compliance.

Employment-related due diligence/background screening is regularly conducted around the world by both public and private employers. Jurisdictions fall into three broad categories:

1. Countries that use a strict legal framework to classify checks as “consumer reports.”
   • The U.S. and Canada are the two countries that fall into this category.

      

2. Countries that do not have specific laws on employment-related background screening, but do have evolving data privacy laws that impact the ability to conduct such due diligence projects.
   • Most European countries fall into this category.

      

3. Countries that have no applicable laws or regulatory guidance on the subject. In these countries, due diligence is considered an ordinary part of the employment vetting/reference process.
   • This category represents the vast majority of jurisdictions.

      

United States – Fair Credit Reporting Act (FCRA)  

Diligence reports for employment purposes are considered “consumer reports” under the FCRA. Such reports are carried out by a consumer reporting agency (CRA), like Decipher, and include information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living.”

U.S. law is very clear on the responsibilities of employers and CRAs under the FCRA. Broadly, the FCRA requires that:

• The CRA follow reasonable procedures to assure accuracy.
• The potential employer/firm obtain the applicant’s written permission for the due diligence project to be carried out.
• The employer/firm certifies that is in compliance with the FCRA’s requirements.
  
  

When working with a sophisticated CRA, these compliance requirements are relatively straightforward and will require minimal process modifications. While we are specifically not providing the firm with legal advice, we will provide sample Candidate Disclosure & Authorization forms that are specifically crafted to comply with the FCRA, and work closely with the firm to ensure its awareness of applicable regulations.

Conducting Due Diligence Outside the United States – Conducting Due Diligence

In the United Kingdom, there are no immediate strictures that govern the collection of informal intelligence on prospective employees.

The U.K.’s Data Protection Act of 1998 (DPA) does govern the transfer of such collected data, and for those reasons, to remain in compliance with the DPA, as well as the European Union’s General Data Protection Regulation (GDPR), both of which govern both domestic and cross-border data transfer.

Candidate consent to such activities is considered best practice, as it is the most straightforward means to legally justify the transfer of such data. Such consent also largely ensures compliance with the most substantial tenets of the U.S.-E.U. Data Shield, although this is a purely voluntary program for U.S. businesses.

Outside the U.S. and Canada, it is broadly accepted that obtaining candidate consent to pre-employment due diligence reports (in the style of the U.K.) is considered best practice. That said, where there are specific requirements for individual jurisdictions, we will highlight those issues with you, as and when they arise.