Data Security

(Editor: The following is a guest blog post provided by our I-9 partner, Mitratech)

In talent acquisition and recruiting, staying ahead requires an understanding of industry trends and emerging technologies. It is essential to have an awareness of the many compliance laws and regulations governing the recruitment process. Specifically, employee data protection is undergoing significant transformations as each state passes new laws around data privacy. This turmoil puts pressure on HR departments as they are challenged to align hiring practices to be compliant with these new laws, specifically around background screening, I-9 forms, and employment and income verifications.

The California Consumer Privacy Act (CCPA)

One of the first consumer privacy laws enacted was the California Consumer Privacy Act (CCPA) in 2020. This law gives consumers and employees (CA residents) certain rights over the personal information businesses collect about them. Businesses are required to inform consumers about how they collect, use, and retain their personal information. Additionally, the California Privacy Rights Act (CPRA) amended the CCPA and went into effect on January 1, 2023. The CPRA added consumer and employee privacy rights and obligations around sensitive personal information (SPI), such as:

  • The Right to limit the use and disclosure of SPI
  • The Right to opt out of the sale and sharing of their SPI for cross-context behavioral advertising
  • The Right to correct inaccurate personal information
  • The Right to know what personal information that businesses have collected and how they use and share it
  • The Right to equal treatment for exercising these rights
  • The Right to delete SPI businesses have collected from them
  • The Right to access data: personal information data, categories/sources/collection purposes, and 3rd party disclosures and sales to employees when requested.

Here’s an overview of the recent legal developments that came about since the CPRA:

California Leads the Way

Although California is the only state to include employee data privacy, it is an indicator of the growing trend of considering the extension of privacy rights to employee data. Because of these new and upcoming state-level regulations, protecting sensitive employee information is becoming more crucial to future-proofing your compliance. As we rely more on data-driven decisions, maintaining the confidentiality of employee data is not only a legal requirement but builds trust within the workplace. Failure to handle sensitive employee information with care can lead to legal consequences, data breaches, information misuse, or harm an organization’s reputation.

1. Data Subject Rights

The CPRA and other similar laws are crafted entirely around data subject rights. Data subject rights grant individuals control over their personal information. Under the CPRA, employees have these rights:

  • The right to access
  • The right to delete
  • The right to correct
  • The right to opt out of the sale or sharing of personal data
  • The right to limit the disclosure of personal data
  • The right to opt-in to financial incentives for processes of personal data
  • The right to access information on automated decision-making
  • The right to opt out of automated decision-making; and
  • The right to non-discrimination for exercising these rights.

The process for handling data subject requests begins with a clear and accessible avenue for individuals to submit their requests. The business must honor them free of cost within 45 days or risk facing a penalty. After requests are made, the business should promptly respond to the request, whether it be providing access, correcting inaccuracies, or deleting the data. They must also communicate with any third parties to update the information in their systems per the request of the consumer.

2. Privacy Policies and Consent Management

These new laws explicitly require businesses to have a privacy policy in place as well as a consent management process. These are crucial components and often the first step to safeguarding sensitive employee information as they remain pivotal in background screening, I-9, and employment and income verifications.

According to the CPRA, privacy policies must notify employees before or at the point of collection of their personal information. This notice must include:

  • Categories of personal information to be collected
  • Purposes for which the information is to be collected
  • Whether this information is sold or shared – the employee must be given the option to opt out
  • The retention period of keeping their personal information or the method used to determine a reasonable period.

CPRA Privacy Policy Elements

The CPRA requires employers to provide a transparent and accessible privacy policy which should contain:

  • A list of categories of personal information it has collected in the preceding 12 months
  • Categories of sources where it has collected the information
  • Business or commercial purposes for collecting, selling, or sharing the information
  • Whether the business sells or shares employees’ personal information or discloses it for a business purpose
  • If the business sells or shares information, a list of the categories of personal information it has sold or shared in the preceding 12 months
  • If the business discloses the information, a list of the categories it has disclosed in the preceding 12 months
  • Categories of third parties to whom the business discloses employees’ personal information
  • Employees’ data privacy rights under the CPRA and the method to exercise them.

Privacy policies serve as guiding principles that outline how personal data is collected, processed, stored, and shared throughout the recruitment lifecycle. A well-crafted privacy policy in the context of hiring ensures transparency and compliance with these data protection regulations. Such policies instill confidence in candidates regarding the responsible handling of their information.

Consent management ensures that individuals provide explicit permission for the collection and processing of their personal information. The Fair Credit Reporting Act (FCRA) requires businesses to obtain explicit consent from job applicants before conducting any background screening and to verify their employment. Companies must also provide an applicant with a disclosure form informing the candidate that the company will be checking their background for employment purposes.

3. Data Minimization

Data minimization means an organization should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. According to the CPRA, businesses cannot process data beyond what’s “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”

Adhering to the principle of data minimization requires regular reviews and updates of the collected data. Routine assessments enable organizations to reevaluate the relevance and necessity of the data. Assessments allow organizations to identify and eliminate any information that no longer serves a legitimate purpose. Doing so minimizes the risk of unauthorized access or misuse and streamlines their data storage practices, promoting efficiency and transparency.

4. Secure Data Storage and Access Controls

Every business must take adequate technical and organizational measures to prevent data breaches. Not only will they harm an organization’s reputation, but they will also lead to violations of the CPRA.

The CPRA states that a business that collects a consumer’s personal information “shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.”

Estimating these potential data risks and determining the processes needed to keep your data secure is important. Conduct regular risk assessments to determine whether the benefits of processing sensitive personal information outweigh the risks to consumers, the public, and your business. Additionally, you should perform cybersecurity audits at least once a year.

Key Elements

Secure data storage involves implementing measures to protect sensitive information from unauthorized access, disclosure, alteration, and loss. Several key elements include:

  • Encryption
  • Access Controls
  • Authentication
  • Secure Storage Infrastructure
  • Regular backups
  • Physical Security
  • Secure Protocols
  • Data Masking and Anonymization

Data access controls refer to the mechanisms and policies put in place to manage and restrict access to confidential data within an organization. This involves assigning specific permissions and privileges to individuals based on their roles and responsibilities, ensuring that only authorized personnel can access, modify, or disseminate sets of data.
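The role-based, deny-by-default access control and data masking described above, as an added Python example that is not part of the original post and not Mitratech's or Vault Verify's code. The roles, the field-level policy, and the sample employee record are all constructed for the demonstration; the point is that any field or role the policy does not list is denied, sensitive values are masked for roles that only need a partial view, and every decision is recorded so denied reads can be reviewed.

```python
from enum import Enum
from typing import Optional


class Role(Enum):
    HR_ADMIN = "hr_admin"
    RECRUITER = "recruiter"
    PAYROLL = "payroll"


# Constructed field-level policy (hypothetical roles and fields). Each field names
# the roles allowed to see it and how: "read" = clear text, "masked" = only the
# last four characters. Any field or role not listed is denied, so the default
# is least privilege rather than "visible unless restricted".
FIELD_POLICY = {
    "name":               {Role.HR_ADMIN: "read", Role.RECRUITER: "read", Role.PAYROLL: "read"},
    "ssn":                {Role.HR_ADMIN: "read", Role.PAYROLL: "masked"},
    "background_check":   {Role.HR_ADMIN: "read", Role.RECRUITER: "read"},
    "i9_document_number": {Role.HR_ADMIN: "read"},
    "salary":             {Role.HR_ADMIN: "read", Role.PAYROLL: "read"},
}


def mask(value: str, visible: int = 4) -> str:
    """Replace every alphanumeric character except the last `visible` ones,
    keeping separators such as '-' so the masked value stays recognisable."""
    head, tail = value[:-visible], value[-visible:]
    return "".join("*" if ch.isalnum() else ch for ch in head) + tail


def view_record(record: dict, role: Role, audit: Optional[list] = None) -> dict:
    """Return the subset of `record` that `role` may see, masking where required.
    Every decision (read / masked / deny) is appended to `audit` as a
    (role, field, decision) tuple so access can be reviewed later."""
    result = {}
    for field, value in record.items():
        decision = FIELD_POLICY.get(field, {}).get(role, "deny")
        if decision == "read":
            result[field] = value
        elif decision == "masked":
            result[field] = mask(value)
        if audit is not None:
            audit.append((role.value, field, decision))
    return result


# Constructed sample record; every value here is made up for the demonstration.
SAMPLE_RECORD = {
    "name": "A. Sample",
    "ssn": "123-45-6789",
    "background_check": "clear",
    "i9_document_number": "DOC-0000-CONSTRUCTED",
    "salary": "85000",
    "home_address": "1 Example St",   # absent from the policy, so denied to everyone
}


def denied_reads(audit: list) -> list:
    """Filter an audit trail down to the denied decisions, the ones worth reviewing."""
    return [entry for entry in audit if entry[2] == "deny"]


if __name__ == "__main__":
    log = []
    for role in Role:
        print(role.value, view_record(SAMPLE_RECORD, role, log))
    print(f"{len(denied_reads(log))} denied field reads recorded for review")
```

The field not covered by the policy (`home_address`) is hidden even from the most privileged role, which is the behaviour you want when a new column is added to an HR system before anyone has decided who should see it.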

Prioritizing these practices helps organizations safeguard privacy, maintain regulatory compliance, and build trust in handling sensitive data during the hiring process.

5. Retention and Deletion Policies

Retaining employee data is necessary for background screening, I-9 management, payroll, and more. However, organizations must establish clear policies, timeframes, and protocols for retaining applicant and employee data. Organizations should delete data that is no longer required.

The CPRA states businesses “shall not retain a consumer’s personal information…for longer than is reasonably necessary for that disclosed purpose.” Not only should the personal information be used for its intended and disclosed purpose, but that information cannot be kept indefinitely.

Striking a balance between retaining essential information and regularly purging outdated records is crucial for maintaining data integrity, protecting employee privacy, and fulfilling legal obligations. Regularly review and update these policies according to the changing data protection regulations to keep up with new laws and amendments.
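A retention schedule keyed by the purpose disclosed at collection, with a purge routine that honours it, as an added Python example that is not part of the original post and not Mitratech's or Vault Verify's code. The purposes, the day counts and the sample records are constructed placeholders; the day counts in particular must be replaced by the periods an organization's own privacy notice states. Two behaviours matter here: a record collected for a purpose with no disclosed retention period is an error rather than silently kept forever, and a legal hold overrides the purge.

```python
from datetime import date, timedelta

# Constructed retention schedule (hypothetical purposes). The day counts are
# placeholders: substitute the periods your privacy notice actually discloses.
RETENTION_DAYS = {
    "background_screening": 365,
    "i9_verification": 3 * 365,
    "payroll": 7 * 365,
}


def retain_until(purpose: str, purpose_ended: date) -> date:
    """Last date on which a record collected for `purpose` is still needed.
    An undisclosed purpose raises: the CPRA ties retention to the disclosed
    purpose, so 'no period on file' must not default to indefinite retention."""
    if purpose not in RETENTION_DAYS:
        raise ValueError(f"no disclosed retention period for purpose {purpose!r}")
    return purpose_ended + timedelta(days=RETENTION_DAYS[purpose])


def partition_records(records: list, today: date) -> tuple:
    """Split records into (keep, purge). A record is purged once its retention
    period has passed, unless it carries a legal hold."""
    keep, purge = [], []
    for rec in records:
        expired = today > retain_until(rec["purpose"], rec["purpose_ended"])
        if expired and not rec.get("legal_hold", False):
            purge.append(rec)
        else:
            keep.append(rec)
    return keep, purge


# Constructed sample records; ids, dates and flags are made up for the demonstration.
SAMPLE_RECORDS = [
    {"id": "R1", "purpose": "background_screening", "purpose_ended": date(2022, 1, 15)},
    {"id": "R2", "purpose": "i9_verification", "purpose_ended": date(2023, 3, 1)},
    {"id": "R3", "purpose": "background_screening", "purpose_ended": date(2021, 6, 1),
     "legal_hold": True},
    {"id": "R4", "purpose": "payroll", "purpose_ended": date(2016, 1, 1)},
]


def purge_ids(records: list, today: date) -> list:
    """Ids of the records that should be deleted as of `today`."""
    _, purge = partition_records(records, today)
    return [rec["id"] for rec in purge]


if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    keep, purge = partition_records(SAMPLE_RECORDS, as_of)
    print("keep:", [r["id"] for r in keep])
    print("purge:", [r["id"] for r in purge])
```

Passing `today` in explicitly keeps the purge decision reproducible, which makes it possible to show an auditor exactly which records a given run would have deleted and why.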

6. Training and Awareness

HR professionals play a pivotal role in ensuring the lawful and ethical handling of employee data. Comprehensive training equips HR staff with a deep understanding of data protection laws, such as the CPRA, fostering compliance, and minimizing the risk of legal repercussions. It allows them to implement robust data security measures, enforce access controls, and respond effectively to inquiries from consumers on their personal information and data breaches.

Moreover, a well-informed HR team builds a culture of privacy and security awareness, instilling trust among employees and applicants that their personal information is handled with utmost care and integrity. Ultimately, investing in the continuous education of HR personnel on data privacy safeguards both the organization and its employees. This investment reinforces a commitment to ethical data practices and legal adherence.

7. Selecting Vendors

When selecting vendors for background screening, I-9 systems, and employment and income verifications, it’s crucial to prioritize those that comply with data privacy laws and other regulations. Organizations should evaluate the vendors’ commitment to data privacy and security to ensure they adhere to industry-specific laws and regulations. Vendors must be transparent about data handling processes, encryption practices, access controls, and mechanisms for data breaches or incidents.

Electronic I-9 systems, such as Tracker I-9, can help eliminate risk and ensure compliance. These systems offer built-in error checks to catch mistakes, offer secure storage options to protect from unauthorized access and provide for easy retrieval during audits.

Comprehensive background screening solutions, such as AssureHire, are accredited by the Professional Background Screening Association (PBSA) and SOC2 certified. AssureHire provides detailed and accurate reports on background check findings, ensuring that employers have the necessary information to make informed hiring decisions. The reports comply with disclosure requirements and include only relevant and permissible information.

Automated income verification services through the Vault EDGe Gateway ensure compliance with data privacy laws and FCRA through the integration with Tracker I-9 and AssureHire. Employment details are accessed directly from the employer’s records to reduce risk. This solution provides high-tech encryption, secure data centers, and security protocols that eliminate “send-and-store” file feeds.

Cutting-edge Technology and Strategic Partnerships for Compliant Workplaces

Adhering to data privacy laws is essential to HR processes’ ethical and legal dimensions. As HR professionals navigate data privacy regulations, embracing these standards mitigates legal risks and demonstrates a commitment to respecting individuals’ privacy rights. From privacy policies and consent management to implementing secure storage, these principles create a foundation of trust between employers and their candidates and employees.

For HR professionals, Vault Verify’s partner, Mitratech, provides an end-to-end suite of solutions including background screening and form I-9. AssureHire is a leading provider of candidate-friendly background screening solutions, dedicated to making the hiring process more accessible and convenient for both employers and job seekers. With a strong focus on candidate experience, AssureHire ensures that the screening process is efficient, transparent, and respectful of individuals’ privacy rights.

Tracker I-9 is a user-friendly software that simplifies the Form I-9 process, reduces compliance risks, and offers features such as electronic storage, automated updates, and robust data security. With its intuitive interface and dedicated customer support, Tracker I-9 is an ideal choice for organizations seeking efficient and reliable Form I-9 management.

With our partnership with Mitratech, we can offer more advantages through our EDGe Gateway solution at a reduced price.

The Vault EDGe Gateway provides real-time data for Tracker I-9 and AssureHire through API integration. Learn how this partnership greatly reduces potential employee data exposure and manual admin work.

If you would like to learn more about Vault Verify’s employment and income verification services, and see how our real-time API protects employee data, please request a demo.

For more blog content, be sure to subscribe to stay notified of new blogs.

Miranda Knudtson
Partner Marketing Manager, HR Compliance at Mitratech

Miranda Knudtson is the Partner Marketing Manager of the HRC business unit at Mitratech. Miranda works closely with the Partnership team to develop and execute comprehensive partner marketing strategies and programs to generate demand, increase brand awareness, and drive revenue growth. She collaborates with channel partners to create co-branded campaigns, webinars, events, and various marketing initiatives to foster partner engagement and customer acquisition for Mitratech and their channel partners.

Outside of her role, Miranda enjoys reading, painting and other crafts, along with traveling to National Parks with her partner.