Privacy and Data Protection in Background Check Screening Reports

Because background reports and background release forms contain sensitive and confidential information, efforts must be made to keep the contents private and confidential and only available to decision-makers directly involved in the hiring process.

The Report itself, along with the Release and Authorization forms signed by the applicant, should be maintained separately from the employee’s personnel file. They should be kept in a relatively secured area, in the same fashion that medical files or sensitive employee matters are kept. These reports should definitely not be made available to supervisors or managers other than those in the hiring approval process. For example, during periodic performance appraisals, an employer would not want a supervisor to have access to a non-performance-related confidential background report.

For screening firms with advanced internet systems, there is no need to physically download the report. It is available online. However, an employer needs to be assured that the screening firm has appropriate internet and data security, and the employer needs to maintain a system of strong password protections. It is important that authorized users do not share passwords with those not authorized, nor reveal the password in any manner. Some screening firms require the user to change passwords periodically as a security measure and to sign security agreements.

Typically, reports are returned to either Human Resources or Security Departments. Reports are reviewed for any negative information. If the report is clear, then the hiring manager is notified and the hiring proceeds. If there is a red flag or derogatory information, then the information itself is shared with the appropriate decision-makers. The physical report, however, should normally stay with HR or Security. This protects against confidential information wrongfully being made known generally within the company if reports are transmitted between departments either by means of a paper copy or electronically.

The question arises as to how long records and documents should be maintained after separation. Unlike Canada, where privacy laws encourage the destruction of confidential data when no longer needed, there are no U.S. requirements that materials related to background screening be destroyed. In fact, there are a number of state and federal laws that control document retention, and labor attorneys will typically advise employers on how long various documents must be retained. However, for purposes involving safe hiring and background screening, the recommendation by ESR is six years. The FCRA was amended in 2003 to lengthen the statute of limitations under the act to as long as five years. In addition, state laws often allow a one-year period to file and serve a lawsuit. As a workable general rule, a six-year retention period should serve employers, with the six years running from the termination of employment or, if not hired, from the time the decision was made not to hire the applicant.

Many screening firms now store reports indefinitely, and if the applicant used an online system, the consent and disclosure can also be retained indefinitely. However, if an employer downloads any data, or uses a paper-based consent and disclosure, then consider six years as the minimum. Although technically there is no maximum period under federal law, it is still a best practice to periodically purge old data in order to minimize the amount of Personally Identifiable Information (PII) that is available in the work environment. After all, most identity theft occurs in the workplace.

If disposing of any information in a consumer report, it is important to follow regulations set out by the FTC pursuant to FCRA Section 628. Paper or electronic reports must be destroyed, pulverized or erased so they cannot be read or reconstructed. An employer must show due diligence when a shredding firm is hired. See:

For best practices when it comes to privacy in the workplace, see the recommendations from the Privacy Rights Clearinghouse available at: