It comes as a surprise to some people that the word “privacy” never appears in the United States Constitution.
In fact, America is almost unique amongst western democracies in not having a comprehensive national privacy law that protects personal information.
Sure, we have piecemeal, industry-specific legislation like the Gramm-Leach-Bliley Act, which prohibits disclosure of financial information, and the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule that protects our personal health information. Some states have passed more general laws, too, but none compares with the European Union’s Privacy Directive that mandates that each member state enact a comprehensive personal data privacy law and create a government agency to enforce it.
I’m not passing judgment one way or the other. I’m just pointing out that we are a little schizophrenic here when it comes to personal privacy. (Is that a nice way of saying “hypocritical”?)
On one hand, we share intimate details of our life on social media.
On the other, we are outraged that the NSA has accessed our phone records.
Privacy in the workplace
The issue comes quickly to the foreground in the employment arena with background checks.
• Credit checks and bank employment. There is a strong movement to restrict the use of credit checks in hiring. Some states have already passed laws outlawing such checks, although to the best of my knowledge all have exceptions for jobs in financial services. There are two current proposals in Congress which would bar discriminating against a candidate or employee on the basis of their credit record. Although neither seems likely to pass, they are notable in not containing an exception for banking.
How do you use credit checks?
• Criminal checks and bank employment. The Equal Employment Opportunity Commission (EEOC) issued guidelines in 2012 strongly discouraging any inquiry about criminal convictions and banning questions about criminal arrests. The guidance recognizes that other federal laws, such as the Federal Deposit Insurance Act (FDIA), require criminal record checks, but warns against any screening that goes beyond the bare legal minimum.
What steps do you take to comply with FDIA without overstepping?
An old law repurposed
The Fair Credit Reporting Act (FCRA) was originally passed in 1970 and substantially amended in the 1990s. It applies to any “consumer report” (not just credit checks) obtained on a candidate or employee from a consumer reporting agency, such as TransUnion, Equifax, or Experian.
Compliance with the FCRA requires three steps:
1. A release. Before seeking the report, the employer must obtain a release from the applicant or employee. This release should be standalone, not wrapped into boilerplate on the application form.
2. Notice to the applicant. If adverse information is received and is being considered in connection with the application, the bank must notify the applicant, and send a copy of the report together with a statement of FCRA rights.
3. Notice after action on adverse data. If, after “a reasonable period,” the bank decides not to hire or continue employment, based in whole or in part on the adverse information, a further notice must be sent.
Recently, these technicalities have tripped up several large companies which have found themselves the object of FCRA class-action lawsuits, and have paid substantial settlements. Although this new wave of litigation has yet to hit banking, it demonstrates again the need for care when gathering employee information.
Employees on Facebook
“Social media” and “privacy” seem to me to be contradictory concepts. However, this is the most active area in the struggle to balance the bank’s need to gather information about its applicants and employees, and the individual’s right to keep personal information private.
Some states have gone as far as to ban would-be employers from asking to access applicants’ social media accounts. Where such bans are not in place, studies have indicated that being asked for Facebook passwords and the like is a turn-off to candidates who may then choose to look elsewhere.
My advice to those hiring managers who just can’t resist perusing social media sites is to use the information gathered carefully and consistently.
It is possible that you will discover all kinds of information that is not relevant to the individual’s ability to perform the job. For example, posts, blogs, and tweets may reveal membership in a legally protected category. If employment is denied, the bank may be vulnerable to a claim of discrimination.
NLRB: Not just for union shops anymore
Several recent National Labor Relations Board (NLRB) cases have addressed the issue of employees making negative comments about the employer in social media posts. The general conclusion is that when these posts, no matter how disrespectful, concern the terms and conditions of employment—pay, hours, etc.—and are read by other employees, they constitute “concerted protected action,” and may not be the cause for discipline. In the NLRB’s eyes, this is distinct from “mere griping” which is not protected.
Crafting an adequate social media policy that protects the bank’s confidential information and reputation in the community is a thankless task, given the fast-changing technology as well as these recent somewhat ambiguous rulings.
I advocate a broad written policy (something like: “Don’t be a jerk”) backed up with regular, meaningful ethics training. (See my previous post, “Doing the right thing: Training moves tone from compliance to culture.”)
Medical information and privacy protection
Several statutes protect the privacy of personal health information: the Americans with Disabilities Act (ADA), the HIPAA Privacy Rule, and the Genetic Information Non-Discrimination Act (GINA), for example.
Yet the Office of Federal Contract Compliance Programs recently passed a rule requiring all banks with more than 50 employees to ask all applicants and employees whether they have a disability. This data is now needed to fulfill new Affirmative Action Plan mandates. (See my earlier blog on this, “Big changes coming in affirmative action: Effective March 2014, new rules hit banks with over 50 employees.”)