Background Check Providers & Data Management
Tim Gordon
November 26 2024
Protecting personal data is one of the most important parts of background checks. Background check providers work with sensitive information like Social Security Numbers (SSNs), addresses, and criminal records. This makes it critical for them to prioritize data security and comply with screening laws and regulations.
Let’s explore what your background check provider should do to keep candidate information secure. From compliance requirements to protecting your business from reputational damage — let’s dive in!
What Is Personally Identifiable Information (PII)?
Personally identifiable information, or PII, includes any data that can identify someone. Examples of PII are names, birthdates, SSNs, addresses, and phone numbers. This information is highly sensitive. If companies mishandle PII, the results can be devastating.
Employers could face lawsuits, fines, and reputational damage. The impact doesn’t stop there — candidates may also lose trust in the hiring process. Once trust is gone, it can be tough to rebuild.
How to Keep PII Safe
Background check providers must follow strict practices to protect PII. Here are a few things they should do:
- Mask Sensitive Information: Throughout the background check process, your provider should mask sensitive information. For example, they should keep SSNs hidden in their systems unless needed. They should only show the last four digits of SSNs in background check reports.
- Use Strong Encryption: Encryption protects data by making it unreadable to unauthorized users. Providers should encrypt both stored and transmitted data.
- Control Access: Only authorized employees should have access to sensitive candidate information, and access should be limited by job role. For example, someone in the drug screening department likely does not need access to criminal history results.
In 2023, the average data breach cost was $4.45M globally (IBM).
Why Data Hygiene Matters
Data hygiene is all about managing and organizing records responsibly. Poor data management can create major problems.
The FCRA suggests that screening companies maintain records for a minimum of five years. After that period, however, they should have a solid data purging policy. Outdated or unnecessary records pile up, and every record still on hand increases the impact of a breach if one occurs.
Key Data Hygiene Practices to Ask About
Limit How Long Records Are Kept:
Ask your screening provider how long they keep records. We recommend a minimum of five years but not longer than seven.
Delete Old or Unnecessary Records:
Ask about their data purging procedures. You don’t want sensitive data in the dumpster! Providers should regularly and securely purge outdated reports and unused data. This reduces risk.
Track Who Accesses the Data:
Ask for details about their data access controls. Providers should maintain detailed logs of data access and deletions. This helps with accountability and compliance.
Proper data hygiene is a must for maintaining secure systems and protecting sensitive candidate information.
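The three PII safeguards above (SSN masking, role-based access, access logging) and the retention and purging practices in this section can be combined into a small set of checks. The following is an added illustration, not InfoMart's code; the roles, field names, seven-year purge ceiling and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Role-based view: which report fields each job role may see (assumed roles, not a real schema).
ROLE_FIELDS = {
    "criminal_analyst": {"candidate", "ssn", "criminal_history"},
    "drug_department": {"candidate", "drug_result"},
}
RETENTION_MAX_YEARS = 7  # purge anything older than the seven-year ceiling recommended above

@dataclass
class Report:
    candidate: str
    ssn: str               # held in full only in the provider's encrypted store
    completed: date
    criminal_history: str
    drug_result: str

def mask_ssn(ssn: str) -> str:
    """Show only the last four digits, e.g. '123-45-6789' -> '***-**-6789'."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]

def view_report(report, role, user, audit_log):
    """Return only the fields the role may see (SSN masked) and log the access."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        audit_log.append(f"DENIED {user} ({role}) -> {report.candidate}")
        raise PermissionError(f"role {role!r} may not read reports")
    view = {f: (mask_ssn if f == "ssn" else str)(getattr(report, f)) for f in sorted(allowed)}
    audit_log.append(f"READ {user} ({role}) -> {report.candidate}: {sorted(allowed)}")
    return view

def purge_expired(reports, today, audit_log):
    """Drop reports past the retention ceiling, logging each deletion; return the rest."""
    cutoff = today - timedelta(days=365 * RETENTION_MAX_YEARS)
    expired = [r for r in reports if r.completed < cutoff]
    audit_log.extend(f"PURGED {r.candidate} (completed {r.completed})" for r in expired)
    return [r for r in reports if r not in expired]

def demo(today=date(2024, 11, 26)):
    """Run the controls over constructed sample records (fictional people and SSNs)."""
    reports = [Report("A. Sample", "123-45-6789", date(2024, 3, 1), "none", "negative"),
               Report("B. Sample", "987654321", date(2016, 1, 15), "none", "negative")]
    log = []
    view = view_report(reports[0], "drug_department", "dana", log)
    kept = purge_expired(reports, today, log)
    return view, [r.candidate for r in kept], log
```

In a real system the audit log would be written to append-only storage and the purge would cover backups as well as the primary store.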
What to Look for in Secure Technology
- Firewalls and Intrusion Detection Systems (IDS): Firewalls block unauthorized access, and IDS tools flag suspicious activity.
- Encryption: Encryption protects sensitive data whether providers store it or send it over the internet.
- Regular Security Audits: Providers should test their systems often to identify and fix vulnerabilities.
Investing in risk assessments and secure systems ensures compliance and protects candidate information.
The Role of Training and Certification
Even with the best technology, mistakes can happen if staff aren’t properly trained on data security. Training employees is essential to keep candidate information safe and meet compliance requirements.
- Regular Updates on Regulatory Requirements: Screening providers should train their staff on the FCRA and other regulations.
- Security Best Practices: Staff should know how to handle sensitive data securely.
- Certifications: In addition to individuals, the overall company can have security certifications. Providers with certifications like SOC 2 show a strong commitment to data security.
Well-trained employees are key to preventing mistakes and protecting sensitive information.
How to Choose the Right Background Check Provider
Choosing a provider isn’t just about getting fast results. It’s about finding a partner who will protect your data and help you stay compliant. Use this checklist to evaluate potential background check providers:
Do They Protect PII?
Providers should encrypt data and mask SSNs in background check reports.
Do They Follow Data Hygiene Practices?
Look for providers who purge outdated records and follow retention policies.
Are They Compliant with Relevant Laws?
Make sure they comply with FCRA, GDPR, and other relevant screening laws and regulations.
Do They Use Secure Technology?
Firewalls, IDS, and encryption should all be part of their systems.
Do They Train Their Staff?
Providers should offer regular training on compliance requirements and data security.
Do They Hold Relevant Certifications?
Certifications like SOC 2 show a commitment to best practices.
Protecting candidate information is more than a legal requirement — it’s a trust-building process. The right background check provider will help you stay compliant with screening laws and regulations while safeguarding sensitive data.
By choosing a provider that values security, compliance, and data management, you can avoid risks and protect your reputation. Make the right choice to build trust and confidence in your hiring process.
About Tim Gordon
Tim Gordon, InfoMart’s Chief Compliance Officer, is a seasoned, knowledgeable professional in the background screening industry dedicated to driving InfoMart’s operations efficiently and profitably. Tim utilizes his extensive history in multiple positions across the company to oversee the processing of InfoMart’s core service offerings. He joined InfoMart in 2004; his tenure at InfoMart has been one of efficiency, communication, and continued innovation. With over a decade of experience running InfoMart’s compliance team, Tim is instrumental in proactively updating company regulations to keep InfoMart ahead of legislative changes. He previously sat on the Background Screening Credentialing Council with PBSA, where he helped oversee the accreditation program. Now, he serves as the Chair of the Professional Background Screening Association, where he helps steer the screening industry and shapes compliance initiatives globally.
About InfoMart
InfoMart has been revolutionizing the global background and identity screening industry for 30 years, providing businesses the information they need to make informed hiring decisions. They develop innovative technology that modernizes talent onboarding, including a first-to-market biometric identity authentication application and a verified sanctions search. The WBENC-certified company is a founding member of the Professional Background Screening Association, and they have achieved PBSA accreditation in recognition of their consistent business practices and commitment to compliance with the FCRA. The company is dedicated to customer service, speed, and accuracy, and it has been recognized for its success, workplace culture, and corporate citizenship with over 45 industry awards. To Get the Whole Story on InfoMart, please visit www.InfoMart-USA.com, follow @InfoMartUSA, or call (770) 984-2727.