Few topics are as globally misunderstood, misquoted, misapplied, and misused as privacy. In my experience lecturing auditors, accountants, and corporate counsel on how to detect, deter, and investigate corporate fraud committed by “trusted employees,” I am continually reminded how confusing privacy issues are: Whose rights are being protected, by whom and from whom, and what information is, in fact, “private”? The questions get even more complicated if the information is being sought for purposes of “identification” or “verification.” In these cases, when does the informed consent become relevant? More confusing still: How do the privacy rights of job applicants differ from those of existing employees?
The United States tends to focus privacy concerns primarily on the protection of personal information. Americans do not have an express constitutional right to privacy, unlike free speech, the right to a speedy trial, and the right to bear arms expressly granted in the U.S. Constitution. America’s idea of a right to privacy was first expressed by Samuel Warren and Louis Brandeis as a person’s “right to be let alone” in an 1890 article for the Harvard Law Review, written primarily in response to the increase in newspapers and photographs made possible by printing technologies. Warren and Brandeis’ project was not entirely successful, and the renowned tort expert Dean William Prosser argued in a 1960 article for the California Law Review that “privacy” was composed of four separate torts, the only unifying element of which was a (vague) “right to be left alone.” The four torts identified were (1) appropriating the plaintiff’s identity for the defendant’s benefit, (2) placing the plaintiff in a false light in the public eye, (3) publicly disclosing private facts about the plaintiff, and (4) unreasonably intruding on the seclusion or solitude of the plaintiff.
The U.S. Supreme Court in 1977 first acknowledged a potential constitutional privacy “interest in avoiding disclosure of personal matters” wherein the Court assumed, without deciding, that the Constitution protects an informational privacy interest (Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977); Whalen v. Roe, 429 U.S. 589, 599 (1977)). In 2011 the Court in National Aeronautics & Space Administration v. Nelson (131 S. Ct. at 751) maintained that approach and again assumed, without deciding, that a constitutional right to informational privacy exists, but then held that a public employer conducting an employee background check did not violate that right.
Ultimately, privacy rights in the United States derive from a disjointed collection of constitutional interpretations, statutes, and common law. Further exacerbating the confusion is the fact that statutory privacy laws continue to develop piecemeal as reactions to social demands (much like the 1890 legal journal article), political events, and even Victoria’s Secret catalogs.
Things are quite different in Great Britain and the European Union (EU). Great Britain discusses privacy in its constitution, and the EU views privacy as a human right as outlined in the Convention for the Protection of Human Rights and Fundamental Freedoms. Effective October 1998, the European Union Privacy Directive was an integral part of the EU’s efforts to promote trade liberalization while strengthening data privacy protection within the EU. However, the EU’s Directives become law in member states when ultimately adopted by each state’s legislature or other state administrative institutions, and the Privacy Directive is no exception. The Privacy Directive has been ultimately adopted into law within each member state, albeit in varying formats. This directive, which notably includes exceptions for public security, state security, and criminal law, addresses the processing of all personal data by whatever means and is not limited by business sector or field of use.
In the United States, privacy laws are generally broken down into two areas:
- Laws that apply to actions by the federal, state, and local government (the public sector) and governed by constitutional and statutory law; and
- Laws that apply to actions by everyone else (the private sector) and governed by statutory laws.
Both the public sector and the private sector are subject to common law tort privacy rights. The common denominator in all the privacy cases discussed below is the balancing test that the courts use to weigh the individual’s privacy interest against a particular public (i.e., government) interest. The factors that courts consider in the public’s favor are the importance of the public interest and the precautions taken to safeguard the information. On the individual’s side, the courts look to whether there is a reasonable expectation of privacy and the level of the intrusion on the person.
Job Applicants and Privacy Rights
Clients, be they individual or corporate, often conclude their conversations with “Can he/she/they do that?” Thus begins the process of determining who he/she/they is/are, and in what capacity and context the actor “did” whatever “that” is. When hiring practices and privacy issues are a part of this conversation, it makes the process even more complex—only the highlights can be outlined within the confines of this article.
Do job applicants have fewer privacy rights than employees? Absolutely. According to the plurality of Supreme Court Justices Lewis F. Powell Jr., Warren E. Burger, William Rehnquist, and Sandra Day O’Connor, “Denial of a future employment opportunity is not as intrusive as loss of an existing job’’ (Wygant et al. v. Jackson Board of Education et al., 476 U.S. 267 (1986)). As Judge Henry J. Friendly (a 27-year veteran of the U.S. Court of Appeals for the Second Circuit) noted in the University of Pennsylvania Law Review in 1975, “there is a human difference between losing what one has and getting what one wants.”
Prudent employers should take all legally available means to screen job applicants and verify their character, qualifications, and abilities. Most studies indicate that 53 percent of résumés and job applications contain false information and 78 percent are misleading (tinyurl.com/6lvjc4v). In 2006 RadioShack CEO Dave Edmondson resigned after acknowledging that he lied about academic degrees listed on his résumé and the company’s website. In 2001, after five days on the job, Notre Dame’s football coach George O’Leary resigned when his falsified academic and athletic credentials were discovered. In May 2012 Scott Thompson, the chief executive of Yahoo Inc., stepped down after an activist shareholder flagged a discrepancy on his résumé where he reported a computer science degree he did not have. Indeed, employers’ failure to perform adequate background checks may open the door to costly “negligent hiring” litigation should an employee harm a customer or co-worker when evidence of such behavior could have been discovered prior to the hiring. Therefore, when considering the privacy interests of job applicants and potential employees, as opposed to existing employees, courts more likely defer to employer decisions to collect personal information.
What are the privacy rights of job applicants? Again, this very broad question needs to be distilled even further. First, is it a public employer or a private employer? Is the job applicant a minor, and can the applicant therefore give consent? Precisely what information was accessed, and was it in fact used by the potential employer in the hiring decision? Was the hiring decision made based on race, color, religion, disability, ancestry, sex, age, national origin, sexual orientation, marital status, or familial status? What type of information requires prior express permission from the job applicant in order to be accessed by a potential employer? Did the potential employer or his agent improperly disclose the job applicant’s protected information, and, if so, to whom, in what format, and under what circumstances? Did the potential employer take adverse action or deny employment based on information obtained before extending an offer of employment or after a “conditional offer” of employment? Was the job applicant given all the proper notices and opportunity to explain or dispute erroneous information contained in the prescreening employment check? What information can employers ask on the written job application versus at an employment interview? There is a vast difference between the employer’s accessing job applicant information to be used as a factor in a hiring decision versus unauthorized sharing of or allowing access to the job applicant’s information.
What can private-sector employers consider? The federal rules regarding pre-employment screening or background checks are primarily found within the Fair Credit Reporting Act of 1970 (FCRA), amended effective September 30, 1997, which regulates use of both “consumer reports” and “investigative consumer reports.” At a minimum, employers must conform to these federal rules, as well as state-specific rules where applicable.
With respect to job applicants, the FCRA has two primary goals:
- To ensure that job applicants are explicitly notified of and consent to any background checks that are done when credit, education, military service, and/or medical records are obtained; and
- To ensure that job applicants are given the opportunity to correct any misinformation contained therein before any decisions are made by the employer.
Must the employer disclose why the job applicant was not hired? If the employer decides not to hire the applicant based on information received under the FCRA, even if it is only one of several reasons, the employer must, before taking action, give the applicant a “pre-adverse action disclosure” that includes a copy of the credit report and a copy of a document titled “A Summary of Your Rights Under the Fair Credit Reporting Act.”
After taking action, the employer must give the applicant notice—orally, in writing, or electronically—that action was taken. The employer must include the name, address, and phone number of the consumer reporting agency (CRA) that supplied the report, a statement that the CRA did not make the decision to take the adverse action, and a notice of the applicant’s right to dispute the information’s accuracy. The job applicant has the right to an additional free consumer report from the agency upon request within 60 days. (For more about an employer’s obligations under the FCRA, see tinyurl.com/29ugfjw.)
However, this federal law has two significant and often-used loopholes. First, the employer is not subject to the notice and consent provisions of the FCRA if it conducts the background check itself and does not use a third-party screening company. Second, the employer may opt to tell the rejected job applicant that its adverse decision was not based on the results of the background investigation, but rather that the job applicant pool was so large that its hiring decision was based on the fact that there were individuals far more qualified than the applicant. Either way, the job applicant would not have the ability to obtain a copy of the prescreening report to find out what negative information it contained.
It is important to comply with the FCRA requirements as job applicants and employees may bring private actions against employers for negligent violations of the FCRA. If the employer’s violation is willful, a private right of action exists for actual damages, punitive damages, and costs and reasonable attorney fees. (For more information about an employee’s rights under the FCRA, see tinyurl.com/7kyh44l.)
What Information Is Reviewed by Prospective Employers?
Depending on the specific job, whether the employer is public or private, and the state in which the job and/or employer is located, pre-employment screening may consider the following categories of information (but note that this is by no means a comprehensive list):
- Bankruptcy records
- Character references
- Court records
- Credit records
- Criminal records
- Driving records
- Drug test records
- Education records
- Incarceration records
- Medical records
- Military records
- Neighbor interviews
- Past employers’ references
- Personal references
- Property ownership records
- Publicly available information including open-source data
- Sex offender lists
- Social Security Number
- State licensing records
- Vehicle registration
- Workers’ compensation records
Criminal Record Background Screening
EEOC guidance. Employers’ policies and procedures regarding criminal background checks should be reviewed as a result of the April 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions under Title VII of the Civil Rights Act of 1964, issued by the Equal Employment Opportunity Commission (EEOC; tinyurl.com/75tb3vg). Employers using pre-employment criminal background screening must now provide a solid business reason (job necessity) for making the inquiry. Simply stating the need to provide a safe workplace with trustworthy and productive employees is not enough and may in fact run afoul of Title VII if criminal history information is evaluated differently for applicants versus employees. This does not mean employers should abandon pre-employment criminal records checks altogether, as employers have an obligation to use reasonable care when hiring employees to ensure a safe workplace environment.
The EEOC’s April 2012 position outlines that an employer’s facially neutral policy can have adverse and disparate impact based on prohibited characteristics, such as race and national origin, if the employer rejects an applicant simply because of his/her criminal record. The EEOC states pre-employment screening should be limited to convictions for which the exclusion is “job [or position] related” and is consistent with a “business necessity.”
Arrest vs. conviction records. Note there is an important distinction between arrest records and conviction records—both are included in the vast majority of pre-employment criminal records checks. The EEOC aptly points out that an arrest by itself does not prove that a person engaged in any wrongful conduct, and employers cannot deny employment simply because of an arrest record. Employers must consider the underlying facts and circumstances by providing the applicant the opportunity to explain the conduct in question. Employers are to:
- Notify the applicant that he/she may be excluded because of a criminal conviction or arrest history;
- Provide the applicant an opportunity to explain the underlying facts and circumstances (e.g., the number and type of offenses at issue, age at the time of conviction, evidence that the individual performed the same type of work post-conviction with no known incidents of criminal behavior, rehabilitation efforts, character references, etc.); and
- Consider whether the applicant-provided facts and circumstances warrant an exception to the policy.
Employment can then be denied if the underlying conduct leading to the arrest(s)—but not the arrest itself—renders the candidate “unfit” for the position at issue. The employment decision has to be tied to the applicant’s conduct and not the arrest as the EEOC cites justifiable concerns with the accuracy and relevance of the record evidence of an arrest versus a conviction, noting outdated records and whether the conviction was later expunged.
Looking to the guidance provided in Green v. Missouri Pacific Railroad, 523 F.2d 1290 (8th Cir. 1975), an employer’s evaluation or a criminal or arrest record can meet the requirement of being “job related and consistent with business necessity” by focusing on the following three factors:
- The nature and gravity of the offense or conduct. The employer may look to the specific elements of the crime committed to see if the crime may be associated with the job. In terms of the gravity, an employer would give less weight to misdemeanor crimes.
- The time between the offense or conduct and/or completion of the sentence. Although no specific time frame was given by the EEOC, case law supports the position that length of time between conviction and employment consideration is probative for assessing applicant risk for a given job.
- The nature of the job held or sought, such as specific job duties, essential functions of the job, how much supervision and interaction takes place, and the overall working environment.
“Ban the Box” provisions. The Ban the Box Act of 2012 (HR 6220) is a bill proposed by Rep. Hansen Clarke (Michigan) on July 26, 2012. “Ban the Box” references the “box” on a job application that candidates must check if they’ve ever been convicted, or in some cases arrested, for a crime. The bill prohibits employers from requiring job applicants to disclose criminal offenses on written employment applications prior to an interview. Hawaii and Massachusetts already “ban the box” by statute on all employment applications, while Connecticut, Minnesota, and New Mexico prohibit its use by state employers. A number of major cities also have enacted “ban the box” laws in recent years to reduce barriers for applicants with criminal records seeking work. Currently such bans are in place in Baltimore, Boston, Chicago, Cincinnati, Detroit, New York, Philadelphia, and San Francisco.
Pre-Employment Medical Inquiry and Drug Testing
The Americans with Disabilities Act of 1990 (ADA) has varying requirements for all stages of the hiring process: prescreening, pre-employment offer, and post-employment offer or conditional offer. However, some state and local laws are more restrictive than the ADA concerning pre-employment, post-offer inquiries. For example, under the Rhode Island Fair Employment Practices Act, it is unlawful prior to employment for an employer to elicit or attempt to elicit any information directly or indirectly pertaining to an applicant’s disability.
Generally speaking, however, pre-employment offer, employers may not:
- Require medical examinations;
- Ask disability-related questions;
- Ask about an applicant’s workers’ compensation history;
- Ask how many days an applicant was out sick in a previous job; or
- Ask whether an applicant will need reasonable accommodation on the job.
Post-offer or “conditional employment offer”—but before the applicant has employment—the prospective employer may ask all entering employees in the same job classification disability-related questions and may require medical examinations. An employer may ask about workers’ compensation history, prior sick leave usage, physical and mental health, illnesses, diseases, and impairments, and whether they need reasonable accommodation to perform the job.
Although a job offer may be “conditional” pending the results of post-offer questions and medical examinations, if the employer withdraws the job offer after disability-related questions and medical examinations, the reason for the withdrawal must be “job-related and consistent with business necessity.” Similarly, if the applicant is rejected for safety reasons, the employer must demonstrate that the person poses a “direct threat” to the health and safety of self or others, and that there is no reasonable accommodation that would lower the risk to an acceptable level.
Regarding drug testing for illegal drug use, the EEOC states:
Anyone who is currently using drugs illegally is not protected by the ADA and may be denied employment or fired on the basis of such use. The ADA does not prevent employers from testing applicants or employees for current illegal drug use, or from making employment decisions based on verifiable results. A test for the illegal use of drugs is not considered a medical examination under the ADA; therefore, it is not a prohibited pre-employment medical examination and you will not have to show that the administration of the test is job related and consistent with business necessity.
Social Networks and Publicly Available Information
A quick review of employment and career advice websites reveals a common and growing trend: prospective employers routinely “Google” their job applicants. One 2010 study commissioned by Microsoft found that 78 percent of recruiting and human resources personnel use search engines to evaluate job applicants, and a full 63 percent visit social networking sites as a “routine part of the screening process” (tinyurl.com/96w2a64). The same study found that 70 percent of the hiring officials rejected candidates in light of the information they gleaned from Internet searches—publicly available information that, in many cases, the job applicants themselves have prepared and disseminated online.
Is this practice legal? It generally is, so long as the current or potential employer does not use this information to discriminate on protected grounds, such as race, religion, or gender.
When used for pre-employment screening, is social media information covered by the FCRA? According to the Federal Trade Commission (FTC), it is. On June 12, 2012, in the FTC’s first social media enforcement action, the commission ordered online data broker Spokeo, Inc. to pay an $800,000 settlement. The FTC asserted Spokeo violated the FCRA when it sold job-applicant personal data to prospective employers for job applicant pre-screening decisions. Spokeo had aggregated personally identifiable information from the Internet and public records and created profiles that included, inter alia, age, marital status, contact information, hobbies, ethnicity, religion, interests, events attended, participation on social networking sites, and photos.
A year earlier, in its May 2011 letter to Social Intelligence Corporation, which marketed “a background screening service that enables employers to navigate the complicated landscape of social media with clear, consistent and insightful results,” the FTC made clear that the FCRA rules apply when such reports include personally identifiable social media information. Companies selling background reports that include social-media-derived information must take reasonable steps to maximize the accuracy of what is being reported and from which social networks. These social media information aggregators must also comply with the FCRA requirement to provide copies of reports to applicants and employees, and they must have a process in place for dispute resolution when errors or contested information is contained in a report.
Interestingly, a 2010 study by Technisource (tinyurl.com/8ajnxy8) found that 50 percent of job candidates would not modify/delete content on their social media profiles if they knew a prospective employer was going to review their page as part of the hiring process. This is particularly notable in light of a 2011 report by MyMemory.com that 76 percent of British Facebook users had “some connection with alcohol” in their Facebook photos (tinyurl.com/895ufkh).
Several controversies have arisen as governmental agencies and employers have begun requiring both job applicants and current employees to disclose their nonpublic social media information. For example, Illinois and Virginia law enforcement officials required applicants to “friend” them so they can check private social media sites. These actions prompted Congress and 12 state legislatures to propose legislation preventing employers and schools from making decisions based on the private content of social media sites. In April 2012 Maryland became the first state to pass such legislation when it passed SB 433/ HB 964, prohibiting
an employer from requesting or requiring that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through specified electronic communications devices; prohibiting an employer from taking, or threatening to take, specified disciplinary actions for an employee’s refusal to disclose specified password and related information; prohibiting an employee from downloading specified information or data; etc.
As of September 2012, legislation was still pending in committees in the U.S. Congress, California, Delaware, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina, and Washington. Senators Richard Blumenthal (Connecticut) and Charles Schumer (New York) have requested that the EEOC and the Department of Justice investigate whether employers’ coercive demands violate federal anti-discrimination laws or computer statutes prohibiting unauthorized access.
Privacy issues as they relate to prescreening employment background investigations may include a wide range of information: employment and salary history, credit reports, criminal records, and information derived from open sources such as social media data. It is important to note that privacy laws involve not only how one may “use” personally identifiable information, but often more importantly, how that information is initially obtained or accessed. Employers should review their hiring policies and practices, particularly in light of the recent decisions and policy changes. Prescreening and employment policies should include a social media policy and criminal records considerations, and employers must ensure that the processes are supported by the requirements of the job duties. When adverse employment decisions are considered, job applicants must be given adequate notice and due process as required by applicable federal, state, and local laws.