Q: A job applicant claims he’s previously been a victim of identity theft and insists that before he provides us with personal data for our background check, we must promise him that we and the firm we use to conduct the checks will delete all data from our systems immediately after making a hiring decision. Should we comply?
A: Identity theft fears are understandable, but you and the background check service you use have legal obligations, making such a promise inadvisable.
Under the Fair Credit Reporting Act that governs background checks, claims of improper conduct can be filed for up to five years after the date of the alleged violation, making it necessary to retain records for at least five years.
Disposal: The Law Is Clear
Rules regarding identity theft prevention do exist, however, and should allow your applicant to apply for a job with minimal concerns.
The Fair and Accurate Credit Transactions Act of 2003, which complements the FCRA, was enacted specifically to address proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information,” once a suitable retention period has been met.
While not rigid in its mandate for any particular method of disposal, the law is very clear on the necessity of adopting a process that ensures effective destruction of records, whatever their format.
Lastly, your background screening provider should be able to describe their internal safeguards, ranging from systems and communications (security, encryption, backups, etc.) to staffing (background checks on staff), any history of problems, and response strategy, including regular audit activity to monitor access to system data.
If after providing your applicant with the above information he is still unwilling to disclose the necessary personal information, you may need to suggest that he seek employment elsewhere.