Given the high amount of personally identifiable information contained in background checks employers must have staff that are knowledgeable about privacy and record retention requirements for background check information. The protection and appropriate retention of consumer’s information should be a key imperative for employers. This article specifically focuses on the record retention requirements associated with the background screening process.
In this digital age companies increasingly store background checking records digitally. This data collection and retention requires a data retention policy to guide the process, or the data can become a huge liability. According to Hopkins & Carley, attorney at law, in their article, Data Retention – More than Meets the Eye, “Some companies tend to worry about the risks associated with permanently deleting data rather than those associated with retaining too much data. However, with increasingly stringent privacy laws and the steady increase in background screening related litigation the importance of having a data retention policy cannot be overstated. A data retention policy is critical in helping to ensure that businesses delete data that is no longer warranted while retaining what is required or necessary, but also to manage proper compliance with various legislative requirements.
At a macro level, a data retention policy should:
- Identify the department responsible for implementing the data retention rules and managing the process. With background checks this is generally the HR organization.
- Identify the types of data that are collected and retained. This is the foundation of any privacy program.
- Identify applicable laws and data retention versus minimization mandates. For most companies, this will mean adhering to Fair Credit Report Act (FCRA) and Equal Employment Opportunity Commission (EEOC) at the federal level and possibly across multiple jurisdictions.
- For each type of data, describe the length of time that it should be retained as well as the format and way it should be stored.
- Ensure that responsible staff are trained and understand how data should be collected, retained and stored. Have in place a monitoring system to ensure compliance with the policy and legal requirements.
- Identify the disposal requirements and process for data retained.”1
A recent court decision by the California Court of Appeal in Hebert v. Barnes & Noble illustrates the importance of this point. A pivotal factor in the decision was that an HR professional was aware of erroneous information being contained in a disclosure & authorization form that was given to applicants and by their own admission was not very knowledgeable about the FCRA which governs the practice. The Appeal Court reversed the Trial Courts decisions remanded the case back to the trial court. Primary contributing factors were that the defendant had inadequate training of employees involved in handling FCRA governed processes and lack monitoring systems to ensure violations would not occur.
What are the legal requirements for retaining background check records?
The Fair Credit Reporting Act (FCRA) and the Equal Employment Opportunity Commission (EEOC) are the primary regulators of background checks.
There are no specific requirements in the FCRA to maintain copies of background reports received, but general Equal Employment Opportunity Commission requirements to maintain personnel or employment records apply. Epstein Becker & Green, a leading law firm, recommends retaining records of background checks including consumer reports and investigative consumer reports, authorizations to obtain those reports and notices to applicants/employees regarding intent to obtain reports, intent to take an adverse action based on information in a report, and reliance on the report to take an adverse action for six years from the date of the record in their Federal Employment Record-keeping Report.
The six years recommendation is based on the requirement that a claim under the FCRA must be brought in federal district court not later than “2 years after the date of discovery by the plaintiff of the violation that is the basis for such liability or 5 years from the date on which the cause of action arose, whichever is earlier, (15 U.S.C. § 1681p). Consequently, since an applicant or employee has between 2 and 5 years from the date of the alleged violation to file a claim of FCRA violation records must be retained to match this time period.”
In addition, the EEOC, any personnel or employment records must be kept for at least 1 year after the records were made or personnel action was taken, whichever comes later. This applies whether or not the applicant was hired or not.
The retention of records for six years is considered best practice because if a background check is alleged to have contributed to a violation, the statute of limitations may begin from the date the background check was ordered through the date the background check was completed and/or delivered. Depending on how long an employer takes to make a decision, the statute can extend for several weeks or months after completion/delivery of a consumer report. Consequently, erring on the side of caution dictates a six year period.
According to the article, Best Practices for Retaining Background Check Results, by PrimePay even with the above “employers typically have a couple of choices as it relates to the retention of pre-employment background checks. First, there is no absolute requirement that background checks be retained if the applicant is hired, and some employers will destroy the background checks once the employee is hired for privacy reasons. Other employers choose to retain the background check information, and the best practice recommendation for maintaining pre-employment background checks and authorizations is to keep these records in a separate confidential file apart from the personnel file. 2
Be sure to check your state laws to see if there are any specific requirements your company must follow. It is strongly recommended that a knowledgeable labor attorney is consulted to ensure all appropriate legal requirements are considered.
Additionally, it should be noted that if a background check is alleged to have contributed to a violation, the statute of limitations may begin from the date the background check was ordered through the date the background check was completed and/or delivered. Depending on how long an employer takes to make a decision, the statute can extend for several weeks or months after completion/delivery of a consumer report.
Since FCRA legal claims have continued to grow over the last ten years and show no sign of abating at this time this provision to add some additional time to retention of records process should not be taken lightly. Recently it was reported by Webcon that in March FCRA claims rose +17.3% and were up +3.8% year to date.
Some of the more common claims of FCRA violation include:
- Improper disclosure and authorization form was used to obtain a consumer report.
- Adverse action procedures were followed improperly or not at all.
- A consumer filed a dispute and the reporting agency failed to conduct a reinvestigation in a timely manner or fix the inaccuracy or the reinvestigation was conducted improperly or not at all.
- A consumer report failed to meet accuracy standard.
It should be noted that the above referenced record retention requirements applies even as more companies move to digitally manage the background screening process using applicant tracking systems and other HRIS tools. Many companies are opting for entirely digital background checks. With this digitalization of the process access to online records should be kept strictly private and secure, just as with physical records.
Disposal of Records
The disposal of reports and any information gathered from them must be done securely—burning, pulverizing, and shredding paper documents and disposing of electronic information so that it cannot be read or reconstructed.
What Type of Background Screening Information Must Be Retained?
- Applicant resume
- Application for employment
- Background check forms completed and / or signed by applicant, such as authorization and disclosure (A Background Check Authorization Form is a form a potential employee fills out to authorize a background check. Authorizations may require the candidate’s name, social security number, address, and oftentimes a copy of a photo ID card.)
- Completed background check report
- All communications pertaining to background check and hiring decision
- Adverse action notices
- Communications pertaining to applicant background check dispute
Conclusion
While no specific requirements in the FCRA require the maintenance of background reports received, the EEOC requirements to maintain personnel or employment records apply. Best-in-class recommendations are that background records are retained for six years from the date of the record including:
- consumer and investigative consumer reports,
- authorizations to obtain those reports
- notices to applicants/employees regarding intent to obtain reports,
- notices of intent to take an adverse action based on information in a report.
Employers are wise to adhere to the six-year recommendation while not specifically required by law because background screening claims have continued to rise over the past ten years and not having the records can leave them vulnerable to lawsuits filed.
Finally, appropriate disposal as well as strict confidentiality and access requirements need to be followed in the maintenance of records to ensure privacy requirements are met.
- Hopkins Carley, LLC, Data Retention – More than Meets the Eye, https://www.theprivacyhacker.com/2020/12/data-retention-more-than-meets-the-eye/#page=1.
- Epstein Becker and Green, Federal Employment Recordkeeping, https://www.ebglaw.com/wp-content/uploads/2020/11/2020-Federal-Recordkeeping.pdf.
- Best Practices for Retaining Background Check Results, https://primepay.com/blog/best-practices-retaining-background-check-results.