The Background Check Authority ®

Employment Screening Resources® (ESR)
Privacy Policy

Privacy Information

Privacy Policy: Employment Screening Resources® (ESR) is a Consumer Reporting Agency (CRA) that prepares consumer reports for authorized employers under the provisions of the federal Fair Credit Reporting Act (FCRA). The ESR privacy policy is very simple: ESR only collects applicant data pursuant to a written Authorization and Disclosure under the FCRA, and only disseminates consumer reports to employers as directed in that written authorization. In other words, data is only collected and distributed at the direction and with the authorization of consumers. The data is maintained on a secured site. ESR maintains strict policies and procedures in all aspects of its operation to protect the privacy of consumers.

NOTE: ESR does NOT send U.S. applicant information outside of the U.S. for processing. Once data leaves the U.S., the data is beyond the reach of U.S. privacy laws and there are no meaningful privacy protections. ESR believes that firms that send data outside the U.S. put applicants and employers at great risk, for no other reason than to make a little more money. In some countries, it is a well-known fact that U.S. identities are stolen and used for identity theft. As a practical matter, someone in the U.S. has no ability to hire a lawyer in a foreign country to pursue legal action or to contact a foreign police authority to get any action taken. The only exception is where ESR is asked to perform an international verification and the information resides outside of the U.S. Even in that situation, ESR goes to great lengths to protect applicant data by going directly to the school or employer. If it is necessary to have a researcher do research in a foreign country, ESR only releases the minimum information absolutely necessary.

ESR strongly advises all employers to ask a screening firm if they send data outside of the U.S. and to seriously consider the dangers to their hiring processes and to their applicants.

  1. This web site collects personally identifiable information online from individuals in the following ways:
     a. A potential customer has the opportunity to e-mail this site in order to obtain information about our services. Any information given to this site is completely under the control of the third party who chooses to provide it.
     b. A person may choose to sign up for a newsletter that explicitly requires opt-in. Each newsletter gives a person the ability to opt out very easily by hitting a button at the bottom of each newsletter.
  2. This site does not engage in any passive information-collection techniques.
  3. No information provided to this site through e-mail or any other method is ever released, utilized or shared with anyone else, including, but not limited to, third parties or affiliates.
  4. The ESRnet online system is a separate web site that is only available to ESR customers and is utilized as a means for ESR to receive orders from authorized employers and to transmit information to and from authorized users. However, all such usage is strictly between ESR and business entities whose legitimate need for the information and permissible purpose has been verified pursuant to section 607(a) of the FCRA, which states:
     (a) Identity and purposes of credit users. Every consumer reporting agency shall maintain reasonable procedures designed to avoid violations of section 605 [§ 1681c] and to limit the furnishing of consumer reports to the purposes listed under section 604 [§ 1681b] of this title. These procedures shall require that prospective users of the information identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report. No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 604.
  5. All data on the ESR system is protected by secure access, ensuring "for-your-eyes-only" data exchange. Viewing of information is restricted to the users and customers that should have it, using state-of-the-art security, including 128-bit SSL encryption and strong password protection. Our software has been certified by SecureWorks, which is an approved third-party certification agency for the major credit bureaus for the purpose of online retrieval, transmittal and storage of credit information. Physical security of servers is state of the art and has been audited by third parties. The privacy and integrity of all information is fully protected. All employees who have access to any information from this site have signed privacy agreements and are regularly trained in privacy practices and procedures. ESR maintains a Written Information Security Policy (WISP) in conformity with Massachusetts requirements under 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. In the event of a data breach, ESR acts in conformity with the applicable data breach laws.
  6. Information is retained pursuant to the FCRA for a minimum of six (6) years. The method for a consumer to opt out of ESR obtaining information is to not consent to a pre-employment background screening with a prospective or current employer. Once a consumer has consented to such a screening, ESR must retain information on file for U.S. residents for the six (6) year period.
  7. Any consumer may exercise their right to inspect any data about them and to object to any data pursuant to the FCRA and applicable state law. See "A Summary of Your Rights" prepared by the Consumer Financial Protection Bureau (CFPB). Also, learn about your right to request a copy of your data on the FACT Act Compliance page.
  8. Any questions or concerns about privacy should be directed to customerservice@esrcheck.com. ESR will make all reasonable efforts to address a consumer's concerns. If the matter cannot be resolved by ESR, then a consumer has additional rights. See "A Summary of Your Rights."
  9. Upon request, a consumer may also obtain a copy of this ESR Privacy Policy or ask questions by mail by sending a request to: Chief Information Security Officer, Employment Screening Resources, 7110 Redwood Blvd., Ste C, Novato, CA 94945.
  10. In the event ESR destroys any information provided by employers, applicants, or third parties during the course of its work, the destruction is accomplished in accordance with the approved document disposal rules formulated by the Federal Trade Commission (FTC). For more information, read the FTC Alert 'Disposing of Consumer Report Information? New Rule Tells How'.
  11. ESR reserves the right to modify or change its privacy policy. All such changes will be posted on this page.

Personal Information Disclosure: United States or Overseas

Employment Screening Resources (ESR) opposes the “offshoring” of Personally Identifiable Information (PII) of consumers – such as names, dates of birth, and Social Security numbers (SSNs) – sent overseas outside of the United States and its territories and beyond the protection of U.S. Privacy laws. ESR’s mission is to protect the PII of consumers, which is best done by keeping all such information in the United States.

Employment Screening Resources does not transmit, share, or transfer personal and identifiable information outside the United States or its territories for the purposes of processing or preparing consumer reports. The sole exception occurs where there is a request for an international background check and the information needed for the report is located outside of the U.S. or its territories. Even in that situation, ESR does not transfer personal information unless absolutely required, and would only transfer the minimum information needed to prepare the report.

ESR belongs to ConcernedCRAs (http://www.concernedcras.com/), a group of Consumer Reporting Agencies (CRAs) dedicated to protecting consumer privacy by not offshoring PII. ESR has adopted the policy of ConcernedCRAs and operates as follows:

  1. Domestic Background Screening: Where a CRA (background screening firm) is providing background screening services for consumers in the United States based upon information available in the U.S., a firm displaying the ConcernedCRAs seal certifies that it does not send data outside the U.S. or its territories for processing or preparation of a background check report or for any other reason. All work is done in the U.S.
  2. International Screening: Where there is an international background check for verification of employment, education, or a professional degree, or for a criminal record check, some information may have to go offshore by necessity, since the information being sought is offshore. However, firms displaying the ConcernedCRAs seal have taken measures to protect personal and confidential data:
     a. Documentation or information such as passport numbers, unique identification numbers and date of birth are not sent to anyone overseas other than the actual verification provider (e.g. employer or school registrar) whenever possible.
     b. Where it is necessary to utilize a local firm, the local firm will first be asked to provide local contact information so that the CRA can contact the foreign verifying party directly.
     c. If, due to infrastructure or other issues in a foreign country, a foreign research firm must perform the verification, then the CRA or its agent has properly vetted the local firm and will redact any unnecessary information.
  3. Where a CRA utilizes a third-party service to perform domestic or international services in connection with providing background reports, firms that have adopted this standard have made reasonable inquiries to ensure that any provider is also following the ConcernedCRAs standard.

If you have any questions about this offshoring policy, or any other aspect of the ESR privacy policy, you may contact the ESR Chief Privacy Officer, James Crocket, by any of the following means:

E-mail: Privacy@esrcheck.com
Address: 7110 Redwood Blvd., Ste C, Novato, CA 94945
Phone: 415-898-0044

How Consumers Dispute Information in a Consumer Report

If consumers are the subject of a consumer report prepared by Employment Screening Resources (ESR) and find incorrect or incomplete information, they have the right under federal law to dispute it. Consumers may contact ESR by calling 888-999-4474 and asking to speak with a Dispute Resolution Specialist. For more information, visit http://www.esrcheck.com/Resource-Center/How-To-Dispute-Consumer-Report/.

The following link will take consumers to the document 'A Summary of Your Rights Under the Federal Fair Credit Reporting Act': http://www.esrcheck.com/file/CFPB_Summary-of-Rights-Under-FCRA.pdf.

Safe Harbor Provisions of Privacy Policy

Employment Screening Resources (ESR) complies with the U.S.-European Union (EU) Safe Harbor Framework and the U.S.-Switzerland Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Employment Screening Resources (ESR) has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view the Employment Screening Resources (ESR) certification, please visit http://www.export.gov/safeharbor/.

Frequently Asked Questions (FAQs) for U.S.-EU and U.S.-Switzerland Safe Harbor Framework

1. Sensitive Data

Must an organization always provide explicit (opt in) choice with respect to sensitive data?

No, such choice is not required where the processing is: (1) in the vital interests of the data subject or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; (5) necessary to carry out the organization's obligations in the field of employment law; or (6) related to data that are manifestly made public by the individual.

2. Journalistic Exceptions

Given U.S. constitutional protections for freedom of the press and the Directive's exemption for journalistic material, do the Safe Harbor Principles apply to personal information gathered, maintained, or disseminated for journalistic purposes?

Where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing of these interests with regard to the activities of U.S. persons or organizations. Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Safe Harbor Principles.

3. Secondary Liability

Are Internet service providers (ISPs), telecommunications carriers, or other organizations liable under the Safe Harbor Principles when on behalf of another organization they merely transmit, route, switch or cache information that may violate their terms?

No. As is the case with the Directive itself, the safe harbor does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable.

4. Investment Banking and Audits

The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. Under what circumstances is this permitted by the Notice, Choice, and Access Principles?

Investment bankers or auditors may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of companies' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors.

5. The Role of Data Protection Authorities

How will companies that commit to cooperate with European Union or Switzerland Data Protection Authorities (DPAs) make those commitments and how will they be implemented?

Under the safe harbor, U.S. organizations receiving personal data from the EU or Switzerland must commit to employ effective mechanisms for assuring compliance with the Safe Harbor Principles. More specifically as set out in the Enforcement Principle, they must provide (a) recourse for individuals to whom the data relate, (b) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true, and (c) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations. An organization may satisfy points (a) and (c) of the Enforcement Principle if it adheres to the requirements of this FAQ for cooperating with the DPAs.

An organization may commit to cooperate with the DPAs by declaring in its safe harbor certification to the Department of Commerce (see FAQ on self-certification) that the organization:

  1. Elects to satisfy the requirement in points (a) and (c) of the Safe Harbor Enforcement Principle by committing to cooperate with the DPAs;
  2. Will cooperate with the DPAs in the investigation and resolution of complaints brought under the safe harbor; and
  3. Will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Safe Harbor Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.

The cooperation of the DPAs will be provided in the form of information and advice in the following way:

The advice of the DPAs will be delivered through an informal panel of DPAs established at the European Union or Switzerland level, which will inter alia help ensure a harmonised and coherent approach.

The panel will provide advice to the U.S. organizations concerned on unresolved complaints from individuals about the handling of personal information that has been transferred from the EU or Switzerland under the safe harbor. This advice will be designed to ensure that the Safe Harbor Principles are being correctly applied and will include any remedies for the individual(s) concerned that the DPAs consider appropriate.

The panel will provide such advice in response to referrals from the organizations concerned and/or to complaints received directly from individuals against organizations which have committed to cooperate with DPAs for safe harbor purposes, while encouraging and if necessary helping such individuals in the first instance to use the in-house complaint handling arrangements that the organization may offer.

Advice will be issued only after both sides in a dispute have had a reasonable opportunity to comment and to provide any evidence they wish. The panel will seek to deliver advice as quickly as this requirement for due process allows. As a general rule, the panel will aim to provide advice within 60 days after receiving a complaint or referral and more quickly where possible.

The panel will make public the results of its consideration of complaints submitted to it, if it sees fit.

The delivery of advice through the panel will not give rise to any liability for the panel or for individual DPAs.

As noted above, organizations choosing this option for dispute resolution must undertake to comply with the advice of the DPAs. If an organization fails to comply within 25 days of the delivery of the advice and has offered no satisfactory explanation for the delay, the panel will give notice of its intention either to submit the matter to the Federal Trade Commission or other U.S. federal or state body with statutory powers to take enforcement action in cases of deception or misrepresentation, or to conclude that the agreement to cooperate has been seriously breached and must therefore be considered null and void. In the latter case, the panel will inform the Department of Commerce (or its designee) so that the list of safe harbor participants can be duly amended. Any failure to fulfill the undertaking to cooperate with the DPAs, as well as failures to comply with the Safe Harbor Principles, will be actionable as a deceptive practice under Section 5 of the FTC Act or other similar statute.

Organizations choosing this option will be required to pay an annual fee which will be designed to cover the operating costs of the panel, and they may additionally be asked to meet any necessary translation expenses arising out of the panel's consideration of referrals or complaints against them. The annual fee will not exceed $500 and will be less for smaller companies.

The option of co-operating with the DPAs will be available to organizations joining the safe harbor during a three-year period. The DPAs will reconsider this arrangement before the end of that period if the number of U.S. organizations choosing this option proves to be excessive.

6. Self-Certification

How does an organization self-certify that it adheres to the Safe Harbor Principles?

Safe harbor benefits are assured from the date on which an organization self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth below.

To self-certify for the safe harbor, organizations can provide to the Department of Commerce (or its designee) a letter, signed by a corporate officer on behalf of the organization that is joining the safe harbor, that contains at least the following information:

  1. Name of organization, mailing address, email address, telephone and fax numbers;
  2. Description of the activities of the organization with respect to personal information received from the EU or Switzerland; and
  3. Description of the organization's privacy policy for such personal information, including:
     a. where the privacy policy is available for viewing by the public,
     b. its effective date of implementation,
     c. a contact office for the handling of complaints, access requests, and any other issues arising under the safe harbor,
     d. the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the annex to the Principles),
     e. name of any privacy programs in which the organization is a member,
     f. method of verification (e.g. in-house, third party)*, and
     g. the independent recourse mechanism that is available to investigate unresolved complaints.

Where the organization wishes its safe harbor benefits to cover human resources information transferred from the EU or Switzerland for use in the context of the employment relationship, it may do so where there is a statutory body with jurisdiction to hear claims against the organization arising out of human resources information that is listed in the annex to the Principles. In addition the organization must indicate this in its letter and declare its commitment to cooperate with the EU or Switzerland authority or authorities concerned in conformity with FAQ – Human resources and FAQ – Data Protection as applicable and that it will comply with the advice given by such authorities.

The Department (or its designee) will maintain a list of all organizations that file such letters, thereby assuring the availability of safe harbor benefits, and will update such list on the basis of annual letters and notifications received pursuant to FAQ – Dispute Resolution. Such self-certification letters should be provided not less than annually. Otherwise the organization will be removed from the list and safe harbor benefits will no longer be assured. Both the list and the self-certification letters submitted by the organizations will be made publicly available. All organizations that self-certify for the safe harbor must also state in their relevant published privacy policy statements that they adhere to the Safe Harbor Principles.

The undertaking to adhere to the Safe Harbor Principles is not time-limited in respect of data received during the period in which the organization enjoys the benefits of the safe harbor. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the safe harbor for any reason.

An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of Commerce (or its designee) of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (1) continue to be bound by the Safe Harbor Principles by the operation of law governing the takeover or merger or (2) elect to self-certify its adherence to the Safe Harbor Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Safe Harbor Principles. Where neither (1) nor (2) applies, any data that has been acquired under the safe harbor must be promptly deleted.

An organization does not need to subject all personal information to the Safe Harbor Principles, but it must subject to the Safe Harbor Principles all personal data received from the EU or Switzerland after it joins the safe harbor.

Any misrepresentation to the general public concerning an organization's adherence to the Safe Harbor Principles may be actionable by the Federal Trade Commission or other relevant government body. Misrepresentations to the Department of Commerce (or its designee) may be actionable under the False Statements Act (18 U.S.C. § 1001).

7. Verification

How do organizations provide follow up procedures for verifying that the attestations and assertions they make about their safe harbor privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Safe Harbor Principles?

To meet the verification requirements of the Enforcement Principle, an organization may verify such attestations and assertions either through self-assessment or outside compliance reviews.

Under the self-assessment approach, such verification would have to indicate that an organization's published privacy policy regarding personal information received from the EU or Switzerland is accurate, comprehensive, prominently displayed, completely implemented and accessible. It would also need to indicate that its privacy policy conforms to the Safe Harbor Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment should be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance.

Organizations should retain their records on the implementation of their safe harbor privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction.

Where the organization has chosen outside compliance review, such a review needs to demonstrate that its privacy policy regarding personal information received from the EU or Switzerland conforms to the Safe Harbor Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys," or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed should be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance.

8. Access

ACCESS PRINCIPLE:

Individuals must have access to personal information about them that an organization holds and be able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the legitimate rights of persons other than the individual would be violated.

Is the right of access absolute?

No. Under the Safe Harbor Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. Nonetheless, the obligation of an organization to provide access to the personal information it holds about an individual is subject to the principle of proportionality or reasonableness and has to be tempered in certain instances. Indeed, the Explanatory Memorandum to the 1980 OECD Privacy Guidelines makes clear that an organization's access obligation is not absolute. It does not require the exceedingly thorough search mandated, for example, by a subpoena, nor does it require access to all the different forms in which the information may be maintained by the organization.

Rather, experience has shown that in responding to individuals' access requests, organizations should first be guided by the concern(s) that led to the requests in the first place. For example, if an access request is vague or broad in scope, an organization may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. The organization might inquire about which part(s) of the organization the individual interacted with and/or about the nature of the information (or its use) that is the subject of the access request. Individuals do not, however, have to justify requests for access to their own data.

Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable. For example, if the information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then consistent with the other provisions of these FAQs, the organization would have to disclose that information even if it is relatively difficult or expensive to provide.

If the information requested is not sensitive or not used for decisions that will significantly affect the individual (e.g., non-sensitive marketing data that is used to determine whether or not to send the individual a catalog), but is readily available and inexpensive to provide, an organization would have to provide access to factual information that the organization stores about the individual. The information concerned could include facts obtained from the individual, facts gathered in the course of a transaction, or facts obtained from others that pertain to the individual.

Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be denied in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries.

What is confidential commercial information and may organizations deny access in order to safeguard it?

Confidential commercial information (as that term is used in the Federal Rules of Civil Procedure on discovery) is information which an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market. The particular computer program an organization uses, such as a modeling program, or the details of that program may be confidential commercial information. Where confidential commercial information can be readily separated from other information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. Organizations may deny or limit access to the extent that granting it would reveal its own confidential commercial information as defined above, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another where such information is subject to a contractual obligation of confidentiality in circumstances where such an obligation of confidentiality would normally be undertaken or imposed.

In providing access, may an organization disclose to individuals personal information about them derived from its databases, or is access to the database itself required?

Access can be provided in the form of disclosure by an organization to the individual and does not require access by the individual to an organization's database.

Does an organization have to restructure its databases to be able to provide access?

Access needs to be provided only to the extent that an organization stores the information. The access principle does not itself create any obligation to retain, maintain, reorganize, or restructure personal information files.

These replies make clear that access may be denied in certain circumstances. In what other circumstances may an organization deny individuals access to their personal information?

Such circumstances are limited, and any reasons for denying access must be specific. An organization can refuse to provide access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are:

An organization which claims an exception has the burden of demonstrating its applicability (as is normally the case). As noted above, the reasons for denying or limiting access and a contact point for further inquiries should be given to individuals.

Can an organization charge a fee to cover the cost of providing access?

Yes. The OECD Guidelines recognize that organizations may charge a fee, provided that it is not excessive. Thus organizations may charge a reasonable fee for access. Charging a fee may be useful in discouraging repetitive and vexatious requests.

Organizations that are in the business of selling publicly available information may thus charge the organization's customary fee in responding to requests for access. Individuals may alternatively seek access to their information from the organization that originally compiled the data.

Access may not be refused on cost grounds if the individual offers to pay the costs.

Is an organization required to provide access to personal information derived from public records?

To clarify first, public records are those records kept by government agencies or entities at any level that are open to consultation by the public in general. It is not necessary to apply the Access Principle to such information as long as it is not combined with other personal information, apart from when small amounts of non-public record information are used for indexing or organizing public record information. However, any conditions for consultation established by the relevant jurisdiction are to be respected. Where public record information is combined with other non-public record information (other than as specifically noted above), however, an organization must provide access to all such information, assuming it is not subject to other permitted exceptions.

Does the Access Principle have to be applied to publicly available personal information?

As with public record information (see the preceding question), it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information.

How can an organization protect itself against repetitious or vexatious requests for access?

An organization does not have to respond to such requests for access. For these reasons, organizations may charge a reasonable fee and may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information.

How can an organization protect itself against fraudulent requests for access?

An organization is not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request.

Is there a time within which responses must be provided to access requests?

Yes, organizations should respond without excessive delay and within a reasonable time period. This requirement may be satisfied in different ways as the explanatory memorandum to the 1980 OECD Privacy Guidelines states. For example, a data controller who provides information to data subjects at regular intervals may be exempted from obligations to respond at once to individual requests.

9. Human Resources

Is the transfer from the EU or Switzerland to the United States of personal information collected in the context of the employment relationship covered by the safe harbor?

Yes, where a company in the EU or Switzerland transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the safe harbor, the transfer enjoys the benefits of the safe harbor. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country or Switzerland where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected.

The Safe Harbor Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data does not raise privacy concerns.

How do the Notice and Choice Principles apply to such information?

A U.S. organization that has received employee information from the EU or Switzerland under the safe harbor may disclose it to third parties and/or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees.

It should be noted that certain generally applicable conditions for transfer from some Member States may preclude other uses of such information even after transfer outside the EU or Switzerland and such conditions will have to be respected.

In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.

To the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice.

How does the Access Principle apply?

The FAQs on access provide guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union or Switzerland must comply with local regulations and ensure that European Union or Switzerland employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The safe harbor requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU or Switzerland employer.

How will enforcement be handled for employee data under the Safe Harbor Principles?

In so far as information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the company in the EU or Switzerland. It follows that, where European Union or Switzerland employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employee works. This also includes cases where the alleged mishandling of their personal information has taken place in the United States, is the responsibility of the U.S. organization that has received the information from the employer and not of the employer and thus involves an alleged breach of the Safe Harbor Principles, rather than of national laws implementing the Directive. This will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law.

A U.S. organization participating in the safe harbor that uses EU or Switzerland human resources data transferred from the European Union or Switzerland in the context of the employment relationship and that wishes such transfers to be covered by the safe harbor must therefore commit to cooperate in investigations by and to comply with the advice of competent EU or Switzerland authorities in such cases. The DPAs that have agreed to cooperate in this way will notify the European Commission or the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland and the Department of Commerce. If a U.S. organization participating in the safe harbor wishes to transfer human resources data from a Member State where the DPA has not so agreed, the provisions of FAQ – Data Protection will apply.

10. Article 17 contracts

When data is transferred from the EU or Switzerland to the United States only for processing purposes, will a contract be required, regardless of participation by the processor in the safe harbor?

Yes. Data controllers in the European Union or Switzerland are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU or Switzerland. The purpose of the contract is to protect the interests of the data controller, i.e. the person or body who determines the purposes and means of processing, who retains full responsibility for the data vis-à-vis the individual(s) concerned. The contract thus specifies the processing to be carried out and any measures necessary to ensure that the data are kept secure.

A U.S. organization participating in the safe harbor and receiving personal information from the EU or Switzerland merely for processing thus does not have to apply the Principles to this information, because the controller in the EU or Switzerland remains responsible for it vis-à-vis the individual in accordance with the relevant EU or Switzerland provisions (which may be more stringent than the equivalent Safe Harbor Principles).

Because adequate protection is provided by safe harbor participants, contracts with safe harbor participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the Member States) as would be required for contracts with recipients not participating in the safe harbor or otherwise not providing adequate protection.

If you have any questions regarding this policy, please contact ESR (See Contact page). For a copy of this policy, print this web page.


Safe Hiring Manual
Services Performed in the USA
Member of Concerned CRAs
Certified with the National Association of Professional Background Screeners
Founding Member of the National Association of Professional Background Screeners
Certified Safe Harbor, US Department of Commerce
ESR's SOC 2 Audit Report confirms it meets high standards set by the American Institute of Certified Public Accountants (AICPA) for protecting customer information