Recent developments in Michigan and California may be a sign of a larger, nationwide (and global) shift toward increased protection of personal data. This can help shield individual members of the public from undue invasions of privacy, however background checks are likely to become more complicated, time-consuming, and well beyond the capacity of most employers.
What is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is any data that could potentially identify a specific individual. No one rule determines what is considered PII versus what is not. PII is a set of data, but any one piece of information could be considered PII.
The Department of Labor defines PII as:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
State Court Rules That Restrict Use of PII
The California Consumer Privacy Act (CCPA), which passed in 2018 and took effect in 2020, is an early example of legislation addressing data privacy. CCPA gives consumers the right to request that a business that collects their personal information disclose the categories and specific pieces of personal information collected. Under the CCPA, companies that request PII should have a policy for securely handling such information and be transparent with their vendors. If they have a third party review that info, then a policy disclosure from that company should also be included.
In December of 2021, the Michigan Supreme Court amended a previous amendment of MCR 1.109 regarding the redaction of the date of birth (DOB) from court records, which are used as identifiers by background screening companies when preparing background check reports. The amendment took effect on April 1, 2022. Also in April, the Michigan State Court Administrative Office (SCAO) released updated Frequently Asked Questions (FAQs) about “Personal Identifying Information in Court Filings” that addressed the general rules, orders, and standards regarding the protection of PII. The Michigan Court Rule (MCR) 1.109(D)(9)(a) provides that the following PII is protected: “i. Date of birth, ii. Social security number or national identification number, iii. Driver’s license number or state-issued personal identification card number, iv. Passport number, and v. Financial account numbers.”
Dates of birth contained in court records in Michigan are protected personal identifying information under MCR 1.109 and may not be accessed unless allowed by law or court rule. However, a person may provide written consent for another person or agency to access their DOB information in court records.
Background screening firms are regulated by the Fair Credit Reporting Act (FCRA), which requires them to match personal identifiers such as DOBs to the subject of a background check in order to ensure accuracy. If these identifiers cannot be matched, a background check report cannot be generated, and that raised concerns from the Professional Background Screening Association (PBSA), a non-profit organization representing the background screening industry.
Other states have recently introduced similar legislation, including Colorado and Virginia.
The Colorado Privacy Act gives consumers rights similar to the California law and imposes a duty on companies to safeguard consumer personal information and strengthen data protection practices. The Act also empowers the State’s Attorney General to evaluate a company’s data protection assessment and impose penalties on companies where violations occur.
The Virginia Consumer Act, which will take effect on January 1, 2023, imposes similar duties on businesses that collect personal data and requires businesses to create data protection programs to safeguard consumer information and reduce the risk of mismanagement.
This new legislation creates complications for background screening, but especially for employers who attempt to conduct these checks on their own. Background checks for new employees must be conducted according to the rules of each state in which candidates have lived or worked. The good news, however, is that many of these laws include exemptions for FCRA regulated information. This is why it’s critical that employers conduct background checks through a trusted and certified vendor partner.
As an accredited member of the PBSA, IntelliCorp can help your company promote compliance in your background check program. This means we can assist you in staying ahead of new background screening regulations that impact employers.