Not a Member? Get access to HR news and resources that you can trust.
Standing desks and other innovative workstations can help counterbalance the negative health effects of sitting.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
Elevate Your Talent Strategy. Join us in Chicago, IL – April 24-26, 2017.
It’s a new year, but out with the old and in with the new isn’t always the best document retention strategy for background screening reports and related information.
Here are some document retention and destruction best practices for employers who receive and use consumer report information as part of their hiring process.
Retention of Background Screening Information
“Employers should retain consumer reports (i.e., background check reports) and related information for at least five years after the date of the consumer report, which is the statute of limitations in the Fair Credit Reporting Act (FCRA),” according to Seyfarth Shaw, LLP, attorney Pamela Devata.
In addition, “employers that conduct on-going screening of current employees should also retain records through the tenure of their employment or five years from the date of the consumer report or whichever is greater,” she recommended.
Many federal laws, regulations and advisory opinions address proper retention of records as they relate to the private sector. The Federal Trade Commission (FTC), however, has not provided specific retention recommendations or requirements relating to consumer reports. Refer to the company’s HR legal counsel or current FTC regulations for changes in guidance and the law.
Documents to Retain
When examining what should be retained relating to background checks, employers need to consider not only the final consumer report as part of their retention strategy, but also any information and documentation that related to the consumer report.
Documentation such as signed authorizations—hard copy and electronic—and communications in regards to information for the consumer report should be retained. It is best practice for employers to have as much information as possible so that they have the ability to recreate timelines and ongoing communications on a particular consumer report if required in the future.
Remember that many states or other entities require certain certifications or signed authorizations that may be audited. For example, a state may request an audit to confirm that proper authorizations were collected to conduct motor vehicle records checks.
Even periodic audits by a national credit bureau may be conducted to confirm that an employer is accessing credit reports for permissible purpose and with proper authorization.
Since technological advancements have made electronic signatures a valid authorization tool, companies need to confirm that they can properly maintain and accurately reproduce the signature if audited, as storage of an electronic signature can be tricky.
Employers must be able to obtain and provide the signature if either they or their consumer reporting agency is audited. The FCRA Section 604(b)(1) only requires background screening firms or consumer reporting agencies to have an employer sign a blanket certification to confirm and certify that the company is using consumer reports for permissible purposes.
Maintaining a proper and specific authorization from the consumer (i.e., applicant/employee) for each report is the sole responsibility of the employer. Consequently, employers should talk with their background screening firm to specifically discuss the details of who is retaining what information.
Following is a list of items that should be retained:
Consumer reports and any amendments/revisions.
Dates of reports.
Signed authorizations—both hard copy and/or electronic.
A log of all communications by the applicant or employee relating to any consumer report.
A log of all mailings to and from the applicant or employee.
A log of all faxes to or from the applicant or employee.
A log of all e-mails regarding a consumer report or in reference of such.
Receipt of all disputes.
Conclusion of each dispute process.
All preadverse and adverse action letters.
Document Storage How-Tos
Consumer reports kept on file may contain personally identifiable information. This could include the applicant’s or employee’s full name, address, birth date, Social Security number or driver’s license number, passport information or even credit or debit card account numbers.
A company could be put in extreme legal risk if this information is obtained by an unauthorized user or stolen for identity theft purposes. That’s why it’s critical that this information is safeguarded.
Hard copy information can be kept within official personnel files; however, access should be given only to decision-makers and authorized users on a need-to-know basis, and all files should be under secured lock and key.
Scanning the information and storing it electronically is an option, as items can always be printed when necessary.
Remember that stored electronic information should be encrypted and only be available to authorized personnel. Employers should never disseminate information over unsecured means, such as general e-mail or unsecured fax. It is always best practice to blackout or cover up sensitive or personally identifiable information whenever possible, and truncate the Social Security number so only some of the digits are displayed at any time.
For additional security and as a matter of standard best practice, never leave data on a laptop or travel with unprotected data. Employers also should have a strict password policy in place when protecting consumer information and change the password periodically to enhance security. Be aware that data breach legislation is at the top of many state and federal legislative agendas.
File Security, Document Destruction
The provisions of the Fair and Accurate Credit Transaction Act of 2003 (FACTA) relating to proper document destruction became effective June 1, 2005. The terms of FACTA, however, are general and left for interpretation in many areas.
Section 216 of FACTA requires employers and covered entities to take “reasonable measures” to secure information pertaining to or derived from a “consumer report” and to prevent sensitive or financial or personal data from falling into the hands of identity thieves or others with unauthorized access.
FACTA basically covers any information derived from a consumer report that could pertain to applicants, current employees, former employees, customers, vendors or even business investigations.
The term “reasonable measures” is broad and designed to be obtainable by all companies regardless of size. All data formats, including paper and electronic, are covered under the regulation. The term “reasonable measures” could differ depending on the use of consumer reports and the infrastructure and size of an organization.
Following are considerations for maintaining proper file security and document destruction strategies:
Always properly secure consumer information. Do not allow information in hard copy or electronic format to be openly available and visible within the entire office and workspace.
Secure all documents from outside vendors and contractors and any unauthorized personnel.
Never discard consumer reports, or information related to such, into the general office garbage.
When the designated timeframe for destruction of files has been reached, always place consumer reports and any supporting documentation in secured and locked garbage/recycle containers that only authorized personnel can access.
Use a certified or reputable document destruction firm to carry out the functions of proper paper and electronic document destruction.
Audit and test the company’s destruction policy on a regular basis.
Continually train and update staff on proper destruction strategies and policies.
Following best practices for proper retention and destruction of consumer reports can protect applicant and employee privacy, reduce identity theft and security breaches and still provide access to critical and confidential information when necessary.
These are all important aspects to consider when protecting a company and its current and potential employees.
Editor’s note: This article should not be construed as legal advice or counsel.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Exam Late Application Deadline: April 14
SHRM’s HR Vendor Directory contains over 3,200 companies