Few topics are as globally misunderstood, misquoted, misapplied, and misused as privacy. In my experience lecturing auditors, accountants, and corporate counsel on how to detect, deter, and investigate corporate fraud committed by “trusted employees,” I am continually reminded how confusing privacy issues are: Whose rights are being protected, by whom and from whom, and what information is, in fact, “private”? The questions get even more complicated if the information is being sought for purposes of “identification” or “verification.” In these cases, when does the informed consent become relevant? More confusing still: How do the privacy rights of job applicants differ from those of existing employees?
Privacy DefinedThe United States tends to focus privacy concerns primarily on the protection of personal information. Americans do not have an express constitutional right to privacy, unlike free speech, the right to a speedy trial, and the right to bear arms expressly granted in the U.S. Constitution. America’s idea of a right to privacy was first expressed by Samuel Warren and Louis Brandeis as a person’s “right to be let alone” in an 1890 article for the Harvard Law Review, written primarily in response to the increase in newspapers and photographs made possible by printing technologies. Warren and Brandeis’ project was not entirely successful, and the renowned tort expert Dean William Prosser argued in a 1960 article for the California Law Review that “privacy” was composed of four separate torts, the only unifying element of which was a (vague) “right to be left alone.” The four torts identified were (1) appropriating the plaintiff’s identity for the defendant’s benefit, (2) placing the plaintiff in a false light in the public eye, (3) publicly disclosing private facts about the plaintiff, and (4) unreasonably intruding on the seclusion or solitude of the plaintiff.The U.S. Supreme Court in 1977 first acknowledged a potential constitutional privacy “interest in avoiding disclosure of personal matters” wherein the Court assumed, without deciding, that the Constitution protects an informational privacy interest (Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977); Whalen v. Roe, 429 U.S. 589, 599 (1977)). In 2011 the Court in National Aeronautics & Space Administration v. Nelson (131 S. Ct. at 751) maintained that approach and again assumed, without deciding, that a constitutional right to informational privacy exists, but then held that a public employer conducting an employee background check did not violate that right.Ultimately, privacy rights in the United States derive from a disjointed collection of constitutional interpretations, statutes, and common law. Further exacerbating the confusion is the fact that statutory privacy laws continue to develop piecemeal as reactions to social demands (much like the 1890 legal journal article), political events, and even Victoria’s Secret catalogs.Things are quite different in Great Britain and the European Union (EU). Great Britain discusses privacy in its constitution, and the EU views privacy as a human right as outlined in the Convention for the Protection of Human Rights and Fundamental Freedoms. Effective October 1998, the European Union Privacy Directive was an integral part of the EU’s efforts to promote trade liberalization while strengthening data privacy protection within the EU. However, the EU’s Directives become law in member states when ultimately adopted by each state’s legislature or other state administrative institutions, and the Privacy Directive is no exception. The Privacy Directive has been ultimately adopted into law within each member state, albeit in varying formats. This directive, which notably includes exceptions for public security, state security, and criminal law, addresses the processing of all personal data by whatever means and is not limited by business sector or field of use.In the United States, privacy laws are generally broken down into two areas:
- Laws that apply to actions by the federal, state, and local government (the public sector) and governed by constitutional and statutory law; and
- Laws that apply to actions by everyone else (the private sector) and governed by statutory laws.
Job Applicants and Privacy RightsClients, be they individual or corporate, often conclude their conversations with “Can he/she/they do that?” Thus begins the process of determining who he/she/they is/are, and in what capacity and context the actor “did” whatever “that” is. When hiring practices and privacy issues are a part of this conversation, it makes the process even more complex—only the highlights can be outlined within the confines of this article.
Do job applicants have fewer privacy rights than employees?Absolutely. According to the plurality of Supreme Court Justices Lewis F. Powell Jr., Warren E. Burger, William Rehnquist, and Sandra Day O’Connor, “Denial of a future employment opportunity is not as intrusive as loss of an existing job’’ (Wygant et al. v. Jackson Board of Education et al., 476 U.S. 267 (1986)). As Judge Henry J. Friendly (a 27-year veteran of the U.S. Court of Appeals for the Second Circuit) noted in the University of Pennsylvania Law Review in 1975, “there is a human difference between losing what one has and getting what one wants.”Prudent employers should take all legally available means to screen job applicants and verify their character, qualifications, and abilities. Most studies indicate that 53 percent of résumés and job applications contain false information and 78 percent are misleading (tinyurl.com/6lvjc4v). In 2006 RadioShack CEO Dave Edmondson resigned after acknowledging that he lied about academic degrees listed on his résumé and the company’s website. In 2001, after five days on the job, Notre Dame’s football coach George O’Leary resigned when his falsified academic and athletic credentials were discovered. In May 2012 Scott Thompson, the chief executive of Yahoo Inc., stepped down after an activist shareholder flagged a discrepancy on his résumé where he reported a computer science degree he did not have. Indeed, employers’ failure to perform adequate background checks may open the door to costly “negligent hiring” litigation should an employee harm a customer or co-worker when evidence of such behavior could have been discovered prior to the hiring. Therefore, when considering the privacy interests of job applicants and potential employees, as opposed to existing employees, courts more likely defer to employer decisions to collect personal information.
What are the privacy rights of job applicants?Again, this very broad question needs to be distilled even further. First, is it a public employer or a private employer? Is the job applicant a minor, and can the applicant therefore give consent? Precisely what information was accessed, and was it in fact used by the potential employer in the hiring decision? Was the hiring decision made based on race, color, religion, disability, ancestry, sex, age, national origin, sexual orientation, marital status, or familial status? What type of information requires prior express permission from the job applicant in order to be accessed by a potential employer? Did the potential employer or his agent improperly disclose the job applicant’s protected information, and, if so, to whom, in what format, and under what circumstances? Did the potential employer take adverse action or deny employment based on information obtained before extending an offer of employment or after a “conditional offer” of employment? Was the job applicant given all the proper notices and opportunity to explain or dispute erroneous information contained in the prescreening employment check? What information can employers ask on the written job application versus at an employment interview? There is a vast difference between the employer’s accessing job applicant information to be used as a factor in a hiring decision versus unauthorized sharing of or allowing access to the job applicant’s information.
What can private-sector employers consider?The federal rules regarding pre-employment screening or background checks are primarily found within the Fair Credit Reporting Act of 1970 (FCRA), amended effective September 30, 1997, which regulates use of both “consumer reports” and “investigative consumer reports.” At a minimum, employers must conform to these federal rules, as well as state-specific rules where applicable.With respect to job applicants, the FCRA has two primary goals:
- To ensure that job applicants are explicitly notified of and consent to any background checks that are done when credit, education, military service, and/or medical records are obtained; and
- To ensure that job applicants are given the opportunity to correct any misinformation contained therein before any decisions are made by the employer.
Must the employer disclose why the job applicant was not hired?If the employer decides not to hire the applicant based on information received under the FCRA, even if it is only one of several reasons, the employer must, before taking action, give the applicant a “pre-adverse action disclosure” that includes a copy of the credit report and a copy of a document titled “A Summary of Your Rights Under the Fair Credit Reporting Act.”After taking action, the employer must give the applicant notice—orally, in writing, or electronically—that action was taken. The employer must include the name, address, and phone number of the consumer reporting agency (CRA) that supplied the report, a statement that the CRA did not make the decision to take the adverse action, and a notice of the applicant’s right to dispute the information’s accuracy. The job applicant has the right to an additional free consumer report from the agency upon request within 60 days. (For more about an employer’s obligations under the FCRA, see tinyurl.com/29ugfjw.)However, this federal law has two significant and often-used loopholes. First, the employer is not subject to the notice and consent provisions of the FCRA if it conducts the background check itself and does not use a third-party screening company. Second, the employer may opt to tell the rejected job applicant that its adverse decision was not based on the results of the background investigation, but rather that the job applicant pool was so large that its hiring decision was based on the fact that there were individuals far more qualified than the applicant. Either way, the job applicant would not have the ability to obtain a copy of the prescreening report to find out what negative information it contained.It is important to comply with the FCRA requirements as job applicants and employees may bring private actions against employers for negligent violations of the FCRA. If the employer’s violation is willful, a private right of action exists for actual damages, punitive damages, and costs and reasonable attorney fees. (For more information about an employee’s rights under the FCRA, see tinyurl.com/7kyh44l.)
What Information Is Reviewed by Prospective Employers?Depending on the specific job, whether the employer is public or private, and the state in which the job and/or employer is located, pre-employment screening may consider the following categories of information (but note that this is by no means a comprehensive list):
- Bankruptcy records
- Character references
- Court records
- Credit records
- Criminal records
- Driving records
- Drug test records
- Education records
- Incarceration records
- Medical records
- Military records
- Neighbor interviews
- Past employers’ references
- Personal references
- Property ownership records
- Publicly available information including open-source data
- Sex offender lists
- Social Security Number
- State licensing records
- Vehicle registration
- Workers’ compensation records
Criminal Record Background Screening
EEOC guidance.Employers’ policies and procedures regarding criminal background checks should be reviewed as a result of the April 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions under Title VII of the Civil Rights Act of 1964, issued by the Equal Employment Opportunity Commission (EEOC; tinyurl.com/75tb3vg). Employers using pre-employment criminal background screening must now provide a solid business reason (job necessity) for making the inquiry. Simply stating the need to provide a safe workplace with trustworthy and productive employees is not enough and may in fact run afoul of Title VII if criminal history information is evaluated differently for applicants versus employees. This does not mean employers should abandon pre-employment criminal records checks altogether, as employers have an obligation to use reasonable care when hiring employees to ensure a safe workplace environment.The EEOC’s April 2012 position outlines that an employer’s facially neutral policy can have adverse and disparate impact based on prohibited characteristics, such as race and national origin, if the employer rejects an applicant simply because of his/her criminal record. The EEOC states pre-employment screening should be limited to convictions for which the exclusion is “job [or position] related” and is consistent with a “business necessity.”
Arrest vs. conviction records.Note there is an important distinction between arrest records and conviction records—both are included in the vast majority of pre-employment criminal records checks. The EEOC aptly points out that an arrest by itself does not prove that a person engaged in any wrongful conduct, and employers cannot deny employment simply because of an arrest record. Employers must consider the underlying facts and circumstances by providing the applicant the opportunity to explain the conduct in question. Employers are to:
- Notify the applicant that he/she may be excluded because of a criminal conviction or arrest history;
- Provide the applicant an opportunity to explain the underlying facts and circumstances (e.g., the number and type of offenses at issue, age at the time of conviction, evidence that the individual performed the same type of work post-conviction with no known incidents of criminal behavior, rehabilitation efforts, character references, etc.); and
- Consider whether the applicant-provided facts and circumstances warrant an exception to the policy.
- The nature and gravity of the offense or conduct. The employer may look to the specific elements of the crime committed to see if the crime may be associated with the job. In terms of the gravity, an employer would give less weight to misdemeanor crimes.
- The time between the offense or conduct and/or completion of the sentence. Although no specific time frame was given by the EEOC, case law supports the position that length of time between conviction and employment consideration is probative for assessing applicant risk for a given job.
- The nature of the job held or sought, such as specific job duties, essential functions of the job, how much supervision and interaction takes place, and the overall working environment.
“Ban the Box” provisions.The Ban the Box Act of 2012 (HR 6220) is a bill proposed by Rep. Hansen Clarke (Michigan) on July 26, 2012. “Ban the Box” references the “box” on a job application that candidates must check if they’ve ever been convicted, or in some cases arrested, for a crime. The bill prohibits employers from requiring job applicants to disclose criminal offenses on written employment applications prior to an interview. Hawaii and Massachusetts already “ban the box” by statute on all employment applications, while Connecticut, Minnesota, and New Mexico prohibit its use by state employers. A number of major cities also have enacted “ban the box” laws in recent years to reduce barriers for applicants with criminal records seeking work. Currently such bans are in place in Baltimore, Boston, Chicago, Cincinnati, Detroit, New York, Philadelphia, and San Francisco.
Pre-Employment Medical Inquiry and Drug TestingThe Americans with Disabilities Act of 1990 (ADA) has varying requirements for all stages of the hiring process: prescreening, pre-employment offer, and post-employment offer or conditional offer. However, some state and local laws are more restrictive than the ADA concerning pre-employment, post-offer inquiries. For example, under the Rhode Island Fair Employment Practices Act, it is unlawful prior to employment for an employer to elicit or attempt to elicit any information directly or indirectly pertaining to an applicant’s disability.Generally speaking, however, pre-employment offer, employers may not:
- Require medical examinations;
- Ask disability-related questions;
- Ask about an applicant’s workers’ compensation history;
- Ask how many days an applicant was out sick in a previous job; or
- Ask whether an applicant will need reasonable accommodation on the job.