返回列表 发表时间:2021-08-30    浏览次数:824

背景调查和国际劳动力

如今,企业在其生命周期中比以往任何时候都更早地成为国际企业。也许是因为现在出国旅行变得更加容易和快捷,而且由于技术的存在,与世界各地的员工、供应商、顾问和其他人合作变得更加容易(可能完全不需要旅行)。员工不再需要身在公司的主要办公室才能工作。招聘现在认识到人才可能跨越国界。

在另一个国家寻找人才现在可能是必要的,但它也需要扩大背景审查,以最好地确保不仅招聘顶级人才,而且有助于降低风险和保障安全。

众所周知,美国有无数的联邦、州和地方法律会影响背景筛选过程。平等就业机会委员会(“EEOC”)禁止基于种族、性别、国籍和其他基础的就业歧视。联邦贸易委员会 (“FTC”) 和消费者金融保护局 (“CFPB”) 执行《公平信用报告法》(“FCRA”),该法律规定了有关雇主在通过以下方式进行背景调查时应遵循的程序的规则:第三方。许多州和地方司法管辖区也有规定雇主何时可以询问犯罪记录、信用和工资信息的法律。

美国公司遵守美国法律是一个相当大的挑战。但在从海外吸引人才时,理解和应用其他国家经常令人困惑和相互冲突的法律可能是一项更加艰巨的任务。

美国、加拿大、中美洲和南美洲

美洲在如何处理监管系统方面深受美国和加拿大的影响。在普通法国家,法律通常是“禁止性的”。换句话说,只要法律没有规定你不能,你就可以为所欲为。因此,这种方法往往是“选择退出”。虽然美洲有许多国家的法理背景不同,但美国的影响力仍然不容小觑。

我们看到影响背景筛查工作的监管最常见的地方是信用和犯罪历史。总的来说,美国是一个基于同意的系统。

信用报告

与美国类似,加拿大也有法律规范信用记录的开发和使用。《信用报告法》规定了信用报告机构可以收集哪些信息、谁可以向他们提供这些信息、谁可以使用信用报告以及报告的用途。

该法案还通过限制信用报告机构可以包含在信用报告中的信息种类以及限制谁可以接收和使用该信息来保护个人隐私。加拿大的一些省和地区颁布了法律,对雇主提出了额外的限制和要求。

犯罪记录

在美国以外,犯罪记录通常被视为敏感数据,因此受到保护和限制。

综合隐私法

与美国不同,加拿大在联邦和省两级都有“综合”隐私法。联邦《个人信息保护和电子文件法》(“PIPEDA”)通过规定允许跨省边界运营的所有信用报告机构处理个人信息来保护个人。PIPEDA 对收集和使用个人信息的任何人施加通知和同意要求。其中一项义务是要求仅以数据主体(而非使用数据的企业)认为合理的方式使用个人信息。

中美洲和南美洲的九个国家拥有类似于加拿大联邦 PIPEDA 的综合隐私法。其中包括重要的贸易伙伴,如墨西哥、秘鲁和哥伦比亚。此外,阿根廷和乌拉圭在跨境数据传输方面采用了类似欧盟的充分性要求。结果是,这些国家/地区中的每一个都对可以用来进行背景筛查的范围和程序有特定的限制。

欧盟立法

2016 年 4 月,欧盟成员国和其他 11 个维持跨境数据传输“充分性”法规的国家采用了新的欧盟数据保护框架。通用数据保护条例 (GDPR) 将取代当前的欧洲数据保护指令 95/46/EC,并将直接适用于所有成员国,无需实施额外的国家立法。新法规将于 2018 年 5 月 25 日生效。

有许多一般原则可以一致地应用于背景筛查,最好的做法是确保管理此类流程以符合欧盟 (EU) 的一般隐私法。

数据保护(隐私)法

欧盟数据隐私法的基石是数据保护原则(“原则”),根据 GDPR 的部分要求,任何个人数据是:

  1. 以合法、公平和透明的方式处理数据主体(“合法、公平和透明”);

  2. 为特定的、明确的和合法的目的收集,并且不会以与这些目的不符的方式进一步处理;根据第 89 条第 1 款,出于公共利益、科学或历史研究目的或统计目的的存档目的的进一步处理不应被视为与最初目的不符;('目的限制');

  3. 充分、相关且仅限于与处理目的相关的必要内容(“数据最小化”);

  4. 准确,并在必要时保持最新;必须采取一切合理措施确保不准确的个人数据在考虑到处理目的后立即被删除或纠正(“准确性”);

  5. 以允许识别数据主体的形式保存,时间不超过处理个人数据的目的所需的时间;根据第 83 条第 1 款的规定,在实施适当的技术和组织措施的情况下,个人数据可能会被存储更长时间,因为个人数据将仅出于公共利益、科学或历史研究目的或统计目的而被处理本法规要求的保护数据主体权利和自由的措施(“存储限制”);

  6. 以确保个人数据适当安全的方式进行处理,包括使用适当的技术或组织措施(“完整性和保密性”)防止未经授权或非法处理以及意外丢失、破坏或损坏。

显然,背景筛选正在处理个人信息,因此问题是如何实现上述原则?

人们普遍认为,证明遵守原则的最有效方式是披露和同意,尽管包括法国和西班牙在内的一些成员国质疑同意在就业环境中的有效性,因为双方谈判地位的不平等。候选人和公司。同意必须是在背景筛选的情况下自由给予的、具体的和知情的;候选人必须知道他们为何被筛选以及由谁进行筛选、将验证哪些类型的信息、谁可以访问结果以及他们的数据可以在哪些司法管辖区进行处理。此外,候选人必须能够随时撤销同意。

信用报告和犯罪记录

每个成员国还制定了管理信用记录和犯罪记录信息的收集和使用的当地法律。这些法律应与当地数据隐私法和 GDPR 一起阅读,但在考虑是否将此类检查纳入任何背景筛查包时应进一步小心,因为当地劳动法也会影响可能收集和使用的数据/信息在任何雇佣决定中。

亚洲

虽然包括香港和日本在内的一些亚洲国家已经制定了数据隐私立法,但作为一个地区,亚洲正在这方面不断发展。多年来,亚洲缺乏数据隐私立法对招聘公司很有吸引力,但随着个人对基本权利的普遍认识的提高,雇主越来越关注确保他们似乎实施了保护。

正如亚太经济合作论坛(“APEC”)所看到的,数据保护是经济扩张的门槛问题:该地区的监管体系都在努力解决这个问题,而法律法规正在仍在不断变化中,马来西亚和越南等许多新兴市场正在实施数据隐私法,以吸引投资者开展业务,而菲律宾最近颁布了广泛的数据保护规则和法规。

数据保护(隐私)法

十四个国家最近实施了数据保护法,包括韩国、马来西亚、菲律宾和新加坡。许多国家已经从欧盟的书中汲取了一页,并决定积极将保护写入其法规。幸运的是,大多数亚洲国家都将同意作为处理合法化的主要依据。然而,一些著名的国家对数据保护采取了比美国模式所考虑的要强得多的立场。韩国拥有被认为是世界上最强大的数据隐私法,最近进一步修订以禁止收集和处理居民登记号码 (RRN) 的形式加强对个人数据的保护。

亚洲监管体系中的另一个重要因素是刑事处罚的可能性。韩国、菲律宾和其他亚洲国家已纳入直接民事和刑事补救措施,可用于针对违反数据保护法的个人。这使得制定背景筛查合规计划更加直接,因为负责进行背景筛查的个人可能会受到民事和刑事制裁。

不幸的是,由于这些大多是新法律,因此没有一套执法和解释历史来帮助通知想要开发和管理筛选计划的企业。因此,在这些司法管辖区有一个了解当地文化的合作伙伴能够帮助引导这些法律的执行方式至关重要。

信用报告和犯罪记录

虽然亚洲的许多国家/地区都有综合隐私法,但许多国家也有像美国这样的部门法律。韩国有 FCRA 式的法律。新加坡和韩国都有法律禁止将犯罪记录用于某些目的。无论如何,在背景筛选过程中有用的许多数据都将被视为敏感数据。这会增加您必须获得的同意类型,并减少您可以使用此类数据的目的。

结论

在日益全球化和相互关联的劳动力中,有效和高效地管理人才需要背景筛选流程。然而,有许多文化差异导致监管系统对公司如何实施筛选过程有非常不同的要求。因此,任何正在建立或发展其背景筛选流程的公司都需要采用一种足够灵活和智能的整体方法,以便能够识别本地差异,并以高效且具有成本效益的方式解决这些差异. 这不是不可能,但很复杂。它还需要对当地法律、习俗和执法重点有一些相当具体的了解。

Finding talent in another country may now be requisite, but it also demands extending background screening to best ensure the hiring not only of top tier talent, but to help to reduce risk and safeguard security as well.

As most know, the United States has a myriad of federal, state, and local laws which impact the process of background screening. The Equal Employment Opportunity Commission (“EEOC”) prohibits employment discrimination based on race, gender, national origin and other bases. The Federal Trade Commission (“FTC”) and Consumer Financial Protection Bureau (“CFPB”) enforce the Fair Credit Reporting Act (“FCRA”), the law which sets forth rules regarding the procedure for employers to follow if it conducts background checks through third parties. Many states and local jurisdictions also have laws governing when employers can ask about criminal history, credit, and salary information.

It’s quite a challenge for American companies to adhere to U.S. laws. But when drawing talent from overseas, understanding and applying the often confusing and conflicting legalities of other nations may present an even more daunting task.

US, Canada, Central & South America

The Americas are heavily influenced by the United States and Canada in terms of how they approach regulatory systems. In the common law countries, the law generally operates to be “prohibitive.” In other words, you can do whatever you want as long as the law doesn’t say you can’t. Consequently, the approach tends to be “opt-out.” While there are a number of countries in the Americas which come from a different jurisprudential background, the US influence still cannot be underestimated.

The most common place we see regulation which impacts the background screening efforts is in credit and criminal history. In general, the US is a consent-based system.

Credit Reports

Similar to the US, Canada has a law regulating the development and use of credit history. The Credit Reporting Act sets out what information credit reporting agencies are allowed to collect, who can provide that information to them, who can use credit reports, and what the reports can be used for.

The Act also protects individuals’ privacy by placing limits on the kinds of information that a credit reporting agency can include in a credit report and by limiting who can receive and use that information.  Some Canadian Provinces and Territories have enacted laws which place additional restrictions and requirements on employers.

Criminal Records

Outside the US, criminal records are often considered sensitive data, and are protected and restricted as such.

Omnibus Privacy Law

Unlike the US, Canada does have an “omnibus” privacy law at both the federal and provincial levels. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) protects individuals by setting out what all of the credit reporting agencies operating across provincial borders are allowed to do with information about individuals. PIPEDA imposes notice and consent requirements on anyone who collects and uses personal information. One of those obligations is the requirement that personal information only be used in a way that the data subject (not the business using the data) would consider reasonable.

Nine countries in Central and South America have omnibus privacy law similar to Canada’s federal PIPEDA. These include significant trading partners like Mexico, Peru, and Colombia.  In addition Argentina and Uruguay have adopted EU like adequacy requirements concerning cross-border data transfers. The result is that each of these countries will have particular limitations as to the scope and process one can use to perform background screening.

EU Legislation

In April, 2016 a new EU data protection framework was adopted by EU Member States and 11 other countries maintaining cross-border data transfer “adequacy” regulations.  The General Data Protection Regulation (GDPR) will replace the current European Data Protection Directive 95/46/EC and will be directly applicable in all Member States without the need for implementing additional national legislation. The new Regulation will be enforceable effective May, 25 2018.

There are a number of general principles that can be consistently applied to background screening and it is best practice to ensure that such processes be managed to comply with the general privacy law in the European Union (EU).

Data Protection (Privacy) Law

The cornerstone to data privacy law in the EU are the data protection principles (“Principles”) which under the GDPR require in part, that any personal data is:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (‘purpose limitation’);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

Clearly, background screening is processing personal information so the question is how can the principles described above be achieved?

It is the general view that the most effective way to demonstrate compliance with the Principles is via disclosure and consent, even though some member states including France and Spain, question the validity of consent in an employment context due to the inequality of bargaining position between the candidate and the company. Consent must be freely given, specific and informed and in the context of background screening; the candidate must know why they are being screened and by whom, what type of information will be verified, who will have access to the results, and in which jurisdictions their data may be handled. Further, the candidate must be able to revoke consent at any time.

Credit Reports & Criminal Records

Each member State also has local laws governing the collection and use of credit history and criminal history information. These laws should be read in conjunction with local data privacy laws and the GDPR, but further care should be taken when considering whether to include such checks in any background screening package as local labor laws also impact on what data/information may be gathered and used in any employment decision.

Asia

While some nations in Asia including Hong Kong and Japan have established data privacy legislation, as a region Asia is evolving in this area. For many years Asia’s lack of data privacy legislation was attractive to hiring companies but with an increased general awareness of fundamental rights by individuals, employers have been increasingly concerned to ensure that they appear to implement protections.

As the Asia-Pacific Economic Cooperation Forum (“APEC”) has seen, data protection is a threshold issue with regard to economic expansion: the regulatory systems of the region are all trying to get a handle on this and while the law and regulation is still very much in flux, many emerging markets such as Malaysia and Vietnam are implementing data privacy laws with a view to attract investors in setting up operations, while the Philippines have recently issued widespread data protection rules and regulations.

Data Protection (Privacy) Law

Fourteen countries have recently implemented data protection laws, including South Korea, Malaysia, Philippines, and Singapore. Many countries have taken a page out of the EU’s book and decided to be aggressive in writing protections into their statutes. Fortunately, most Asian countries are using consent as a primary basis for legitimizing processing. However, several notable countries have taken a much harder stance to data protection than the US model would consider. South Korea has what is regarded as the strongest data privacy laws in the world and recently made further amendments strengthening the protection of personal data in the form of a prohibition on the collecting and processing of Resident Registration Numbers (RRN).

The other important element in the regulatory systems in Asia is the potential for criminal penalties. South Korea, Philippines and other Asian countries have included direct civil and criminal remedies which can be used against individual persons who violate the data protection laws. This makes having a compliance program for background screening even more immediate as  the individual responsible for doing background screening may be subject to civil and criminal sanctions.

Unfortunately, as these are mostly new laws, there isn’t a body of enforcement and interpretation history to help inform businesses who want to develop and manage screening programs. It is therefore critical to have a partner on the ground in these jurisdictions who knows the culture to be able to help navigate the way these laws will get enforced.

Credit Reports & Criminal Records

While a number of countries in Asia have omnibus privacy law, many also have sectorial laws like the US. South Korea has a FCRA-style law. Singapore and South Korea both have laws prohibiting the use of criminal history for certain purposes. In any event, much of the data that would be useful in a background screening process would be considered sensitive. This has the effect of elevating the types of consent you must obtain, and reducing the purposes for which you can use such data.

Conclusion

Background screening processes are necessary for the effective and efficient management of talent in an increasingly global and interconnected workforce. However, there are a number of cultural differences which drive regulatory systems that have very different requirements on how a company can implement a screening process. As a consequence, any company that is setting up, or evolving, their background screening processes will need to have a holistic approach which is flexible and intelligent enough to be able to recognize local differences, and address those differences in an efficient and cost effective way. It isn’t impossible, but it is complicated. It also requires some fairly specific knowledge of local law, customs, and enforcement priorities.

电子屏_画板 7.png