British Columbia Privacy Commissioner Calling for Changes to Employee Criminal Record Checks

On July 25, 2012, British Columbia’s Privacy Commissioner Elizabeth Denham published an investigation report recommending changes to the B.C. government’s use of criminal record checks to assess current and future employees.

This report comes after the March 2011 announcement that the Commissioner intended to look into the practice of employment-related record checks because of the disturbing trend that more and more employers require employee background checks to reduce the risk of liability for subsequent actions of employees.

She decided to concentrate on the B.C. government because, 1) it is the province’s largest employer, and, 2) they recently expanded their security screening policy and the number of criminal records checks it requests from current and prospective employees.

The Commissioner found that the current policy of the Government of British Columbia with respect to criminal record checks contravenes the Freedom of Information and Protection of Privacy Act (FIPPA). It fails to achieve the balance required between its business needs as an employer and the privacy rights of employees.

The Commissioner summarized her findings and recommendations as follows:

• The current policy of the government of British Columbia with respect to criminal record checks contravenes FIPPA. It fails to achieve the balance required between its business needs as an employer and the privacy rights of employees. The policy should be rectified in accordance with my recommendations.” (Investigation Report F12-03, page 6)
• Government is collecting more information than is necessary to perform a criminal record check on its prospective and current employees and is not in compliance with FIPPA [s. 26(c)]
• Government’s collection of criminal record history for some of its prospective and current employees contravenes FIPPA and it should revise its policy to reduce the number of positions that will require criminal record checks [s. 26(c)]
• Government unnecessarily conducts multiple checks on some employees; for example, on a transfer to a similar position, contrary to FIPPA [s. 26(c)]
• Government does not have authority to re-administer criminal record checks to employees a minimum of every five years. Government should perform ongoing checks not more frequently than every five years and only where an employee exercises a particularly sensitive function that requires ongoing scrutiny
• Government does not meet the requirements in FIPPA to notify prospective and current employees of the collection of their personal information. It does not clearly set out the information it is collecting and there is no statement regarding the contact information of a government employee who can answer questions from concerned individuals [s. 27(2)
• Government’s retention of the personal information it collects contravenes s. 31 of FIPPA. I recommend that government retain criminal record checks for one year
• When government makes substantive changes to its criminal record check policy, it should update its privacy impact assessment and provide my office with the opportunity to review and comment on the changes

In addition to her findings and recommendations, Appendix B of the report includes 16 best practices for employment-based record checks by government as well as other public bodies. The Commissioner has indicated that best practices for employment record checks by private-sector employers will be issued at a later date.

It is important to note that the report, findings, recommendations and best practices are not intended to cover checks required by the Criminal Records Review Act for individuals working or volunteering with children or vulnerable adults.

The best practices include the following,

1. Conduct criminal record checks and not police information checks. A public body will seldom have authority under FIPPA to collect the breadth of information found under a police information check [s. 26(c) of FIPPA]
2. Collect only the minimum amount of personal information necessary to conduct criminal record checks and do not retain a copy of an individual’s identification. Prior to conducting a criminal record check, a public body should limit its collection to that which is necessary to conduct a check [s. 26(c) of FIPPA] – an individual’s surname, given name, date of birth, gender and any aliases or previous names. A public body should only examine an individual’s identification to confirm identity and not record any information or retain a copy of any identification
3. Conduct certified criminal record checks only where criminal record checks are inconclusive. It will seldom be necessary for public bodies to require individuals to submit to fingerprinting as part of the application process. Public bodies only require this type of record check where the results a criminal record check are inconclusive (i.e. there are multiple potential matches of the original check and the identity of the individual can only be confirmed by fingerprinting)
4. Criminal record checks should not be required for all positions. Public bodies should require criminal record checks only for positions with unique access to valuable resources and sensitive information. A public body should determine on a case-by-case basis whether it has the authority under FIPPA to collect personal information regarding the criminal record history of an individual
5. Criminal record checks should be only one minor element of an employer’s screening process. Employers should be more reliant on other screening methods to assess employee suitability, such as interviews, oral and/or written examinations, and reference checks
6. Ensure that proper notification is given to individuals before a check occurs. Before an individual agrees to a criminal record check, the public body must ensure that the individual is told: the public body’s purpose for collecting criminal record history; the public body’s legal authority for collecting this information; and the title, business address and business telephone number of an officer or employee of the public body who can answer the individual’s questions about the collection [s. 27(2) of FIPPA]
7. Conduct criminal record checks on prospective employees only after a public body has made a conditional offer of employment. Public bodies should not perform criminal record checks at any earlier stage of the hiring process [s. 26(c) of FIPPA]
8. Criminal record check results should go to the individual before they are disclosed to the public body. Public bodies should not ask individuals to consent to providing record check results directly to them. The individual should receive the results of his or her record check and have the opportunity to review the check for accuracy. Where a potential error exists, the individual will have the opportunity to challenge the results of the criminal record check before he or she discloses the results to the public body. This also gives individuals an opportunity to abandon their pursuit of a job where they do not wish to disclose the results of a record check to the public body
9. Consider the relevance of an individual’s criminal record history in relation to the specific requirements of a position. In the event that a criminal record check reveals that an individual has a previous conviction or outstanding charge, an employer must determine whether this has any effect on the hiring of the individual by considering the characteristics of the position the individual has applied for. Employers should create a list of potentially relevant convictions for the various positions that they will subject to criminal record checks. Employers must not refuse to employ or to continue to employ an individual because that person has a criminal record that is unrelated to their employment. Employers must also consider the amount of time that has passed since any conviction
10. Allow individuals the opportunity to request a review of a decision to not hire them based on the results of a criminal record check. A public body should ensure that it clearly communicates the availability of a review process to individuals who it decides not to hire after receiving the results of a criminal record check. Someone who was not involved in the initial decision of the public body should conduct the review process
11. Do not use the results of employment-related criminal record checks for any purpose other than to make a hiring decision. A public body does not have authority under FIPPA for uses that are not consistent with making a hiring decision [s. 32 of FIPPA]
12. Set retention periods for criminal record check information. A public body should not retain an individual’s criminal record history indefinitely. Instead, it should retain the results of an individual’s criminal record check for one year [s. 31 of FIPPA]. This one-year period should apply whether the individual is subsequently hired or not, with an exception where a check reveals an individual has a criminal record but the public body determines that the individual is nonetheless suitable for employment. In such instances, the public body should retain a document noting when it performed a criminal record check as well as a brief summary of the individual’s criminal record. This retention will ensure the public body’s future decision-making process is consistent with past decisions regarding this individual’s employability
13. Do not require unnecessary additional checks on employees who change positions within the public body. It is not necessary to conduct an additional criminal record check on an employee simply because of a change in position. An additional check may be justifiable where an employee had a criminal record check performed, but the public body subsequently hires him or her into a position with substantially different responsibilities and risk factors
14. Do not automatically require employees to submit to ongoing criminal record checks even where an initial criminal record check prior to hiring is justifiable. Public bodies should require ongoing checks only where an employee exercises a particularly sensitive function that requires ongoing scrutiny. There is a significant distinction between a public body’s ability to justify the need for criminal record checks at the point of initial hire as compared to as part of an ongoing employment relationship. The waiver of privacy which may be justified when hiring a new employee is substantially less compelling when applied to an employee with many years of service
15. Where possible, assign responsibility for the criminal record check process to a central agency such as a human resources department rather than to a supervisor of the prospective employee. Members of the working group for a prospective employee do not need to know the specifics of the individual’s criminal history. As a result, where possible, a public body’s human resources department or other central agency should be responsible for its criminal record check process
16. Prepare privacy impact assessments to assess and mitigate privacy implications of any new or revised usage of criminal record checks. Public bodies should treat privacy impact assessments as evergreen documents that they review and update on a regular basis as required

So what can be taken from this report?

When conducting reference and background checks for prospective employees, employers must delicately balance their need to know with employees’ privacy, and they must obtain consent. In order to maximize the advantages and minimize the risks associated with pre-hiring background checks, it is vital for employers to carefully consider what information they want and need, and exactly when and how the enquiries should be conducted. Thus, employers should avoid adopting a “more is better” approach to collecting personal information about a job candidate as unnecessary information may ultimately burden an employer with legal liability.

An employer who performs criminal reference checks on prospective employees (as part of a job selection process) must be able to establish that there is a need and bona fide (reasonably valid) reason for doing so. Employers must ensure that processes are in place to screen participants and to conduct criminal reference checks if the type of placement warrants it. Such checks must be clearly related to employment and be a condition of employment. The application form and/or conditional offer of employment must clearly state that the criminal check is necessary because of the position sought.

The results of a criminal reference check are used to determine whether the candidate has a record of offence that would render the candidate unsuitable for employment. If an applicant is rejected because of the results of a criminal reference check, there must be a link between the decision to reject the application, the position, and the applicant’s record.

Employers who establish a criminal reference check policy must comply with privacy legislation, as well as human rights legislation and RCMP guidelines. The workplace policy must clearly state the need for the criminal reference check, the purpose of collecting such information, and how the information will be used and stored. Consent to collect and disclose the information should be obtained.

Thus, careful consideration of recruiting and hiring policies ought to be made with respect to how a candidate’s personal information will be used, obtained, retained and disclosed. Once personal information has been obtained, the employer is obliged to protect the confidentiality of the information and to use it and store it in a responsible way.