FTC Reviews Background Check Disposal Rule

By Roy Maurer Sep 16, 2016

The regulation requiring employers to properly dispose of sensitive information derived from background checks is up for review.

The Federal Trade Commission (FTC) is seeking public comment on its "disposal rule," which took effect in 2005. The rule applies to background checks and information derived from background checks, as well as to the background screening companies that provide these reports and the employers that use them.

HR and others who use employment screens for business purposes have until Nov. 21 to weigh in on the economic impact and benefits of the rule, how it can be modified, and possible conflicts with other laws. They may also give input as to whether the definition of "consumer information" that should be disposed of should be expanded to include aggregate information or blind data that "can be reasonably linked to an individual in light of changes in relevant technology or market practices," according to the FTC.

To keep the information from background checks "out of the hands of hackers, dumpster divers and data thieves, and thereby reduce the risk of fraud and identity theft, the disposal rule requires that you take reasonable measures to ensure secure disposal," said Lesley Fair, a senior attorney with the FTC.

Those covered by the rule can determine what measures are "reasonable" based on the sensitivity of the information, the costs and benefits of different disposal methods, and continual changes in technology.

However, the agency also outlines specific disposal methods in the rule, said Montserrat Miller, a partner in the Washington, D.C., office of law firm Arnall Golden Gregory. "They must be shredded, burned or pulverized if in hard copy. If electronically stored, the electronic record should be wiped so that it cannot be reconstructed or recreated."

The FTC recommends that companies apply due diligence when hiring a document destruction contractor to dispose of employment screening information, including by:

  • Reviewing an independent audit of the disposal company's operations and its compliance with the disposal rule.
  • Obtaining information about the disposal company from several references.
  • Requiring that the disposal company be certified by a recognized trade association.
  • Reviewing and evaluating the disposal company's information security policies or procedures.

To comment on the disposal rule, use the FTC's comment form by Nov. 21.


Job Finder

Find an HR Job Near You
Post a Job

HR Professional Development Education in a City Near You

SHRM Seminars are coming to cities across the US this fall.

Find a Seminar


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect