Are firms flouting data protection laws during background checks?
Bengaluru: Background checks of prospective employees by companies is fast catching up in India. However, more and more companies are asking background verification firms to conduct checks without obtaining the consent of the candidate, thereby flouting data protection laws, according to these firms.
Background verification firms such as AuthBridge, First Advantage India, HireRight, IDfy and KPMG India say these instances are on the rise, especially as newer industries start embracing background checks.
“More and more companies want to conduct background checks, but they are not aware of the best practices and are not sensitive to privacy of the candidates,” said Ajay Trehan, founder of AuthBridge, who in the last quarter alone saw around seven instances of companies asking for checks without consent from the candidate.
Background verification as a practice became more prevalent around a decade ago when third-party verification agencies set shop in India. They catered mostly to multinational companies, who followed the best practices similar to those in the countries they were headquartered in.
Unlike in the West, background verification in India is not regulated, and there are no specific laws to govern it. In the US, companies need to be compliant with regulations such as the Fair Credit Reporting Act (FCA), which has provisions for background screening by employers.
Under FCA, employers need to get written consent to access employee details and tell the candidate how they intend to use the information.
Now, firms in industries like e-commerce, and even in traditional industries like manufacturing, are warming up to the idea of third-party agencies conducting background checks, say the screening firms.
But these first-timers are not very keen on following the best practices, and the screening agencies eventually have to turn them down.
While everyone from blue-collar to white-collar employees can be subject to this, curiously enough, it is the senior-level employees who are most likely to be screened without consent.
“These requests usually involve screening of senior hires, where the organization wants it to be conducted with discretion. This could be due to the perception that telling a senior-level executive that they have to be screened would seem to undermine their credibility or be an inconvenience to them,” said Camilla de Villiers, managing director, Asia Pacific at US-based HireRight.
Organizations also want to carry out checks without consent assuming that a senior hire who is unhappy with the hiring experience could be detrimental to the employer brand, she said.
Some of the blame for this lies with potential candidates, too.
Organizations also conduct probity checks without employee consent when they have doubts regarding the claims made by the applicant, especially in the initial phase of the background check, says Purushotam Savlani, managing director, First Advantage.
In many instances, screening firms find that companies want to be discreet about checks even with their own employees.
“When companies want to promote people within the organization, they want to do a thorough check on the person, especially on educational backgrounds. And because they are old-timers in the company and they don’t want to antagonize them, companies ask firms like us to do discreet checks,” said Maneesha Garg, head of verifications, KPMG India.
At KPMG, Garg says about 10% of their client base ask for such discreet checks to be made.
Social media has also compounded the issue.
“The rise of social media has enabled organizations to conduct their own checks easily, without the candidate’s knowledge. Hence, they expect background screening providers to be able to do the same,” said de Villiers.
So where does the law stand on this?
Even though the right to privacy is a fundamental right, action for infringement against it can only be taken against the state and not against a private company, says Pooja Ramchandani, head ofemployment laws at law firm Shardul Amarchand Mangaldas.
“However it is still a wrongful act under the law of torts (civil wrongs) and employees can sue for damages, if there is an intrusion into privacy,” she said.
Accessing public information such as court records and criminal records, does not need consent as these records are public information.
However, the sharing of private information such as medical records, financial information such as bank records, and biometric information needs consent from the individual, as per the sensitive data rules under the data protection laws, said Ramchandani.
Penalties for disclosure of private information can range from a few lakh rupees in fines to a jail term of two to three years, says Ramchandani. Still, companies have been able to get away with it as there is no clear regulation around background screening.
“The risk in not arresting this practice is we will end up seeing more and more companies engaging in this,” said Trehan.
Companies like Urban Ladder said they obtain consent from candidates, before screening them.
“We tell our field staff that subject to a positive background check they will be given an offer,” said Geetika Mehta, HR head for Urban Ladder. “ Even when we do reference checks on our corporate staff, we explicitly tell the candidate that we will be checking with their references.”