Checking Facts Building Trust


About Us...

Memberships and Registrations

Data sources

Who we are

Quality Policy

Link to us


International Newsletters

Follow us on Twitter

Find us on LinkedIn

Investors In People

ISO Accrediation

Verifile International Newsletter Issue #2

28 Oct 2013

Welcome to our second international newsletter aiming to keep you up to date with major legislative changes and significant issues from around the world which impact employers in relation to employment screening.

We would like to thank you for the feedback you gave us on this initiative. We are happy that so many of you found it useful. Many of you asked for a list of articles at the beginning of the newsletter given the large number of stories it covers. Taking this feedback on board we decided to include in the email only a list of the articles covered by the newsletter with quick links to our website where the full version is published.

In this issue of the International Newsletter:


- If You're a Global Employer, You Need Global Employee Data Policies


- Israeli Supreme Court to Rule on Demand for Disclosure of Criminal Record


- New Privacy Law Will Have 'Significant Impact' On Background Screening

- Employee Background Checks: No One Should Be Precluded


- IBM Gets Certified Under APEC Privacy Rules


- The Privacy Act Did Not Give a Worker a "Workplace Right"

- Lost in the Privacy Landscape

- Data Sovereignty: Are You Covered?

- Tread Carefully When Checking Civil Litigation History

- Is Your Drug and Alcohol Policy Enforceable?

- The Case for Hiring Ex-offenders ??

- Criminal Records of Juvenile Offenders May Be Exposed


- China’s Regulation on Personal Data Use by Commercial Websites


- Hong Kong Issues Clearer Guidance on Privacy Notices

- In Hong Kong, When Is Public Data Actually Private Data?

- Guarding Against Abuse of Personal Data in the Public Domain


- Criminal Record May Soon be a Click Away


- Singapore Among Four Countries to Improve Hiring in Q4 2013


- EU LIBE Committee Adopts EU Data Protection Compromises; Reform Package Set for Parliamentary Vote

- Data Protection and Privacy Commissioners Release Resolutions on Tracking, Profiling, International Cooperation

- WP29: Carry Out PIAs Before Public Data Reuse

- What to Do When the Privacy Regulator Comes Knocking on Your Door?

- How To Work With Your European Data Protection Authority

- Draft EU Data Protection Regulation Discussions Stall on One-Stop-Shop Issue


- New Amendments to Austrian Data Protection Law


- New Approval Process for Data Transfer Agreements in Belgium


- German Data Protection Commissioners Push for Suspension of Safe Harbor

- EU Needs 'German Standards' on Data Privacy

- No Right to Ask Applicants About Preliminary Investigations by Public Prosecution Office


- Consultation on the Conducting Privacy Impact Assessments Code of Practice

- Competition to Offer Privacy Protections Could Help Deflect Regulatory Action

- Unions Call for Blacklisting to be Made a Criminal Offence

- Fraud Landscape Tips

- One in Three Scottish Men 'Likely to Have a Criminal Record'

- Disclosure and Barring Service: Filtering

- Employment Agency For Ex-Prisoners Launched

- Criminal Record Disclosure Calculator - For Professionals & Organisations

- ICO Releases PECR Breach Notification Guide


- Privacy Law Losing Relevance, Commissioner Says

- Mid-Employment Checks in Canada Legal but Complicated

- Battle Over Workplace Drug Tests Just Heating Up Following Court Ruling

- Employer's Random Alcohol Testing Policy Constitutes Unreasonable Invasion

- Pre-access Drug and Alcohol Testing Rejected in Ontario

- Ontario Reviewing Access to Criminal Court Records


- CFPB Issues Warning on Furnisher’s Duty to Investigate Disputes

- Military’s Background Check System Failed to Block Gunman with a History of Arrests

- Pre-employment Screening and Social Media

- Bring Back the Box?

- Tenant Screening Laws Update: Passing Background Check Costs to the Applicants

- NJ Passes a Business-friendly Workplace Social Media Privacy Law

- Small Mistakes With Employee Background Screening Can Cause Big Problems

- How to Stop the In-House Data Thief

- Current List of Labs and IITF Meeting Minimum Standards for Federal Urine Testing

- Medical Marijuana and the Drug Free Workplace

- National Drug Abuse Survey: Workplace Abuse Persists; Marijuana, Heroin Use Gain

- Report: E-Verify Accuracy Improving

- E-Verify: Iowa Joins RIDE and New Further Action Notice

- Are Referees Still Important?


- Colombia Adopts Regulations to Implement its Data Protection Laws


- Uruguay Legislators Approve Bill to Legalize Marijuana



World wide news


If You're a Global Employer, You Need Global Employee Data Policies
If your company employs any international employees, it may have obligations under foreign laws to have specific safeguards in place. Failure to observe a jurisdiction's data protection laws can result in staff penalties and unwelcome press coverage. Although the European Union is leading the way with a proposed comprehensive new data protection law, other countries from China to the United Kingdom, South Africa, Qatar, Dubai, and several Latin American countries are developing, or have already enacted, their own data protection laws, with many based on the European model. Many multi-national employers have appointed data protection compliance officers to manage policy compliance. The policies should specify the types of personal data that will be held, how it will be stored, how and under what circumstances it will be transferred, shared with third parties, and destroyed or deleted. At a minimum, the data protection policies should address security measures that will be taken to safeguard personal information.

Read more

Africa Middle East



Israeli Supreme Court to Rule on Demand for Disclosure of Criminal Record
A special panel of seven Supreme Court justices will soon decide whether it is legal for an employer to demand the disclosure of a job applicant’s criminal record, and whether such disclosure can be required in other circumstances, such as a condition for bidding on a tender. The Supreme Court ruled in February that such demands were legal, but now the new, expanded panel, headed by Supreme Court President Asher Grunis, will rehear the case. Attorney General Yehuda Weinstein submitted his opinion, in which he states that such a demand - including for disclosure of an applicant’s criminal record or any open criminal investigations, including ones that never even reached the indictment stage - should be legally barred. However, Weinstein did write that an employer should be allowed to ask a candidate about any criminal past in a job interview. In the ruling, the Supreme Court allowed such requests for a declaration on a criminal record, even though by law the employer is not allowed access to such records. The court ruled that the right to privacy and the state's interest in rehabilitating prisoners was offset by the rights of employers and others to protect themselves and the public "from unreasonable risks."

Read more (Free registration required)


South Africa 2


New Privacy Law Will Have 'Significant Impact' On Businesses
The South African Parliament passed has the Protection of Personal Information (POPI) Bill. POPI represents South Africa's first comprehensive data protection legislation and is expected to come into force before the end of the year. "POPI will, upon promulgation, impose a number of stringent obligations on all persons which in any manner process personal information", said Simone Gill, Director of the Technology Media and Telecommunications Practice at Cliffe Dekker Hofmeyr. "It is expected to have a significant impact on the manner in which private and public bodies process personal information." POPI was drafted on the basis of the EU Data Protection Directive and establishes eight data protection principles, which reflect EU, Canadian and Australian data protection models. Of particular note, POPI restricts cross-border data transfers unless the country to which the data is transferred provides a similar level protection of personal data. Under POPI, companies may adopt contractual clauses and binding corporate codes of conduct. It will also introduce a mandatory data breach notification requirement and establish the Information Protection Regulator (IPR) with investigatory and enforcement powers, including the power to impose fines of up to ZAR 10 million (approx. €740,200).

Read more


Employee Background Checks: No One Should Be Precluded
The widely reported Gauteng Police Commissioner appointment blunder has left the South African Police Service (SAPS) red in the face. Or has it? National Police Commissioner, Riah Phiyega announced Major General Bethuel Mondli Zuma as Gauteng Police Commissioner in August, but withdrew it just two hours later, when it emerged that he had a case pending against him. Zuma faces four counts for allegedly trying to evade a roving anti-alcohol patrol in 2008. These include failing to stop when ordered, drunk driving, attempting to escape from custody, and defeating the ends of justice. Phiyega has said she was not aware of the criminal investigation against Zuma and amidst calls from the DA for her resignation, the National Commissioner is sticking to her guns, saying the appointment was only provisional. This incident once again highlights the critical importance of pre-employment screening and background checks. “It was not deemed necessary to conduct a detailed search, particularly noting that the people being promoted or transferred are senior executives, who are loyal and hardworking career police officers, well respected and had established relationships of trust with the SAPS,” said Phiyega. “In the case of Major-General Zuma, at the very least, requisite background checks aside, he should have been frank with me. That is why I was so disappointed.”

Asia Pacific



IBM Gets Certified Under APEC Privacy Rules
IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters, CIPP/US, said, "CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections." Hogan Lovell's Partner Christopher Wolf told The Daily Dashboard, "APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs."

Read more




Adverse Action Update: The Privacy Act Did Not Give a Worker a "Workplace Right"
In the case, Austin v Honeywell Ltd, the Federal Circuit Court determined that the Privacy Act 1988 (Cth) is not a "workplace law" for the purpose of protecting a person against adverse action under section 340 of the Fair Work Act 2009 (Cth) (Act). However, the judge conceded that a provision within an Act or regulation could regulate the relationship between employers and employees even though the Act or the regulations as a whole did not do so. In any case, the Judge found that the employer had discharged the onus of proving that it had terminated her employment because of her attitude to her manager and not because she had commenced an adverse action claim. Not all statutory rights amount to workplace rights granting protection against adverse action. Whether a workplace right exists depends on whether the provision or Act is aimed at regulating the relationship between employers and employees. The Privacy Act was held not to be a workplace law, therefore it did not give rise to a workplace right.

Read more


Lost in the Privacy Landscape
Australia's privacy and data protection laws are hard to explain and often poorly understood. The first challenge is to explain that the Australian Privacy Commissioner sits in the Office of the Australian Information Commissioner (OAIC) and applies laws that the Australian parliament has misleadingly called 'principles'. The second challenge is describing how to read principles as laws and fit them together with other provisions in the Privacy Act that clearly are drafted as laws. And then there's the difficulty of trying to interpret these provisions when dealing with novel issues such as cross-border cloud deployment and access to personal information held in another jurisdiction (or jurisdictions unknown), geo-tracking of devices, data warehouses, virtualised servers, big data and customer data analytics. Privacy and data protection in Australia has become a confusing landscape, with forests of regulation to get lost in, unexplored corners and many poorly understood rules. At a time when privacy and information security is becoming a major area of concern for governments, businesses and consumers, it is unfortunate that Australia has created such a confusing thicket of regulation and quasi regulation.

Read more

Data Sovereignty: Are You Covered?
Cloud computing and the opportunities that come with it have quickly swept through the business world, and most organisations wouldn't be blamed if they weren't quite sure where the path leads. Although the concept of offshore data storage is anything but new, its recent proliferation has meant that an understanding of the laws and regulations involved may be further behind than anyone wants to admit. A recent whitepaper by UNSW, Aon, NEXTDC and Baker & McKenzie demonstrates the importance of understanding the laws that surround cloud data and the risks involved. NEXTDC found 88% of organisations experience at least one data breach each year, with between 36% and 62% stating the breaches involved a mistake by outsourcers, cloud providers, and other third parties. HR systems are being overhauled with cloud software, and data security is no longer just an IT responsibility in an organization. Of greatest importance is the understanding that the jurisdiction the data is stored in defines what laws apply to it. As such, understanding of privacy laws where data is stored is paramount to effectively reducing risk of data breaches.

Read more


Tread Carefully When Checking Civil Litigation History
Checking publicly available civil litigation information may ensure organisations safeguard themselves against hiring people found negligent or liable by a civil court, but involves a whole host of limitations and risks.

Last year, Queensland Health was held to account over having employed an IT manager for five years who had previously been the head of an internet services company which was ordered to pay $210,000 worth of damages for using pirated software in 2001. A check of litigation records may have allowed it to avoid getting into this difficult situation. However, checks of civil proceedings may identify cases that would be considered a 'spent conviction' in a criminal history search, and therefore cannot be considered by an employer.


Is Your Drug and Alcohol Policy Enforceable?
Drug and alcohol testing policies that follow industry and Australian standards are more likely to be considered reasonable - and therefore enforceable - than those that depart from standard practice, according to employment lawyer, Erin Rice. The key issues to consider when drafting drug and alcohol testing policies include: what type of testing is most appropriate - for example, a urine test or a saliva test; what disciplinary actions are appropriate once a breach of policy is established; and the purpose of the regime - is the policy intended only to catch workers who are under the influence of a substance during work, or also to act as a vehicle for deterring and monitoring drug and alcohol use? Rice says drug and alcohol testing has become a widely accepted method for employers to meet safety obligations, especially in high-risk industries, but the level of intrusion into an employee's private life can be contentious. In drafting drug and alcohol policies, it can be helpful to mention that the purpose of the policy is not only to test for impairment, but also to allow the company to monitor drug and alcohol consumption for the purposes of meeting its safety obligations more broadly.

Read more (Login Required)


The Case for Hiring Ex-offenders ??
According to management expert James Adonis, there are pros and cons to hiring those with a criminal record. On the one hand, he points out the perils to society if managers universally refused to do so. "The result would be that convicted criminals, or at least those who've been to jail, would either remain on perpetual welfare or fall into the recidivism trap," said Adonis. And on the other hand, he sympathises with those who would have concerns hiring an ex-offender. "Being in business is risky - hiring employees even riskier - and so it makes sense, in a way, to minimise that risk by disqualifying those with a crooked history." One example of a successful rehabilitation programme that Adonis highlighted is run by the Royal Society for the Prevention of Cruelty to Animals (RSPCA). Under this scheme, some prisoners undertake an animal training course to learn how to work with dogs that have behavioural problems. They earn nationally recognised qualifications and vocational skills that will assist them in finding employment once they have left prison. "The success of the programme demonstrates that with the right training and supervision prisoners have the potential to become fine workers." The rate of recidivism in Australia sits at 60%, but the Australian Institute of Criminology has said that the figure can be halved if prisoners are given vocational education and are assisted into employment.

Read more

Criminal Records of Juvenile Offenders May Be Exposed
Secret criminal records of juvenile offenders will be publicly revealed if they reoffend as adults, under a plan being considered by the Victoria (AUS) State Government. Crime victims applauded the move, which comes after decades of policy dictating the identity of child criminals be kept secret. Under current laws, the criminal records of juvenile offenders and their identities cannot be revealed, even if they reoffend, without court permission. Supreme Court challenges to name child brutes have previously failed. The State Government is considering a proposal to change the Children Youth and Family Act and the Corrections Act to allow criminal records of juvenile offenders to be made public if they offended as adults. Under the plan, youth offenders would have to have committed serious crimes, such as murder, manslaughter or sexual offences. Petty thefts and minor offences would not be revealed as part of the plan, keeping in line the ethos of giving the kiddie crims a chance to rehabilitate. The offences committed as juveniles would only be revealed in the adult court system for serious crimes and for repeat offenders.

Read more



China’s Regulation on Personal Data Use by Commercial Websites
China’s Personal Information Provisions, which regulates the collection and use of personal information by providers of telecommunications, Internet and information services within China, came into force on September 1. It will affect a wide range of consumer-facing websites, including corporate sites, product information sites, and social media pages. The Personal Information Provisions follow the same framework as China’s Decision by the Standing Committee of the National People’s Congress on the Strengthening of the Protection of Network Information, but provide significantly more detail by addressing the collection and use of personal information of individual users (i.e., passwords, names, date of birth, addresses, account numbers and so forth, as well as metadata about a user’s habits, including the time and location of the use of the services). From a compliance perspective, the Personal Information Provisions have important business implications for those who are considered “Service Providers,” including many commercial websites. The method and scope of collection and usage must now be specified and consent from data subjects must now be obtained. Those compliance obligations, in and of themselves, are important changes brought about by the recent legislation and may require many foreign-invested businesses in China to adjust their current data collection model and practices.

Read more


Hong Kong



Hong Kong Issues Clearer Guidance on Privacy Notices
The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) has issued a new guidance note on preparing Personal Information Collection Statements (PICS) and Privacy Policy Statements (PPS). The guidance note is intended to help organizations prepare clear and informative privacy notices in order to comply with the requirements under the Personal Data (Privacy) Ordinance and the Data Protection Principles (DPPs). Broadly, a PICS statement sets out how a data subject’s personal data will be collected and used by the organization. A PPS statement – which often incorporates a PICS – should also set out the organization’s policies on data retention, data security, and how it will deal with requests for data access and correction. The PICS and PPS statements are required under DPP1 (which requires a data user to inform a data subject of the purpose and manner of collection of their personal data) and DPP5 (which requires a data user to take steps to ensure that a data subject can ascertain the personal data policies and practices of the data user), respectively. The publication of this guidance note by the PCPD now, perhaps suggests that in Hong Kong at least there is a concern with the availability and clarity of PICS and PPS statements.

Read more

In Hong Kong, When Is Public Data Actually Private Data?
The Office of the Privacy Commissioner for Personal Data (PCPD) has issued an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application, claiming that the company ”seriously invaded” the privacy of those individuals. Various commentators have accused the PCPD of threatening freedom of information, making inconsistent decisions, and being technophobic, while others argue that the decision highlights the limitations of the Personal Data (Privacy) Ordinance (PDPO), which governs the use of personal data in Hong Kong. The offending application allowed users to search a database of publicly available records of civil and criminal litigation and bankruptcy cases by an individual’s name or address in order to carry out simple due diligence and background checks. The basic position in Hong Kong is that while an individual’s personal data may be obtained from a source in the public domain, that does not mean that the individual has given his blanket consent for use of that personal data for other purposes. Anyone who collects and uses personal data from the public domain must observe the requirements of the PDPO. To assist data users to comply with the requirements of the PDPO, the PCPD has issued a new guidance note on the Use of Personal Data Obtained from the Public Domain.

Read more

Guarding Against Abuse of Personal Data in the Public Domain
Many people believe personal data collected from the public domain - such as the companies, land and vehicles registers and even the internet - is open to unrestricted use. This view is incorrect. Personal data, whether publicly available or not, is protected under the Personal Data (Privacy) Ordinance. Technology has exacerbated the risks of a loss of privacy. Advances in the aggregation, matching and further processing of personal data in the public domain means such data mining is now conducted with phenomenal ease and efficiency. Admittedly, such profiling could generate economic and societal benefits. But at the same time, it poses grave privacy risks. It is conceivable that many marketers are using innovative analytics to enhance marketing effectiveness based on data supplied by the customer and data in the public domain. The problem is not so much related to the nature and source of the data but, rather, to the way the data is combined, further processed and used. A use-limitation principle in the ordinance provides that personal data should be used only for the purposes for which it was collected or a directly related purpose, unless exempted for activities such as law enforcement, professional due diligence, and publishing or broadcasting of the data as news and in the public interest.

Read more

New Zealand


Criminal Record May Soon Be A Click Away
Finding out someone's criminal history could soon be as easy as clicking a button, under major changes to improve public access to court documents. Justice Minister Judith Collins said the current system, where people often have to apply in writing to the courts for access to information, is "completely insane". She wants all decisions online once the courts have completed a move to an electronic operating model next year. The documents would effectively act as a public register of criminals, improve public safety, and make the court process more open. Collins accepts some groups will "scream and cry" about the plan, but believes there is overwhelming public interest in making the information available. Court of Appeal and nearly all Supreme Court and High Court decisions since 2005 are published online. The public can apply in writing to receive a copy of a District Court judgment. However, a lot of criminal decisions are recorded, but not transcribed unless they are needed for official purposes, largely because of a lack of resources.

Read more




Singapore Among Four Countries to Improve Hirings in Q4 2013
Despite global job prospects unlikely to improve in the last quarter of 2013, Singapore along with a few countries look set to buck the trend. According to the latest Manpower employment outlook survey, 25% of the 700 employers interviewed in Singapore expect to hire more people, with 4% expecting a drop in headcount numbers and 65% anticipating no change in recruitment. The figures result in a net employment outlook of +20% after adjusting for seasonal factors. This is 6% higher than the current quarter and 2% more than from last year. Out of the 42 economies and cities surveyed in the report, only India (+40%), Taiwan (+37%) and Panama (+24%) look set to have stronger hiring figures than Singapore. Employers in all of Singapore’s seven industry sectors are expecting to increase staffing numbers, with the finance, insurance and real estate sector (+36%) and the public administration and education (+34%) posting the greatest optimism. Elsewhere, the transportation and utilities sector posted the least increment with just 9%. Conversely, the weakest countries are Italy (-17%), Spain (-7%) and Finland (-6%). They are expecting to cut headcounts. Compared to last year, the jobs outlook is stronger in 16 countries, weaker in 25 and remains the same in one country.

Read more





EU LIBE Committee Adopts EU Data Protection Compromises; Reform Package Set for Parliamentary Vote
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on 21, October 2013 to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.

The report contains significant amendments compared with the original draft prepared by the European Commission in January 2012.

The vote now permits the Parliament to proceed to the trialogue negotiation with the Council and Commission once the Council has reached an agreed position. Previously the high number of amendments (approximately 4,000) proposed by the Parliament to the legislation had given rise to concerns that the Regulation would not be passed before the next European elections. Now that the European Parliament has made its position known, pressure will shift to the Member State governments to reach agreement on a position within the European Council. Once a common position is reached, negotiations can begin with the European Parliament and Commission.

Read more

Data Protection and Privacy Commissioners Release Resolutions on Tracking, Profiling, International Cooperation
The collected DPAs attending the 35th Annual Conference of Data Protection and Privacy Commissioners showed a united front and that they mean business. As part of his keynote speech kicking off the open part of the conference, Polish Minister of Administration and Digitization Michel Boni said, "We need regulations. Hard regulations. In Europe, we have a discussion pending-we have to make sure it is a strong law to harmonize the laws of all the states rather than a directive." This sentiment was echoed by Jacob Kohnstamm, chairman of the executive committee of the International Conference of Data Protection and Privacy Commissioners. "Even more than before," he said later in the day, "we stand ready to work together to tackle contraventions with our respective legislation and ensure the best possible protection of our citizens. The only way to maintain a high level of protection is for data protection authorities to cooperate closely. We will actively work together in selecting targets for cross-border investigations. If companies break our laws, they should be ready to deal with an international and cooperative response.” It should not be surprising, then, that one of the resolutions to come out of the conference's closed session is "to further encourage efforts to bring about more effective coordination of cross-border investigation and enforcement ." Perhaps the most practical part of the resolution is a mandate for the International Enforcement Coordination Group to develop a common approach to cross-border case handling and enforcement coordination, hopefully to be adopted at next year's conference.

Read more

WP29: Carry Out PIAs Before Public Data Reuse
The Article 29 Working Party (WP29) published - on 27 June 2013 - Opinion 06/2013 on open data and public sector information (PSI) reuse (WP207), which was adopted on 5 June 2013. WP29 recommends data protection impact assessments (PIAs) to be carried out before PSI is made available for reuse. 'The re-use of [PSI] may bring benefits to society, including greater transparency of the public sector and stimulating innovation', stated WP29. '[WP29] stresses that it is important to have a firm legal basis for making personal data publicly available, taking into account the relevant data protection rules, including the principles of proportionality, purpose limitation and data minimisation.' WP29 recommends public bodies to follow 'data protection by design and default' principles, and carry out PIAs before making any PSI containing personal data reusable, including anonymised datasets derived from personal data. A balanced approach needs to be followed and data protection law must help guide the selection process.

Read more

What to Do When the Privacy Regulator Comes Knocking on Your Door? A Short Guide to Handling Inspections and Data Protection Audits in Europe
Inspections and data protection audits from regulators are on the rise across Europe, and this trend is likely to continue. The latest figures for 2012 show that the French data protection authority (CNIL) completed 19% more inspections from 2011. The number of inspections has been steadily rising since 2004, when CNIL’s enforcement powers—and later on, its budget—were significantly increased. Companies need be proactive and take steps to deal with a data protection audit. Any regulatory inspection is a burdensome undertaking, and inspections carry the risk of noncompliance being exposed, sanctions, adverse media attention and damage to reputation. Sometimes noncompliance is only identified after an inspection has been carried out. Even for fully compliant organizations, inspections bring disruption to the conduct of normal business. In light of increasing DPA powers, the rising number of inspections, and the risks of sanctions that may follow, organizations operating in the EEA are advised not only to prepare for a planned, notified inspection, but to establish best practices, policies and procedures on how to handle all inspections.

Read more

How to Work With Your European Data Protection Authority
At the IAPP Privacy Academy in Seattle, Washington, Harriet Pearson, Partner in the Hogan Lovells Privacy and Information Management Practice, hosted a breakout session entitled: How to Work with Your European Data Protection Authority. The Session featured Billy Hawkes, Data Protection Commissioner of Ireland, and focused on providing privacy practitioners with practical advice on how to approach a Data Protection Authority (DPA) and earn their trust. The session also addressed practical compliance questions for European markets, gave advice on making successful regulatory filings, and gave tips for handling complaints and other challenging situations. Lovells has published Working with your European DPA, a quick-reference resource guide on how to build a productive relationship with your DPA and featuring contact information of all national European Data Protection Authorities and the European Data Protection Supervisor. Steps to a productive relationship with your DPA include: In the jurisdictions important to your organization, identify the DPAs and their key staff; Understand the DPA’s current priorities and prior statements and positions; and Identify the filing and registration requirements in the DPA’s jurisdiction, and make sure your organization takes steps to comply.

Read more

Draft EU Data Protection Regulation Discussions Stall on One-Stop-Shop Issue
The Ministries for Justice and Home Affairs of the 28 Member States of the European Union met to further discuss the draft General Data Protection Regulation that is intended to replace the current European data protection framework. The new draft framework aims at simplifying the regime and lowering the administrative burden. This principle has been called the “one-stop-shop” and has been criticized by a number of national data protection authorities concerned about the potential for forum shopping for the jurisdiction offering the lowest level of protection. Despite several different propositions, the way to a consensus seems to still be long and puts the initial calendar for adoption of the new text in jeopardy. The Council issued a press release indicating that “expert work” towards finding a compromise will continue, notably around the scope of the powers to be granted to the competent supervisory authority (potentially limiting the scope of its powers), the involvement of other “local” data protection authorities in the decision making process, and the evolution of the role and powers of the European Data Protection Board. Nevertheless, Viviane Reading, the European Commissioner responsible for Justice, Fundamental Rights and Citizenship has indicated that she hopes to see a compromise text presented in December and a decision taken before May 2014, when the European elections will take place.

Read more




New Amendments to Austrian Data Protection Law
The Austrian Data Protection Act (DPA) has been substantially revised for the first time since becoming effective in 2000. The revised DPA introduced a "data breach notification duty" to the Austrian data protection regime, which is similar to the respective obligations under U.S. and UK data privacy laws. With this, Austria (in addition to Germany) is one of the first Member States to implement such an information duty. In a nutshell, this obligation requires every data controller in Austria to inform data subjects properly if he becomes aware of a systematic and seriously unlawful misuse of their data. The revised DPA also provides for new provisions about the processing of personal data in the course of videotaping / video monitoring, the data subjects' rights of data access, and a new approach of self registration through the data controller combined with a massive extension of the authority's competencies. The administrative fines for breaches of the DPA were also raised to a maximum penalty of EUR 25,000 for deliberate violation of those provisions and EUR 10,000 for violation of the notification and information obligations of the DPA.

Read more





New Approval Process for Data Transfer Agreements in Belgium
The Belgian Privacy Commission and Ministry of Justice have executed a protocol that puts in place a new approval process for data transfer agreements (DTA). For customized DTA, it brings considerable improvement, but unfortunately it also adds a layer of administrative burden in relation to the use of the EU Model Clauses. The Protocol now acknowledges that it is sometimes justified for data exporters to make (some) changes to the EU Model Clauses. In order to facilitate this, the approval process has therefore been streamlined. But while this is a big step forward, at the same time, it is a big step backwards when it comes to the use of EU Model Clauses. Prior to the Protocol, no formal approval was required when the EU Model Clauses were used in an unaltered form. A data exporter simply had to submit a copy to the Privacy Commission when filing the notification. This has now changed. It has come to light that the Belgian Privacy Commission did not intend to increase the administrative burden for the use of EU model clauses. While the Protocol clearly uses the word 'authorizing', this should not be interpreted as introducing a formal authorization requirement, but rather as a confirmation given to the data exporter that the DTA used does indeed comply with the EU model clauses.

Read more




German Data Protection Commissioners Push Government Towards Suspension of US - EU Safe Harbor Regime
German data protection commissioners have sent a letter to the German Chancellor Angela Merkel, asking her to urge the European Union to suspend the US - EU Safe Harbor regime because of the recently disclosed NSA activities. The letter is signed by the Federal Commissioner for Data Protection and Information Freedom and the State data protection commissioners. The officials argue that the European Union should suspend the Safe Harbor regime until the facts about NSA surveillance of European citizens are cleared. The official press release of the data protection commissioners expects "the Federal Government to do everything to protect the people in Germany against access to their data by third parties" and asks the Government "to negotiate a high level of data protection and regulation in Brussels which will prevent comprehensive and causeless surveillance by European and non-European authorities". The new move could have a significant impact if it is successful: all companies relying on Safe Harbor for the transfer of personal data from the EU to the US could suddenly face a situation where either such data transfers must be suspended or face fines by data protection authorities for unlawful processing of data.

Read more

EU Needs 'German Standards' on Data Privacy
In response to the recent disclosures of the U.S. National Security Agency surveillance programmes, German Justice Minister Sabine Leutheusser-Schnarrenberger said EU data privacy rules should be as strict as those found in Germany. "High German data protection standards should be the rule," she said. "U.S. companies that do not uphold these standards should be banned from the European market." Leutheusser-Schnarrenberger, who has strongly criticized the scope of the U.S.' spying programme, noted that it should not be intelligence services that set the standards for data protection but rather "citizens' basic rights." The EU is currently updating its data privacy legislation with the draft rules under scrutiny in the European Parliament. "If a European data security sphere is to be created, then it needs stronger parliamentary control over secret services and regular, intensive information exchanges between supervisory committees," said Leutheusser-Schnarrenberger. In Germany, where data privacy is highly valued, the issue has moved onto the political agenda ahead of elections in September.

Read more


Job Interviews in Germany: No Right to Ask Applicants About Preliminary Investigations by Public Prosecution Office
The German Federal Labor Court recently passed a decision that dealt with what questions employers can and cannot ask in interviews with job applicants. Employers are entitled to ask job applicants questions as long and to the extent they have a "legitimate interest worth of approval and protection" in the response to such questions. It is required that the interest of the employer to obtain the requested information outweighs the interest of the employee to protect his personal privacy. By applying German data protection law, the Court ruled that companies do not have any legitimate interest to know about preliminary investigations that do not lead to criminal conviction. The new decision is another example for the growing sensibility among the German labor courts regarding the collection and use of personal data of employees, during the employment, but also prior to an employment. Respective limitations are not only prescribed by the courts with regard to the collection of personal data during interviews, they are also discussed with regard to the collection of personal data in publicly available Social Media platforms, such as Facebook and LinkedIn. Companies are requested to carefully consider what information is in fact needed for the concrete position prior to entering into interviews with their candidates.

Read more


United Kingdom 2


Consultation on the Conducting Privacy Impact Assessments Code of Practice ??
The UK Information Commissioner's Office (ICO) has published a consultation on a new privacy impact assessment (PIA) code of practice and released a study on PIA and risk management. The ICO first announced the study, conducted by Trilateral Research & Consulting, was underway back in January. The new code of practice on conducting privacy impact assessments (PIAs) is intended to replace the current PIA Handbook. The aim of the new code is to produce a practical guide, which will help organisations conduct assessments of new projects that involve the use of personal information. The code explains the key principles behind a PIA and suggests how a PIA can be integrated with an organisation's project and risk management processes. The closing date for the consultation is 5 November 2013.

Read more

Competition to Offer Privacy Protections Could Help Deflect Regulatory Action to Other Markets, Says ICO ??
Companies operating in markets in which businesses can gain a competitive advantage from offering enhanced privacy protections to customers are less likely to be the subject of enforcement action over breaches of data protection laws, the Information Commissioner's Office (ICO) has said. The UK's data protection watchdog has published a Data Protection Regulatory Action Policy that sets out the factors it will take into account when deciding whether to initiate regulatory action. The ICO said that it will be selective about which breach cases to pursue regulatory action in and that "market factors" could influence its decision whether to take up an investigation. "Our approach will be driven by concerns about significant actual or potential detriment caused by non-compliance with data protection principles, the PECR (Privacy and Electronic Communications Regulations) or other relevant legal requirements," the ICO's Policy said. "The initial drivers will usually be: issues of general public concern; concerns that arise because of the novel or intrusive nature of particular activities; concerns raised with us in complaints that we receive; and concerns that become apparent through our other activities." Under its existing information rights strategy, the ICO pledged to focus its regulatory attention on organisations operating in the health, credit and finance, criminal justice, Internet and mobile services and security sectors.

Read more


Unions Call for Blacklisting to be Made a Criminal Offence
The blacklisting of workers should be made a criminal offence punishable by jail and unlimited fines, trade unions have said. The call follows an announcement by the TUC that there will be a national day of action in support of workers who have been blacklisted. Blacklisting was discovered in 2009 when thousands of names, mainly construction workers, were found on a list held by the Consulting Association when its offices were raided by the Government's data watchdog. Unions claim that workers have been denied employment, often for raising health and safety issues or for being union activists. The TUC is unhappy that companies who have blacklisted workers have still not been held accountable. "Blacklisting is a shameful practice that has no place in a modern society,” said general secretary, Frances O'Grady. “It causes misery for those blacklisted and their families and it puts lives at risk.” The TUC also said all companies must be asked if they have ever complied, used, sold or supplied information that could be used for blacklisting. It said if they refuse to comply and compensate victims, and if they have engaged in blacklisting, then they should be barred from bidding for any public sector contracts.

Read more


Fraud Landscape Tips
Use of fake identity details, or the impersonation of an innocent victim (identity fraud) now accounts for 52% of all fraud. That is according to frauds recorded by cross-sector members of CIFAS - the UK fraud prevention trade association, during the past 12 months. "CIFAS has long highlighted that data is the cornerstone of the fraudster's trade," said Richard Hurley, CIFAS Communications Manager. "With two thirds of all recorded fraud now relating to the abuse of identity details, the message is clearer than ever, ?said Hurley. "Organisations and individuals must develop new ways of safeguarding their personal data, otherwise they effectively provide the fraudster with a licence to steal money." CIFAS says that you can reduce the risk of your details falling into criminal hands by keeping your personal details to yourself. Here are some tips: Treat your personal details as something to be looked after. If you use social networking sites, limit the amount of information you give away and activate tough privacy settings. Only enter your personal details into secure websites belonging to organisations you know and trust. Make sure your computer has an up-to-date firewall and is protected by anti-virus and anti-spyware programmes. "Organisations must always play their part, and CIFAS always calls for them to invest in strong preventative measures to combat fraud," adds Hurley. "But there is much that individuals themselves can do to help."

Read more


One in Three Scottish Men 'Likely to Have a Criminal Record'
More than a third of men and almost one in ten women in Scotland are likely to have at least one criminal conviction, according to a new report. The figures were revealed in a research paper examining changes to the law governing when criminal convictions are considered spent. In was produced in response to a Scottish Government consultation on the Rehabilitation of Offenders Act (1974) to be launched this summer. The act has been criticised for not achieving the right balance between protecting the public and allowing people to put their previous offending behaviour behind them and get back into employment. Concerns have been raised that rehabilitation periods set out in law are too long and offenders face stigma while waiting for a criminal record to expire. Disclosure Scotland processes more than one million applications for basic disclosure of criminal convictions every year. A Scottish Government spokeswoman said: "The Rehabilitation of Offenders Act 1974 has been on the statue books for nearly 40 years and it is important to ensure the legislation still operates in line with its original purposes of balancing the need to protect the public whilst allowing ex-offenders to be rehabilitated from their previous offending behaviour."

Read more

Disclosure and Barring Service: Filtering
DBS will filter certain old and minor cautions and convictions, reprimands and warnings from criminal record certificates. The DBS will be removing certain specified old and minor offences from criminal record certificates issued from the 29 May 2013. Changes to the legislation were introduced to allow us to do this. The filtering rules and the list of offences that will never be filtered are now available for you to view. In line with these changes, we have provided clarification on how to interpret question e55 on our DBS application form for a criminal record check. To follow the law correctly, we need Registered Bodies to bring this change to the applicants' attention when completing the DBS application form. Question e55 asks the applicant "have you ever been convicted of a criminal offence or received a caution, reprimand or warning?" Applicants should now ignore this question and treat this question as if they were being asked, "Do you have any convictions, cautions, reprimands or final warnings which would not be filtered in line with current guidance?"

Read more

Employment Agency For Ex-Prisoners Launched
A temporary recruitment agency has been launched to help provide temporary employment opportunities for prisoners upon their release. Established by Kate Beech, who has 20 years' experience in recruitment, and Her Majesty's Prison (HMP) Featherstone, the new company Chance (2013) Ltd. aims to support former prisoners into work. Beech said the level of skill and qualifications of many of the prisoners was often ignored due to their criminal background. During their time in prison, however, she said many of them had developed a strong desire to work and even in some cases start a new career. For some, they want to return to the jobs they successfully held before being convicted. "The relationship between [the] staff at Chance and [the] prisoners is built up over the final three months of their sentence so we are confident we [can] place them with the appropriate employer and within the right industry," said Beech. She adds: "This recruitment process means they will come out paying National Insurance and paying their own rent rather than relying on benefits until they find a job which may never happen on their own." Beech is also working with charities and rehabilitation groups to offer general support to the prisoners when they are released.

Read more

Criminal Record Disclosure Calculator - For Professionals & Organisations
The (UK) Disclosure Calculator is a web tool that can be used to find out when a criminal record becomes spent under the Rehabilitation of Offenders Act 1974 (ROA). The need to interpret complex legislation means that many people with a criminal record do not benefit from their legal rights under the ROA, making it harder for them to reintegrate into society. Professionals and organisations working with people with a criminal record can find it difficult to find out when their clients record becomes spent, particularly for clients with multiple convictions. The Disclosure Calculator makes it simple for you to calculate when a client’s criminal record becomes ‘spent’ and no longer needs to be disclosed under the ROA (e.g. to employers and insurers), removing the discrimination, which acts as a barrier to successful reintegration. You will need to set up a corporate account so that you and/or your organisation you can integrate use of the Disclosure Calculator into the services that you provide to people with a criminal record. The tool is only as good as the information that you input - it will only give you an accurate result if you input accurate information.

Read more


ICO Releases PECR Breach Notification Guide
The reports that telecoms companies will have to submit to the Information Commissioner's Office (ICO) containing details of data breaches may be disclosed under freedom of information (FOI) laws. The ICO has issued new guidance to public electronic communication service providers that explains when those companies are obliged to report personal data breaches to it after new EU data breach rules affecting such providers came into force. Under the guidance, telecoms companies would be required to submit a monthly report to the ICO detailing all the security breaches they have experienced. The Privacy and Electronic Communications Regulations (PECR) already required telecoms companies to keep a log of personal data breaches, complete with details on the facts surrounding the breach, the effects of the breach, and remedial action taken, and it is this log that the ICO is seeking be reported every month. "Strictly speaking, PECR does not require this monthly return," the ICO said. "However, we believe that this remains a useful exercise as it will demonstrate that service providers are monitoring their security properly and taking their responsibilities seriously. If we do not receive a monthly return from a service provider, this may trigger further investigation."

Read more


North America

Canada 2


Privacy Law Losing Relevance, Commissioner Says
In essence, Canadian privacy laws lack incentive for companies to obey and are losing relevance, said Jennifer Stoddart, the country’s privacy watchdog. The commissioner administers two federal laws—one in each the private and public sectors—pertaining to privacy and the protection of personal information. Throughout her 10 years in office, she has called for reforms to both, without much response from Canada’s lawmakers. “It doesn’t really do anything to deter those who want to misuse Canadians’ privacy, and therefore doesn’t give a marginal advantage to the many corporations that are protecting Canadians’ privacy,” Stoddart said. “If you’re deliberately launching a product that’s misusing peoples’ personal information, collecting their personal information or, indeed as one company was doing, spying on people who rent laptops, there should be some sort of sanction.” As it stands, the office can launch an investigation after receiving a complaint. If the investigation reveals a company was breaking the law, the legislation is written in such a way that if the company comes to an understanding with the commissioner’s office, then that’s that. Stoddart is looking for the ability to slap corporations with heavy fines. Thus far, Parliament has not taken action to address concerns Stoddart has been expressing for the better part of six months.

Read more


Mid-Employment Checks in Canada Legal but Complicated
In the aftermath of a recent decision by a Canadian government institution to perform mid-employment background checks, Canadian HR professionals are saying that while the practice is legal, companies conducting such checks should proceed with caution. "…it opens the door for discrimination," said an HR business advisor based in Toronto. "Depending on the purpose and how it is applied, it might discriminate on long-term employees with good performance, sometimes with minor records that have no effect on their work." Canada Post announced in March 2013 that it would implement the new screening practice for its employees, which would allow them to perform background checks on current employees every 10 years and gives the organization authority to change the frequency of employee screenings at any point. "The Canadian Union of Postal Workers (CUPW) opposes this policy of mid-employment checks primarily because it's a breach of members' privacy and also because Canada Post has not been clear and specific about the scope, requirements, process or intent of the checks," said Gayle Bossenberry, CUPW's first national vice president. The impact of the mid-employment background check on current Canada Post employees depends on how the postal service implements a review program with its employees and how it plans to take action on the results.

Read more


Battle Over Workplace Drug Tests Just Heating Up Following Court Ruling
More and more Canadians are being asked to prove, in the name of safety, that they are sober before clocking in at work. Earlier this month, the Supreme Court of Canada issued its first ruling on this invasion of personal privacy and opened the discussion about when it can be allowed. The high bench confirmed that drug-and-alcohol testing is lawful only under certain circumstances and it gave unions a means by which to challenge some of these policies by demanding better evidence of an existing problem. The court said an employer must establish a substance-abuse problem in a safety-sensitive work environment before such random screening can occur. The unions maintain employers like drug-testing programs because they give the impression that something decisive is being done about safety, but they don't work. "Privacy rights don't trump the employers' rights, but the court has placed a high value on them," said Ritu Mahil, a lawyer at Lawson Lundell specializing in employment law. "Now labour arbitrators will have to interpret that and apply it. They will have to assess what constitutes sufficient evidence, where are the workplace safety concerns and how do they balance against privacy rights."

Read more

Employer's Random Alcohol Testing Policy Constitutes Unreasonable Invasion of Employees' Rights to Privacy
An employee's right to ensure workplace safety versus an employee's right to privacy, have been competing rights present in the workplace for many years. In Communications, Energy and Paperworkers Union of Canada, Local 30 v. Irving Pulp & Paper Limited, the Supreme Court of Canada (SCC) recently weighed in on how to balance these rights in the context of an employer implementing a drug and alcohol testing policy. In this case, a majority of the SCC favoured employees' privacy rights. Key in the majority's decision was that the employer could not demonstrate the necessary safety concerns to justify the random alcohol testing component of its policy made on employee privacy. As such, the testing was found to be unlawful. While Irving does not produce an ideal result for employers who understandably see the safety and deterrence benefits that random alcohol testing provides, it is important to stress that Canada's highest court has not prohibited such testing in its entirety. Rather, employers with dangerous operations who wish to unilaterally impose such a policy must adequately justify and substantiate the policy's reasonableness through verifiable evidence that the workplace in question has problems with alcohol use.

Read more

Pre-access Drug and Alcohol Testing Rejected in Ontario
Drug and alcohol testing of employees in the construction industry continues to be an area of concern and constantly developing law for employers. An arbitration award out of Ontario recently held that pre-access testing was an unreasonable exercise of management rights and it was in violation of the applicable human rights legislation. The arbitrator relied heavily on the Irving Pulp and Paper Ltd. ruling that there was an obligation upon employers to justify the invasion upon employee privacy rights occasioned by drug and alcohol testing. If this award is followed, it means an employer must show a pre-existing drug or alcohol problem at its worksite before it can implement random testing or pre-access testing. Moreover, it appears an employer will not be able to rely on general statistical averages regarding substance use in the region, or on effectiveness of similar programs for other employers to show a problem. At a minimum, an employer implementing drug testing will need evidence that those statistical averages relate to the worksite in question and, more likely, will require actual evidence from its own specific workplace before it can justify not-for-cause testing. Once it clears this hurdle, employers will still be faced with showing that the testing is reasonably balanced against privacy rights by showing that the policy is effective and impairs employee rights to the minimal extent necessary.

Read more


Ontario Reviewing Access to Criminal Court Records
The Ministry of the Attorney General is reviewing its policies on media access to criminal court records in a bid to make the province’s justice system more open and transparent. The court staff in Ontario are increasingly denying public access to records that legal experts say should be readily available. The ministry, in consultation with the province’s chief justices, is checking to see if policies must be clarified to ensure court staff are properly applying the law. “In some instances existing policies are not clearly enough expressed and as a result differing practices can develop,” a ministry spokeswoman said in a statement. “The ministry continues to work to provide as much consistency in policies and procedures as possible in courts across the province, recognizing the very different case loads, sizes and resources of different court locations.” While the current policy makes it clear that information from court hearings should be made public, some staff have denied that information because of a guideline that forbids them from releasing a “general criminal record.” Media lawyers and privacy experts say these actions appear to run afoul of the country’s “open court” principle. “The openness of the court is essential to the credibility to the court as a democratic institution,” said Dan Burnett, president of the Canadian Media Lawyers Association.

Read more


United States



CFPB Issues Warning on Furnisher’s Duty to Investigate Disputes
The Consumer Financial Protection Bureau (CFPB) has issued a bulletin to companies that furnish information to CRAs reminding them of their obligation under the FCRA to investigate consumer disputes forwarded by a CRA and “review all relevant information” relating to the dispute. In the bulletin, the CFPB warns that it will take appropriate supervisory and enforcement actions to address furnisher violations of the FCRA or other federal consumer financial laws, including requiring restitution to harmed consumers. The CFPB expects furnishers to have reasonable systems and technologies in place to handle notices of disputes received from CRAs and information regarding disputes, including documentation forwarded by CRAs. The CFPB takes the position that a furnisher’s FCRA duty to review “all relevant information” relating to a dispute requires the furnisher to review and consider all of its own information relating to a dispute as well as all documents that a CRA includes with a notice of dispute or transmits during the furnisher’s investigation. In the bulletin, the CFPB outlines what it generally expects furnishers to do to comply with the FCRA’s requirements. Furnishers not currently meeting the CFPB’s expectations are advised to “take immediate steps” to comply.

Read more

Military’s Background Check System Failed to Block Gunman with a History of Arrests
The military’s beleaguered background-check system failed to block Navy Yard gunman Aaron Alexis from an all-access pass to a half-dozen military installations, despite a history of arrests for shooting episodes and disorderly conduct. Alexis, a military contractor, used his secret-level clearance to gain entry to the Washington Navy Yard, where officials said he gunned down a dozen people before being killed by police. The revelations about Alexis’s troubled past — and his ability to pass the government’s security-check system — prompted multiple examinations into how background checks are conducted and how long a security clearance can last without review. President Obama directed his budget office to conduct a government-wide review of security standards for contractors and employees across federal agencies. Defense Secretary Chuck Hagel also ordered a broad review into security and access to military installations worldwide. The private contractor that most recently employed him pointed the finger at the Defense Department, which defended its handling of the case. The Defense Department said the latest background check and security clearance confirmation were in late June of 2013 and revealed no issues other than one minor traffic violation.

Read more

Preemployment Screening and Social Media
While it’s not a standard practice to consider potential employees’ social media presence during the application process, it might become so in the future as technology continues to improve and people spend more time interacting online. This was the focus of an ASIS International Information Asset Protection and Pre-Employment Screening Council (IAPPES) conference call. “It’s a reality that that data trail is going to start to be crunched and munched by computers and people are going to start making decisions on those things,” says Dr. Charles Handler, executive scientist for Logi-Serve, LLC. Handler says it’s only a matter of time until people in charge of making hiring decisions begin to use applicants’ LinkedIn and Facebook profiles to evaluate them, which could lead to legal consequences. And while thirty six states have introduced laws, or have legislation pending that prevent employers from requiring employees to provide them with their social media account passwords after they’re hired, there is still a lack of legislation about using social media in the hiring process, specifically when using it as a hiring disqualifier. Handler says that companies need to hold all of their employment screening tools to a higher standard and ensure that applicants are being evaluated in a standardized way that tests the skills that are critical to successful job performance.

Read more

Bring Back the Box?
In 2010, the California State Personnel Board mandated that the state’s civil-service job applications would no longer seek information pertaining to criminal backgrounds. However, the state may be wishing it had a do-over on that one. Perhaps asking Carey Renee Moore if she was ever convicted of a felony would have precluded her from getting another job with the state after a two-year stint in jail on felony grand theft charges. Moore’s decision to resign before being fired and the fact that no one asked criminal background-related questions enabled her to fly under the radar and land a job despite her past. California is far from the only place where questions surrounding the criminal records of employees and/or job applicants are restricted. The New Jersey Senate, for example, recently introduced The Opportunity to Compete Act, which put the Garden State in the company of more than 40 cities and counties—including Boston, Chicago, Detroit, New York, San Francisco and Seattle—seeking to “ban the box” that asks about criminal histories on job applications. So, it’s safe to say we’re almost certain to see more cities pursue similar initiatives. But it’s also a good bet there is at least one employer in California right now who, in light of the Moore debacle, wouldn’t mind bringing the box back.

Read more


Tenant Screening Laws Update: Passing Background Check Costs to the Applicants
The states of Washington and Oregon recently enacted laws in connection with tenant screening. Among the provisions in both Washington's RCW §59.18.257 and Oregon's OAS §90.295, is that the entire cost of the background check can be charged to the applicant, if the screening is performed by a consumer reporting agency (CRA). However, if the landlord conducts the background check, it may not charge in excess of the customary fees of the CRAs in its geographical area. Notably, California's Civil Code §1950.6(b) provides that a landlord cannot charge (or pass-through) to the applicant more than $30 for a background check. This application screening fee may be adjusted annually by the landlord or its agent commensurate with an increase in the Consumer Price Index. (The current adjusted amount is $41.50.)

Read more


NJ Passes a Business-friendly Workplace Social Media Privacy Law
The State of New Jersey finally has itself a workplace social media privacy law, becoming the 12th state to restrict company access to prospective and current employee social media. Like similar laws in other states, this new law prohibits employers from requiring prospective and current employees from disclosing online usernames and passwords. It's worth noting that there are severable notable differences in the new NJ law, which loosen the restraints on local companies: Many public employers which deal in public safety are exempted; Any employer may require that the login/password of any account maintained for business purposes of the employer -- even if created by a current or prospective employee -- be disclosed; Employers can also demand login/password as part of several categories of workplace investigations; Employers can ask a current or prospective employee if he/she has a social media account; and Any aggrieved current or prospective employee may report an alleged violation to the Commissioner of Labor and Workforce Development, but cannot bring a private action against the employer. The new law goes into effect on December 1.

Read more

Small Mistakes With Employee Background Screening Can Cause Big Problems
Small employee background screening mistakes continue to give rise to large class actions with big settlements. If you obtain background screening reports from a third-party agency regarding your job applicants or employees, and have not reviewed your background screening policy and practices in a while, now is a good time to do so. Here are four things to look for: 1. Are you supplying job applicants and employees with the correct version of the federal notice entitled “A Summary of your Rights Under the Fair Credit Reporting Act”? The new version references the Consumer Financial Protection Bureau throughout the notice while the old version references the Federal Trade Commission. 2. Does your background screening consent form (“Disclosure and Authorization”) contain a release of liability? 3. Do you provide BOTH a pre-adverse action letter and a post-adverse action letter when excluding an individual based upon a background screening report from a third-party vendor, and do those letters contain the correct information? 4. Do you have a blanket policy that excludes all convicts or felons? It is important that employers update their background screening policies to reflect recent changes, and consult with counsel before excluding an individual based upon a background screening report.

Read more


How to Stop the In-House Data Thief
The highly networked computer technology that has made companies more efficient has also left them more vulnerable to threats from insiders intent on stealing information or sabotaging a company's operations. Companies looking to protect themselves from in-house data theft can undertake a number of preventive measures. According to Carnegie Mellon University's Software Engineering Institute, about half of the companies surveyed each year since 2004 said they had experienced at least one in-house breach in the previous year. These breaches are further complicated by cloud storage, which may allow insiders to steal larger amounts of information at a time. To mitigate these risks, companies must implement layered protections. The first of these layers should focus on identifying and limiting access to the data and systems that are most vulnerable. Even system administrators do not need to have full access to all systems. Companies can also rely upon a variety of data-loss prevention technologies that can perform functions such as preventing employees from copying files to flash drives and other types of portable storage media. Network monitoring is also necessary, as this allows companies to quickly flag any suspicious activity and conduct a thorough investigation to minimize any damage.

Read more


Current List of Labs and IITF Meeting Minimum Standards for Federal Urine Testing
The Department of Health and Human Services (HHS) notifies federal agencies of the Laboratories and Instrumented Initial Testing Facilities (IITF) currently certified to meet the standards of the Mandatory Guidelines for Federal Workplace Drug Testing Programs (Mandatory Guidelines). The Mandatory Guidelines were first published in the Federal Register on April 11, 1988 and require strict standards that IITF must meet in order to conduct drug and specimen validity tests on urine specimens for Federal agencies. To become certified, an applicant Laboratory/IITF must undergo three rounds of performance testing plus an on-site inspection. To maintain that certification, a Laboratory/IITF must participate in a quarterly performance testing program plus undergo periodic, on-site inspections. A notice listing all currently certified laboratories and IITF is published in the Federal Register during the first week of each month. If any laboratory or IITF certification is suspended or revoked, the laboratory or IITF will be omitted from subsequent lists until such time as it is restored to full certification under the Mandatory Guidelines. If any laboratory or IITF has withdrawn from the HHS National Laboratory Certification Program (NLCP) during the past month, it will be listed at the end and will be omitted from the monthly listing thereafter.

Read more

Medical Marijuana and the Drug Free Workplace
An increasing number of states have passed varying laws regarding marijuana legalization and the use of medical marijuana. At the same time, the federal government still maintains that marijuana use is illegal. Businesses that operate under federal contracts or fall under the Department of Transportation still must comply with drug testing regulations, regardless of state laws. Medical marijuana use is of special importance to employers, especially those who have a drug testing program in place. Some state laws do not mention their effect on the workplace, while others such as Arizona, Delaware, Maine and Michigan include provisions that address marijuana and the workplace. In states that allow medicinal marijuana, employers may still lawfully prohibit employees from using marijuana during work hours. Drug testing potential employees and those who are already employed with your company is very important, and although not a requirement under the Drug-Free Workplace Act of 1988 for most industries, it is recommended, and can be an integral part of your background check program. As the courts continue to update laws on medical marijuana, HR departments need to obtain guidance from local attorneys that specialize in labor laws to create drug policies that protect both their business interests and employees.

Read more

National Drug Abuse Survey: Workplace Abuse Persists; Marijuana, Heroin Use Gain
The Government’s results from the 2012 National Survey on Drug Use and Health: Summary of National Findings and Detailed Tables, finds that 8.9% of full-time employees and 12.5% of part-time employees, 18 years of age and older, are current illicit drug users, while 18.1% of unemployed adults in that age group are current illicit drug users. The Survey, published by the Substance Abuse and Mental Health Services Administration (SAMHSA) of the U.S. Department of Health & Human Services contains an ominous reminder for employers: “…most illicit drug users are employed. Of the 21.5 million current illicit drug users aged 18 or older in 2012, 14.6 million (67.9%) were employed either full or part-time.” The Survey suggests the need for continued vigilance against workplace substance abuse. The only sure way of detecting abuse and addressing it is by drug and alcohol testing using a lawful, common-sense policy. While the popularity of certain illicit drugs may ebb and flow, drug and alcohol abuse continue to pose hazards to workplace safety and impede efficient operations. For many, only the threat of loss of employment may propel them to enter a program that can end a pattern of abuse and dependence.

Read more


Report: E-Verify Accuracy Improving
U.S. Citizenship and Immigration Services (USCIS) have released the results of the most recent Westat Survey conducted on the accuracy of E-Verify, providing further validation that E-Verify is an accurate and robust tool. Though the survey was completed in July 2012, the results are finally being released to the public. Westat conducted the accuracy survey on E-Verify by evaluating the E-Verify Transaction Database. It’s worth highlighting that employer activity while logged into the E-Verify system is tracked and monitored by USCIS. The survey found that E-Verify accuracy is improving since the last survey released in 2009, which evaluated the tentative nonconfirmation (TNC) rates. The TNC rate in this report declined from 0.7% to 0.3%. Where a secondary review of a TNC is conducted by USCIS, the accuracy rate is 90% effective compared to a 58% effective rate in the absence of secondary reviews. A substantial portion of the survey was devoted to providing USCIS with recommendations on how to increase E-Verify’s accuracy moving forward, and other recommendations that would streamline the employment eligibility verification process. Some of Westat’s recommendations have already been implemented by USCIS, which potentially explains why this survey wasn’t made publicly available until now.

Read more

E-Verify: Iowa Joins RIDE and New Further Action Notice
USCIS has been busy with enhancements to the E-Verify system. Beginning September 8, 2013, the Records and Information from Dives for E-Verify (RIDE) Program will be adding Iowa to the program. This means that data from ID and driver's licenses issued by the Iowa Department of Transportation's Motor Vehicle Division (MVD) can now be inputted into the E-Verify system to be checked against the records of the MVD database for accuracy. The addition of Iowa as the fourth state to join the RIDE program (in addition to Mississippi, Florida and Idaho) is another step towards combating document fraud, a challenge that has plagued USCIS ever since the rollout of the E-Verify system. Employers are affected by the RIDE program only when workers present documents issued from any of the four states who participate in the program, regardless of where the employer’s place of employment is. For example, an employer participating in E-Verify may be located in Oregon. The employer’s newly hired worker has presented an Iowa driver’s license along with a social security card during the I-9 process. The employer would be prompted to enter the driver’s license data during the E-Verify case process, where the system will automatically check Iowa MVD’s records for a match.

Read more


Are Referees Still Important?
LinkedIn endorsements, online recommendations and more fleshed-out social media profiles have become important elements of understanding a candidate and evaluating them for a position in today’s world – and all of these exist outside of the traditional resume. Due to these developments, some employers believe referees and references are no longer relevant to recruitment. “Different social media profiles and other information that is kept up to date will provide a much richer experience than a [traditional] resume can,” Bryce Dunn, senior vice president at PageUp People. Dunn elaborated on the activity of a candidate – such as their posts on message boards relating to the profession – being more telling of them and their skills than a resume. However, Nick Deligiannis, managing director of Hays in Australian and New Zealand, stated that online recommendations are not a substitute for traditional references. Recruiters and employers should still be looking at referees as the most complete and important sources of information on candidates, as they will be able to demonstrate how a candidate used their skills and experience to help benefit their previous employers.

South America



Colombia Adopts Regulations to Implement its Data Protection Laws
With the advent of new rules regulating the protection of personal data, companies with operations in Colombia must implement policies and practices to comply with Colombia's privacy law. In October 2012, Colombia enacted Law 1581 to regulate the protection of personal data and safeguard the constitutional right of privacy in the midst of the challenges posed by globalization and new technologies that enable the easy electronic transfer of personal data. On June 27, 2013, Colombia's executive branch issued Decree 1377 ,to implement various provisions of Law 1581 and went into effect immediately. Law 1581 is part of a growing trend in Latin America to establish broad data protection regimes. Under the Political Constitution of Colombia of 1991, all citizens have an inviolate fundamental right to personal and familial privacy and to the protection of their good name. It is expected that the Superintendency of Industry and Commerce (SIC) will conduct inspections to monitor compliance, placing special focus on the health and financial industries, given these industries' reliance on collecting and processing personal data to conduct their activities. Therefore, employers must comply with the privacy law when collecting or processing personal data and to transfer it outside of Colombian borders.

Read more




Uruguay Legislators Approve Bill to Legalize Marijuana
Legislators in the lower house of Uruguay voted to approve a bill to legalize marijuana and the country’s Senate is expected to approve the bill. If the bill becomes law, Uruguay would become the first Latin American country to legalize marijuana. President José Mujica has said the bill is needed to free up police to fight street crime and criminals who smuggle other types of drugs. Polls have shown a majority of people in Uruguay oppose marijuana legalization. The bill would allow people to grow up to six marijuana plants in their homes and they could form cooperatives that would be allowed to cultivate 99 plants. Private companies would be allowed to grow marijuana, but their harvests could be bought only by the government. Marijuana would be sold in licensed pharmacies. Uruguayans who purchased marijuana would be entered into a confidential federal registry. They would be allowed to purchase 40 grams monthly. Only citizens of the country could buy marijuana.

“This vote is destined to have a big impact, with regional and even global repercussions for drug policy,” said John Walsh, an analyst at the humans rights group Washington Office on Latin America. “Uruguay’s timing is right. Because of last year’s Colorado and Washington state votes to legalize, the U.S. government is in no position to browbeat Uruguay or others who may follow.”

Read more

Share on Facebook
Share on LinkedIn

Previous Page

Follow us on Twitter
Follow us on Twitter
Find us on LinkedIn