The expectations by regulators, consumers, nongovernmental organizations, and patients on companies have never been that high. Companies are expected to comply with an ever-increasing list of laws and regulations, act ethically, and take the lead on environmental, social, and corporate governance (diversity and inclusion, board compensation, human rights, environmental footprint) topics. At the same time, any mistakes a company makes are essentially shown real-time in the media and communicated to a global audience of consumers worldwide.
As such, it becomes increasingly important for companies and boards to discuss internally the above-mentioned societal expectations, have strong company values, and, when recruiting new employees, ensure they are aligned with these values. One way companies can do this is to conduct background checks on future or existing employees.
In most jurisdictions, background checks must be conducted in line with local labor law and data privacy. In the United States, attention must additionally be paid to the Fair Credit Reporting Act (FCRA), U.S. Equal Employment Opportunity Commission (EEOC) guidelines on background checks,  and “Ban the Box” laws that in various U.S. states only allow conducting criminal background checks after an initial job offer has been made. Not conducting compliance checks or doing them in a noncompliant way can be very expensive, as some of the following examples show:
IKEA France was found guilty in 2021 of spying on some of its workers and improperly gathering information on employees. The company was given a $1.2 million fine, and IKEA fired several managers.
After one day in office, the CFO of Moderna departed immediately after his previous employer reported an investigation into financial misreporting. Cost to Moderna equals the $700,000 severance package plus the cost of finding a new hire.
The CEO of Yahoo had to leave the company after it was discovered that he had padded his educational credentials.
Dollar General agreed to pay $6 million to close a lawsuit in which the EEOC alleged that the company’s criminal background check policy discriminated against a nationwide class of Black job applicants.
This article aims to provide an update on what background checks are, listing common mistakes in conducting background checks, and highlighting laws that restrict conducting full-blown background checks.
What is the purpose of a “background” check?
As hiring employees—especially in senior management or executive positions—is very expensive, companies want to ensure they hire the right candidate. Therefore, they want to make sure that the employment history, certifications, educational records are complete and accurate, and that employees do not have a criminal history.
In addition, background checks might reveal conflicts of interests, such as an employee being on the board of a competing company or an employee having their own company providing services that compete with those of the company.
What is included in a background check?
A background check can mean different things to different companies. Most companies will include a criminal record search, verification of employment history, proof of academic degrees, reviewing reference letters, or contacting reference persons mentioned in job applications. Some companies will additionally screen for credit records, check social media profiles or postings, or even conduct drug screenings.
1. Not conducting any (criminal) background checks
Some companies and/or human resources (HR) departments believe that (criminal) background checks are not worth the effort. This is in sharp contradiction with the annual Association of Certified Fraud Examiners study that finds that the average organization loses 5% of its revenue because of fraud.
In addition, the cost of cybercrime and industrial espionage is at an all-time high. One of the best defenses against industrial espionage is conducting background checks, which might reveal connections to competitors.
2. Applying background checks only to full-time employees
Besides full-time employees, the company has temporary workers, interns, volunteers, and contractors who enter the company premises and have access to certain (confidential) information. Companies should not limit their background checks to only full-time employees but should apply a risk-based methodology as to what sort of background checks would be needed for the other categories.
3. Not adapting the background check for the position involved
Background checks on board members, board advisory committee, and/or senior management should be different than for junior employees with limited professional experience.
4. Not conducting any verification on employment history or degrees/diplomas
From my perspective, this is very nave. In tight labor markets with several hundred job applicants for a position, some candidates will try to stand out by exaggerating their responsibilities on their résumés, augmenting their accomplishments, hiding employment gaps, and/or inventing degrees with diploma mills.
In some countries (e.g., Switzerland or Germany), employers must provide employees with a reference letter that includes a summary of the work done, position title, reporting line, time at the company, and some paragraphs on social or managerial skills. Not asking for such information or not reaching out to some of the reference contacts is a missed chance to get additional assurance on a candidate.
5. “Outsourcing” (criminal) background checks without standards being defined
Companies use headhunters and external recruiters to identify top-notch candidates and assume these external recruitment agencies conduct a (criminal) background check and verify the accuracy of candidate’s résumé and academic degrees. A best practice is to have clear roles and responsibilities between the company and the external recruiter and request complete supporting documentation for tasks carried out by external recruiters.
6. Conducting social media checks that violate data privacy laws
Employers are interested in how future employees conduct themselves on social media. Looking at a candidate’s social media posts or comments helps the HR department evaluate whether the candidate might fit the company culture. Reviewing a LinkedIn professional profile is generally acceptable; asking for and checking social media profiles on Facebook or Twitter is not. Employers must recognize that because certain profiles are publicly visible on social media, it does not mean that they can all be used for due diligence reasons. Data privacy principles must still apply.
7. Not obtaining consent
Conducting background checks without obtaining employee consent is a common mistake.
What are some restrictions concerning background checks?
It is essential to understand that laws and regulations are different country by country or in the United States even state by state, so the same approach for background checks cannot be applied across the board. Background checks must be adapted to follow local legislation.
In Europe, when conducting background checks, employers process personal data and must comply with the General Data Protection Regulation (GDPR), the European Union data privacy and protection directive. This directive imposes several limitations to conducting background checks, described below.
1. Legal basis
Article 5 of GDPR says that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
As a result, prior to collecting credit history, criminal records, and drug screening information from candidates or employees, companies must have a legal basis or a legitimate interest in processing such personal data.
2. Limited and necessary
Article 5 also says that processed personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” For companies, credit history or criminal records cannot be requested from all future employees, but such information must be relevant to the job for which they apply. Here you can think of employees in managerial positions or positions of trust (e.g., compliance officers).
3. Retention period
Unless needed by local labor law, any personal data, such as credit history, criminal records, etc., must not be stored longer than needed. Companies must define retention periods and implement processes to delete personal data exceeding the retention period.
In the United States, EEO guidelines allow companies to conduct background checks, but they should not discriminate against employees from certain groups (gender, race, age, etc.).
FCRA requires companies to provide certain disclosures to employees when background checks are being run.
Companies have a legitimate interest in preventing unethical people from entering the organization by conducting background checks. The information to be reviewed as part of a background check depends on the job position. The more senior the role and/or the more a prospective employee would obtain a “position of trust” in the company, the more thorough background checks will be.
A wealth of information is available to companies for background checks. However, to protect prospective employees from discrimination or irrelevant information being considered during the application process, companies must strictly follow data privacy, social labor law, consumer protection laws (i.e., credit score), and EEO laws.
Different countries, and states within the same country, have different legislation regarding what information can be requested from prospective employees and what kind of due diligence can be carried out. Employers must understand these differences in labor and data privacy laws; they cannot simply apply the same practices everywhere.
In some countries, additional restrictions on background checks apply. In the U.S., some states have legislation whereby background checks can only be done after a (conditional) initial job offer has been made. Moreover, companies must be aware of Equal Employment Opportunity laws to avoid lawsuits.
The type of background check conducted must be relevant and necessary for the recruited position. A criminal background check is more likely to happen for employees in position of trust and/or senior management and executive positions than for a marketing assistant or junior researcher.
In tight labor markets, candidates will try to stand out by exaggerating their responsibilities on their résumés, augmenting their accomplishments, hiding employment gaps, and/or inventing degrees by using diploma mills. Companies should be aware of these practices and set up a process to validate some of the documents provided by prospective employees during the application process.
Humans leave digital footprints on social media and the internet. Because such information is accessible or available, it does not mean it can all be used for background checks.