Published: 2021-09-20

Developing a Privacy Program for Background Screening

With the overlap of federal and state regulations covering background screening and consumer information, maintaining compliance has become a significant challenge. The growing concerns about data privacy and security, new legislation and the continuing surge in compliance initiatives show no signs of abating.
Recent legislation has made it even more important for organizations to maintain a documented privacy program that clearly identifies the policies, procedures and controls that are in place to protect the personally identifiable information of job applicants and employees.

The following are some basic recommendations to consider when developing a privacy program:

Define Company Culture: Company culture sets the tone of an organization and is the foundation for all components of internal control and structure. Company culture includes the integrity, ethical values, and competence of the entity's people; management philosophy; and operating style. By better understanding the culture of an organization, one can better establish the framework within which risk to the company should be measured. It is important to unify the company culture in terms of risk tolerance as it relates to compliance and identify priorities for process improvements.

Conduct Risk Assessments: Risk assessment can be defined as the identification and analysis of risks relevant to the achievement of objectives. All organizations face a certain degree of risk from external and internal sources that must be assessed. A precondition of assessing risk is the establishment of operating objectives. This forms a basis for how risks should be managed. Departments within an organization need to agree on what standards they will use to assess risk and to identify priorities for process improvement.

Document Policies and Procedures: Pertinent information must be identified, captured, and communicated in a form that enables people to carry out their responsibilities. It is important that organizations develop, document and implement policies and procedures related to their background checking activities. Regulators are increasingly focusing on a company's established written policies and procedures and whether or not they are actually being enforced.

Communicate and Train: Pertinent policies and procedures must be communicated and personnel trained in order to enable people to carry out their responsibilities.

Monitor and Identify Breaches: Ongoing monitoring is required to ensure internal processes are being adhered to. The scope and frequency of monitoring depend primarily on an assessment of risk and the effectiveness of ongoing monitoring procedures. Internal breaches should be reported to the appropriate operational hierarchy and prompt action should be taken to rectify any policy breach.

Privacy issues will continue to emerge as an important factor in employment background checking practices. Because of the heavy penalties imposed for violation of privacy laws, organizations that are not focused on the issue, or do not make the investment required to stay compliant, do so at great risk.

