Who can have access to Background Check results?
ClaudiaD
2 Posts
We are a construction company with the headquarter office in Florida and multiple sites throughout the US. We've recently had an applicant fail a background check in Texas. The VP at the Texas office wants access to the background check site so they can get the information on applicants. We as HR don't want them to have access but I can't find anything legally to provide to them as to why we're not giving them access. I've checked with the company conducting the background checks and they said it was up to our discretion. How do you recommend this is handled and what would be a good response to the Texas VP? Thank you.
Comments
I've responded via e-mail to your Ask the Expert question on this issue and thought I would also share my response here, just in case others are encountering similar issues and/or would like to provide additional feedback or suggestions.
Your concerns about extending access to these sensitive records are quite valid. As you have noted, applicable law does not specifically state which staff may (and may not) review the results of a background check; however, as a best practice, access to employee and applicant records should be limited to those with a legitimate business reason for access. There are numerous reasons for this.
First, it is far easier to apply a strict access policy fairly and evenly across the board. When access to personnel records is restricted, for example, solely to HR staff (and, upon proper request, the employee), this is an airtight, foolproof policy to implement. Once exceptions are made and additional parties are granted access—supervisors, company officers, third party vendors, etc.—then it becomes more difficult to authoritatively deny further access to subsequent requests. In other words, you may run into a situation where access to records is less based on actual business needs, and more because “So-and-So has access, so I feel that I should, too.” This can lead to the problems discussed below, particularly where sensitive and confidential records are concerned.
Second, a strict access policy is an important protection against actual or alleged discrimination. In this situation, the applicant has failed a background check and necessary action has been taken by the HR department—the department with specific training in how to appropriately and legally review, consider, and document actions taken related to information in an applicant’s background check.
If the applicant were to later claim that he or she were discriminated against based on information from that background check, then the only department that would be required to defend against that claim would be the HR department. No other staff had access to the background check, so they could not have improperly used information in that background check to make an unlawful hiring decision. As noted, the HR department is well-trained in which information can (and cannot) be considered at each stage of the hiring process. The HR department is also diligent about proper documentation of potentially problematic employment actions. Other staff—even those at the executive level—may not be trained on these details, particularly when multi-state laws are considered. Therefore, granting access to this information to additional staff can subject the employer to greater chance of liability for discrimination and other employment claims, plus it can make the defense against such claims more time-consuming and complex (and expensive).
Along these lines, and perhaps of greatest interest to your VP, there is also the possibility that liability for wrongful employment actions can be (and has been) extended to individuals who, based on their level of control over the employment relationship, may be deemed an “employer” or an extension of the employer. This article details one recent case where an HR director may be held individually liable for FMLA violations.
Thus, preventing the VP from having access to records that do not pertain to his or her area of business expertise is also a means of shielding him or her from potential legal liability. (Similarly, each person in the HR department would not need to have unrestricted access to the company’s bank records—these records are best restricted to those personnel with a business reason and appropriate training for working with them safely, securely, and legally.)
Finally, restricting access to employee records is important for data security, as it limits the number of people who could be the source of a data breach (whether intentional or unintentional). If the only individuals with access to employee records are those in HR, then it is much easier to determine the source of any data leaks and, if necessary, to change access passwords when employees with that access leave the company.
Essentially, employee and applicant records are akin to the “bank records” of the HR department. Without a specific request and demonstrated business need to know what is in those records, it is in the company’s best interest to limit access to as few employees as possible—yes, even if those requesting access are at the executive level.
With this in mind, if the VP (or other staff) has a specific business reason for access to or a copy of a specific individual’s record, then this may be something your department can provide on a case-by-case basis (and while taking appropriate security measures to redact any sensitive information such as SSN). However, your hesitation to provide unrestricted access to the entire account of background checks is legally sound and practical.
Thanks again for your question and your post!