RRN).
The other important element in the regulatory systems in Asia is the potential for criminal penalties. South Korea, the Philippines and other Asian countries have included direct civil and criminal remedies which can be used against individual persons who violate the data protection laws. This makes having a compliance program for background screening even more pressing, as the individual responsible for doing background screening may be subject to civil and criminal sanctions.
Unfortunately, as these are mostly new laws, there isn’t a body of enforcement and interpretation history to help inform businesses who want to develop and manage screening programs. It is therefore critical to have a partner on the ground in these jurisdictions who knows the culture to be able to help navigate the way these laws will get enforced.
Credit Reports & Criminal Records
While a number of countries in Asia have omnibus privacy laws, many also have sectoral laws like the US. South Korea has an FCRA-style law. Singapore and South Korea both have laws prohibiting the use of criminal history for certain purposes. In any event, much of the data that would be useful in a background screening process would be considered sensitive. This has the effect of elevating the types of consent you must obtain, and reducing the purposes for which you can use such data.
Background screening processes are necessary for the effective and efficient management of talent in an increasingly global and interconnected workforce. However, there are a number of cultural differences which drive regulatory systems that have very different requirements on how a company can implement a screening process. As a consequence, any company that is setting up, or evolving, its background screening processes will need to have a holistic approach which is flexible and intelligent enough to be able to recognize local differences, and address those differences in an efficient and cost-effective way. It isn’t impossible, but it is complicated. It also requires some fairly specific knowledge of local law, customs, and enforcement priorities.