Background Check Policy
Updated February 20, 2014
SGS Confidential Page 1
Table of Contents
Introduction
Purpose
Catering for Levels
Average cost of basic criminal check
Contractual Requirements
  United States
  Canada
  Latin America
  Philippines
PCI / HIPAA Compliance
Appendix
  Geo Consideration
    United States
    Canada
    Mexico
    Bulgaria
    United Kingdom
    India
    Philippines
    Colombia
    Jamaica
    United Arab Emirates
  Risks
Sources
Introduction
This policy covers employees of Sutherland Global Services across all geographies regarding
background checks.
Purpose
The purpose of this document is to highlight current policies as well as laws and regulations in the
current countries where Sutherland Global Services is represented. This is a summarization of current
background check policy as well as recommendations for future practices.
Catering for Levels
Entry-Level Background Screening
Entry-level employees are often overlooked when it comes time to develop a company’s screening
program. At the lower end of the pay scale and high end of the turnover statistics, many companies
assume screening of entry-level employees will not provide them enough return on their investment.
GOAL: Best practice for Consultant-level positions appears to be a National Social Security Search (or
local equivalent), Criminal History, Multi-State Criminal History Search (or local equivalent), Multi-State
Sex Offender Search (or local equivalent, where permissible) and a Drug Test (where permissible) while
complying with the FCRA per below.
Management Background Screening
Management-level hires can pose risks touching all areas of the business – from public relations to
employee productivity. At the top of the payroll scale, the cost of a bad management hire may be
tough to absorb. Background check and drug testing services can help vet your management
candidates long before they write their first corporate memo or lead their first meeting. Doing a
criminal history search will help ensure that the hire poses no physical risk, while verification services
ensure that your new manager has the credentials and relevant experience necessary to do the job.
GOAL: Best practice for Management level positions appears to be all background checks, besides the
MVR. If some crime was committed while driving, it would show up in the Criminal History search
while complying with the FCRA per below.
Complying With the FCRA
Generally speaking, the Fair Credit Reporting Act (FCRA) requires employers to ensure that
applicants/employees are:
(1) Aware that consumer reports are being obtained for employment purposes;
(2) In agreement to disclose these reports and
(3) Receiving notifications when an employer takes action based on information gathered from the
consumer reports. These requirements are broken down into the following four different steps that the
employer must take for every consumer report it obtains:
Notice: The employer must provide written notice to the applicant/employee of the intent to obtain a
consumer report. The notice must be a separate document and not part of an application.
Consent: The employer must obtain written consent from applicant/employee acknowledging he/she
has been provided with a notice of the employer’s intent to obtain a report, and that the
applicant/employee read/understands all terms and consents to any and all background checks and
reports on employee/applicant. Employer may include notice and consent on one form.
Certification to Reporting Agency: Before the employer obtains a consumer report, he or she shall also
send written notice to the consumer reporting agency certifying its compliance with FCRA in
connection with the background checks of applicants/employees.
Average cost of basic criminal check:
Jamaica: $75: 7-10 days
United States: $35: 1-3 days
Bulgaria: $185: 7-10 days
Canada: $59: 3-5 days
Mexico: $78: 10-15 days
India: $95: 7-15 days
UK: $75: 3-5 days
Philippines: $125: 7-10 days
Colombia: $215: 15-25 days
Egypt: $185: 7-30 days
Overall opinion: The cost per hire is around $2,000 for companies this size. To pay for the extra service,
it makes sense to reduce turnover. Building that brand and trust of an organization is so vital and this
can be a positive first step. New hire orientations would just need to be adjusted to comply with the
new standard.
Contractual Requirements
United States:
The “Standard” check includes the following:
Identity and Credit Services
SSN Trace
SMART CRIMS
Criminal: All Areas-SSN trace 7 years – AKA County Criminal Search
Federal Statewide: All Areas-SSN Trace 7 years
NCRD (National Criminal Records Database)
ProofPoint – We use the A La Carte here and cover the following:
SSN Trace
County, state and federal background check
National Sex Offender Registry check
Education check
Employment reference check
Global watch alert check
Driving record check
International screening check
Credit check
Stub Hub Sales – Standard check plus the credit check (This line of business is no longer active.)
ADP – Standard check, ADP also conducts an internal, mandated check
Canada:
Not Available.
Latin America:
Not Available.
Philippines:
Not Available.
PCI / HIPAA Compliance
Common HIPAA Practices: These can be translated over to geo specific Health Information rules.
- Practices must provide an up-to-date training program on the handling of Protected Health Information (PHI) for employees performing health plan administrative functions.
- Make sure not to share sensitive PHI with others who shouldn’t have access, including co-workers or personal acquaintances.
- Avoid accessing a patient’s record unless needed for work or with written permission from the patient.
- Minimize occurrences of others overhearing patient information. Do not use a patient’s whole name within hearing distance of others.
- Secure all paperwork containing PHI by placing in a drawer or folder when not in use. Cover charts so patient names are not visible. Never leave records and other PHI unattended.
- Close computer programs containing patient information when not in use. Practice management systems with automatic time out settings can be valuable in this regard.
- Limit e-mail transmissions of PHI to only those circumstances when the information cannot be sent another way.
- Always use a cover sheet when faxing PHI.
- Back up all disks that contain PHI. Storing your patients’ information in a HIPAA compliant cloud server is safer than using a localized server or paper documents, according to recent findings from the US Department of Health and Human Services.
- Assign different levels of security clearance to specific people. Role-based security prevents employees from accidentally changing or seeing information that does not pertain to their specific duties.
- Never share passwords between staff members. The HIPAA champion should assign passwords to all employees who are allowed access to PHI. Single sign-on PM systems use voice recognition or fingerprint detection along with user specific passwords to secure logins.
- Properly dispose of information containing PHI by shredding paper files.
- Make sure computers have updated anti-virus scanning software installed. This guarantees your practice is reasonably guarded against malicious software.
- It’s also important to make sure any vendors or other businesses associated with your practice are properly following HIPAA standards as well.
Most common Protected Health Information violations:
- Unauthorized access by a member of the care team or administration. To avoid, take these steps:
  - Lock down your security to all medical records
  - Set up a password-protected central system for accessing the information
  - Set up administrative safeguards to protect access and prevent non-authorized personnel from viewing or receiving PHI
- Lack of patient access to their PHI
- Improperly using the Internet
  - Make your staff aware that posting of any protected patient information on a social-media site, however innocuously, is a violation of their privacy, prohibited and subject to review by you
- Failure to secure and/or shred paper documents
- Being overheard discussing PHI
- Failing to provide the patient with a notice of privacy practices.
Summary:
It is tough to pinpoint what Protected Health Information practices take place in each country. In some
countries such as Canada, laws and policies are different per area and not consistent throughout the
country. Listed above are practices and steps needed to enforce PHI.
GOAL: To perform the proper background checks for all potential personnel who will be hired for
positions that will have access to cardholder data or the cardholder data environment. This should be
done globally to protect Sutherland Global Services from individuals with
questionable or criminal backgrounds.
Payment card industry (PCI) compliance is adherence to a set of specific security standards that were
developed to protect card information during and after a financial transaction. PCI compliance is
required by all card brands.
There are six main requirements for PCI compliance. The vendor must:
1. Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
4. Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an information security policy
- Maintain a policy that addresses information security.
Why should you, as a merchant, comply with the PCI Security Standards? At first glance, especially if
you are a smaller organization, it may seem like a lot of effort, and confusing to boot. But not only is
compliance becoming increasingly important, it may not be the headache you expected.
Compliance with data security standards can bring major benefits to businesses of all sizes, while
failure to comply can have serious and long-term negative consequences. Here are some reasons why.
- Compliance with the PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information:
  - Trust means your customers have confidence in doing business with you
  - Confident customers are more likely to be repeat customers, and to recommend you to others
- Compliance improves your reputation with acquirers and payment brands -- the partners you need in order to do business
- Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:
  - As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats
  - The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals
  - When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise
- Compliance has indirect benefits as well:
  - Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
  - You’ll have a basis for a corporate security strategy
  - You will likely identify ways to improve the efficiency of your IT infrastructure
- But if you are not compliant, it could be disastrous:
  - Compromised data negatively affects consumers, merchants, and financial institutions
  - Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
  - Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  - Possible negative consequences also include:
    - Lawsuits
    - Insurance claims
    - Cancelled accounts
    - Payment card issuer fines
    - Government fines
You’ve worked hard to build your business – make sure you secure your success by securing your
customers’ payment card data. Your customers depend on you to keep their information safe – repay
their trust with compliance to the PCI Security Standards.
Appendix
Geo Consideration
United States:
What Can Be Included in a Background Check:
Driving records
Vehicle registration
Credit records
Criminal records
Social Security no.
Education records
Court records
Workers' compensation
Bankruptcy
Character references
Neighbor interviews
Medical records
Property ownership
Military records
State licensing records
Drug test records
Past employers
Personal references
Incarceration records
Sex offender lists
What Cannot Be Included in a Background Check:
The federal Fair Credit Reporting Act (FCRA) sets national standards for employment screening.
However, the law only applies to background checks performed by an outside company, called a
"consumer reporting agency" under the FCRA. The law does not apply in situations where the
employer conducts background checks in-house.
Your state may have stronger laws, such as California's Investigative Consumer Reporting Agencies Act
(Civil Code §1786) and the California Consumer Credit Reporting Agency Act (Civil Code §1785). In
addition, many state labor codes and state fair employment guidelines limit the content of an
employment background check. (For more on the FCRA, see Part 5.)
Under the FCRA, a background check report is called a "consumer report." This is the same "official"
name given to your credit report, and the same limits on disclosure apply. The FCRA says the
following cannot be reported:
Bankruptcies after 10 years.
Civil suits, civil judgments, and records of arrest, from date of entry, after seven years.
Paid tax liens after seven years.
Accounts placed for collection after seven years.
Any other negative information (except criminal convictions) after seven years.
However, the above reporting restrictions do not apply to jobs with an annual salary of $75,000 or
more. (FCRA §605(b)(3))
The most recent change to the FCRA made criminal convictions reportable indefinitely. California still
follows the seven-year rule (CA Civil Code 1786.18) as do some other states. To find the limit for
reporting criminal convictions in your state, contact your state employment agency or office of
consumer affairs. Other laws that should be considered:
Arrest information. Although arrest record information is public record, in California and other states
employers cannot seek from any source the arrest record of a potential employee. However, if the
arrest resulted in a conviction, or if the applicant is out of jail but pending trial, that information can be
used. (California Labor Code §432.7).
In California, an exception exists for the health care industry where any employer who has an interest
in hiring a person with access to patients can ask about sex related arrests. And, when an employee
may have access to medications, an employer can ask about drug related arrests.
Criminal history. In California, criminal histories or "rap sheets" compiled by law enforcement agencies
are not public record. Only certain employers such as public utilities, law enforcement, security guard
firms, and child care facilities have access to this information. (California Penal Code §§11105, 13300)
With the advent of computerized court records and arrest information, however, there are private
companies that compile virtual "rap sheets."
Employers need to use caution in checking criminal records. Information offered to the public by web-
based information brokers is not always accurate or up to date. This violates both federal and
California law when reported as such. Also, in California, an employer may not inquire about a
marijuana conviction that is more than two years old.
Workers' compensation. In most states including California, when an employee's claim goes through
the state system or the Workers' Compensation Appeals Board (WCAB), the case becomes public
record. An employer may only use this information if an injury might interfere with one's ability to
perform required duties. Under the federal Americans with Disabilities Act, employers cannot use
medical information or the fact an applicant filed a workers' compensation claim to discriminate
against applicants. (42 USC §12101).
In California, employers may access workers' compensation records after making an offer of
employment. To gain access, employers must register with the WCAB and confirm that the records are
being accessed for legitimate purposes. Although the agency may not reveal medical information and
the employer may not rescind an offer due to a workers' compensation claim (California Labor Code
132a), employers sometimes discover that applicants have not revealed previous employers where
they had filed claims. In such situations, employers often terminate the new hire because it appears
they falsified the application.
Bankruptcies. Bankruptcies are public record. However, employers cannot discriminate against
applicants because they have filed for bankruptcy. (11 USC §525)
Although these laws should prevent an employer from considering certain information, there is no
realistic way for the applicant to determine whether such information will be revealed in a background
check. This is particularly true for investigations conducted online where the information obtained
from online information brokers might not be verified for accuracy or completeness.
For example, if you were arrested but never convicted, a data search could reveal the arrest, but the
investigator who compiled the information might not delve further into the public records to
determine that you were acquitted or the charges were dropped. Reputable employment screening
companies always verify negative information obtained from database searches against the actual
public records filed at the courthouse.
Can an employment application ask about things that should not be reported?
The FCRA does not prohibit an employer from asking questions in an employment application. See FTC
letters to Nadell and Sum:
www.ftc.gov/os/statutes/fcra/nadell.htm
www.ftc.gov/os/statutes/fcra/sum.htm
For example, an employment application might ask if you have "ever" been arrested. The FCRA says a
consumer reporting agency cannot report an arrest that from date of entry was more than seven years
ago. It does not say the employer cannot ask the question.
How to handle such questions on an employment application is of real concern to many people,
especially those concerned with a youthful mistake from the distant past.
To learn about employment laws in your state, search the Internet for “employment inquiries”
followed by the name of your state. State and local equal employment opportunity agencies, along
with federal EEO field offices, may also be located through the US Equal Opportunity Commission
website, http://www.eeoc.gov/field/index.cfm. State employment laws may limit the questions that an
employer includes on a job application. So-called "Ban the Box" laws in a few states and municipalities
may prohibit employers from inquiring into criminal history in a job application. These laws can be
complex and varied. For examples, see
http://www.littler.com/workplace-privacy-counsel/san-franciscos-board-supervisors-bans-box-and-further-complicates-criminal.
The California Labor Code says an employer cannot ask about:
Any arrest or detention that did not result in a conviction.
Any arrest for which pretrial diversion has been completed.
As of January 1, 2014, employers are prohibited from asking job applicants about criminal
records that have been expunged, sealed or dismissed.
As of July 1, 2014, public sector employers (California state and local agencies, cities and
counties) are prohibited from asking about criminal records on employment applications. Public sector
employers must review an applicant's qualifications before inquiring about their conviction history.
Provisions of the Labor Code are reinforced in regulations of the California Department of Fair Housing
and Employment. (See: 2 Cal. Codes Regs Sec. 7287.4(d)(1) (Register 95, No. 29: 7-21-95).) A
Department publication lists questions that are inappropriate for a California job applicant.
Aren't some of my personal records confidential?
The following types of information may be useful for an employer to make a hiring decision. However,
under the federal Fair Credit Reporting Act, the employer is required to get your permission before
obtaining the records. (See PRC Fact Sheet 11, "From Cradle to Grave: Government Records and Your
Privacy," www.privacyrights.org/fs/fs11-pub.htm)
Education records. Under both federal and California law, transcripts, recommendations, discipline
records, and financial information are confidential. A school should not release student records
without the authorization of the adult-age student or parent. However, a school may release "directory
information," which can include name, address, dates of attendance, degrees earned, and activities,
unless the student has given written notice otherwise.
Military service records. Under the federal Privacy Act, service records are confidential and can only be
released under limited circumstances. Inquiries not authorized by the subject of the records must be
made under the Freedom of Information Act. Even without the applicant's consent, the military may
release name, rank, salary, duty assignments, awards, and duty status. (5 USC §§552, 552a) For more
on military records, visit the National Archives and Records Administration web site:
www.archives.gov/facilities/mo/st_louis/military_personnel_records.html
Medical records. In California and many states, medical records are confidential. There are only a few
instances when a medical record can be released without your knowledge or authorization. The FCRA
also requires your specific permission for the release of medical records. If employers require physical
examinations after they make a job offer, they will have access to the results. The Americans with
Disabilities Act allows a potential employer to inquire only about your ability to perform specific job
functions. (42 USC §12101)
There are other questions such as age, marital status, and certain psychological tests that employers
cannot use when interviewing. These issues are beyond the scope of this fact sheet. If you have further
questions, contact the resources at the end of this fact sheet. The federal Equal Employment
Opportunity Commission and the fair employment agencies in the states handle these issues.
What can my former employer say about me?
Often a potential employer will contact an applicant's past employers. A former boss can say anything
truthful about your performance. However, most employers have a policy to only confirm dates of
employment, final salary, and other limited information. California law prohibits employers from
intentionally interfering with former employees' attempts to find jobs by giving out false or misleading
references. (California Labor Code §1050)
Under California law and the laws of many other states, employees have a right to review their own
personnel files and make copies of documents they have signed. If you are a state or federal employee,
your personnel file is protected under the California Information Practices Act or the federal Privacy
Act of 1974 and can only be disclosed under limited circumstances (California Civil Code §56.20;
California Labor Code §§432, 1198.5; 5 USC §552a).
Jobs such as truck driver positions fall under regulations of the federal Department of Transportation.
Employers are required to accurately respond to an inquiry from a prospective employer about
whether you took a drug test, refused a drug test, or tested positive in a drug test with the former or
current employer (49 CFR §40.25, 49 CFR §382.413).
Canada:
What Can Be Included in a Background Check:
Indication of criminal record searches
Individual credit reports
Education and employment verifications
Professional licenses and certification verifications
Reference interviews
Driver record abstracts (except Alberta)
Civil and bankruptcy record searches
Lien and property searches
Internet and media presence searches
Corporate registration searches
International terrorism, financial, and political sanctions searches
Ontario Bill 168:
Bill 168, which amends Ontario's Occupational Health and Safety Act (OHSA) and went into force in
June 2010, requires Ontario employers with more than five employees to take specific steps to address
the issues of workplace violence and workplace harassment.
OSFI Guideline E-17
The Canadian Office of the Superintendent of Financial Institutions (OSFI) issued Guideline E-17 in
2009, mandating that all Responsible Persons of Federally Regulated Entities (FREs), most notably
members of boards of directors and senior management, be subject to a thorough background check
upon initial appointment to their position. These individuals must likewise undergo routine, ongoing
assessments during the tenure of their positions. Such assessments are used to gauge the continued
suitability and integrity of these Responsible Persons. OSFI expects every FRE to have a written policy
regarding the performance of assessments of their Responsible Persons.
Guideline E-17 applies to all FREs, including:
Banks and bank holding companies
Insurance companies and insurance holding companies
Trust and loan companies
Co-operative credit associations
Retail associations
More detailed definitions may be found in the full text of OSFI Guideline E-17.
Mexico:
The Mexican Federal Law for the Protection of Personal Data in Control of Private Persons was
published on July 5, 2010 by the Mexican Ministry of the Interior. The Data Protection Law came into effect
on July 6, 2010. The Regulation of the Data Protection Law was published in the Official Gazette by the
Ministry on December 21, 2011.
The Data Protection Law requires a lawful basis (consent from the individual or legal obligation) in
order to collect, process, use or disclose personal data on an individual. Companies must also provide
notice to individuals when they intend to handle their personal information. The notice should state
what personal information is being collected and how it will be used. Individuals have rights to access
the information collected on them as well as rights to correct and object.
The Data Protection Law states that individuals or corporations handling personal data must ensure
that they have appropriate security measures in place to keep the personal data secure and protected
from loss. If there is a security breach with regard to an individual's personal data, the individual must
be notified of the breach immediately. They must be informed of the type of breach, what personal
data was involved in the breach, what steps they can take to protect themselves and any corrective
actions the company has taken regarding the security breach.
When personal data is communicated inside or outside of Mexico to someone other than the data
subject or data handler a data transfer occurs. When a data transfer occurs the recipient of the
personal data has an obligation to handle the data as agreed in the privacy notice and assumes the
responsibilities of safeguarding the personal data as stated in the Data Protection Law.
Bulgaria:
The “Bulgarian Data Protection Authority (DPA)” is the authority/commission that oversees and
enforces data protection in Bulgaria. Bulgaria follows the data protection Directive 95/46/EC that was
put in place by the European Union. Bulgaria has implemented the provisions of the data protection
directive through their Personal Data Protection Act of January 2002 and their amendments. These
laws protect the way that personal data is collected and handled. It states that individuals should
provide consent prior to the collection of data, unless the law suggests otherwise.
Data can only be collected if it is done so for relevant reasons and not in excess;
Data that is collected may only be used for the purpose for which it was collected;
Data must be up to date and accurate;
If the data is found to be inaccurate, it needs to be discarded and replaced with accurate data;
Once you are finished with the information collected, and it has fulfilled its purpose, the data
must be destroyed;
Data that is collected must be stored in a safe location with very limited and relevant access.
Data Protection restrictions are in place for countries within the European Union (EU). They do not
allow for the transfer of data to countries outside of the European Union. Due to this restriction, the
Safe Harbor was created. When a company becomes Safe Harbor certified, they agree and certify that
they will meet the privacy and data protection requirements set forth by the Safe Harbor Directive.
Info Cubic is Safe Harbor certified, which allows us to obtain information from the EU.
United Kingdom:
The UK is one of the twenty-seven member countries in the European Union (EU). The EU set up a Data
Directive that seeks to provide a framework regarding how and when information can be collected on
individuals. The Directive outlines seven quality principles and some additional criteria that must be
met to legally obtain information on individuals in the UK. The seven quality principles include:
Fairness – Data must be obtained fairly and lawfully.
Specific purpose – Data must be processed, collected and stored for a specific, explicit and
legitimate purpose.
Restricted – Data that is collected on the individual must be adequate and relevant to the
purpose.
Accurate – Data that is being collected should be accurate and up-to-date. Any errors to the
information must be corrected.
Destroyed when obsolete – Once you are finished with the data that was collected, it should be
destroyed.
Security – Data that is collected must be kept securely.
Automated Processing – You cannot make a decision solely on reviewing the information
using an automated process.
Example: scanning a resume for keywords.
In order to legally obtain information on an individual the above principles must be met. In addition,
you need to have the individual's consent prior to obtaining information on them. The individual then has
the right to see what information was collected on them and for what specific purpose.
When conducting background checks on individuals according to the quality principles, keep in mind
that credit checks are usually not considered relevant to an employment decision. Other information
on an individual such as sexual orientation and other facts that make up a person's general reputation
are also not considered relevant.
Data Protection restrictions are in place for countries within the European Union (EU) that do not allow
for the transfer of data to countries outside of the European Union. Due to this restriction the Safe
Harbor was created. When a company becomes Safe Harbor certified they agree and certify that they
will meet the privacy and data protection requirements set forth by the Safe Harbor Directive. Info
Cubic is Safe Harbor certified, which allows us to obtain information from the EU.
India:
There is currently no comprehensive privacy law in India. Background checks are permitted; however,
a consent form is often required based on the culture in India.
The Right to Information Act 2005 relates to all States and Union Territories in India except for the
State of Jammu and Kashmir. Jammu and Kashmir have their own act called Jammu and Kashmir Right
to Information Act, 2009. The Right to Information Act 2005 states that citizens are allowed to request
information from a public authority, which must reply within thirty days.
In India, Education and Employment checks are a very common practice, and normally the
responsibility the candidate will potentially hold will determine the depth of the background check.
India has a large pool of educated and talented candidates; there is also a high incidence of
resume fraud.
Verifying past employment history requires an employee ID number or an equivalent unique
identifier, because name writing is not standardized and many names are common.
Requirements for types of background checks in India
Education – copy of degree and transcript, and authorization
Employment – Copy of work experience/relieving letter, employee id number, and authorization
Criminal Record – Local address to search, and authorization
India - Background Check by Program
Location | Program | Drug Test | Education | Employment | Address | Criminal
Malad | AT&T UCSDC | Yes | Yes | Yes | Yes | No
Airoli | AT&T Click2chat | Yes | Yes | Yes | Yes | No
Airoli | AT&T U-Verse Airoli | Yes | Yes | Yes | Yes | No
Thane | CITI_Fulfillment | Yes | Yes | Yes | Yes | Yes
Thane | SCB_LOAN | No | Yes | Yes | No | No
Malad | Dell Portable Mumbai | No | Yes | Yes | Yes | No
Malad | Dell DOC - PPM | No | Yes | Yes | Yes | No
Malad | Dell India Technical Support | No | Yes | Yes | Yes | No
Malad | Dell SMB Voice India | No | Yes | Yes | Yes | No
Malad | Symantec EH | No | Yes | Yes | Yes | No
Malad | Symantec India 4 IndiaHindiSup | No | Yes | Yes | Yes | No
Malad | Shutterfly | No | Yes | Yes | Yes | No
Malad | Clear Trip CS | No | Yes | Yes | Yes | No
Malad | DELL PLE | No | Yes | Yes | Yes | No
Malad | Schlumberger_NA | No | Yes | Yes | Yes | No
Malad | AT&T ConnecTech Mumbai | No | Yes | Yes | Yes | No
Airoli | Schlumberger_JMS | No | Yes | Yes | Yes | No
Airoli | Symantec EH Chat | No | Yes | Yes | Yes | No
Thane | Bank_Axis_CASA | No | Yes | Yes | Yes | No
Thane | Yes_Bank_CASA | No | Yes | Yes | Yes | No
Thane | Fullerton_TP | No | Yes | Yes | Yes | No
Thane | Bankops Common | No | Yes | Yes | Yes | No
Thane | Bharti Axa - Fixed | No | Yes | Yes | Yes | No
Thane | DHL | No | Yes | Yes | Yes | No
Thane | iCollect Cards - Chennai | No | Yes | Yes | Yes | No
Thane | iCollect Cards - Mumbai | No | Yes | Yes | Yes | No
Thane | iCollect TOP 92 | No | Yes | Yes | Yes | No
Thane | iCollect Variable - Chennai | No | Yes | Yes | Yes | No
Thane | iCollect EMCT | No | Yes | Yes | Yes | No
Thane | iCollect Top 92 - Variable | No | Yes | Yes | Yes | No
Thane | Lodha | No | Yes | Yes | Yes | No
Thane | Reliance | No | Yes | Yes | Yes | No
Thane | ICICI Cards Mum 180+ variable | No | Yes | Yes | Yes | No
Thane | BAFL_TW | No | Yes | Yes | Yes | No
Thane | SBI Life_Coll | No | Yes | Yes | Yes | No
Thane | FutureCap_TP | No | Yes | Yes | Yes | No
Thane | IPru_Mum | No | Yes | Yes | Yes | No
Thane | SBI_LifeColl_Chn | No | Yes | Yes | Yes | No
Thane | Federalbank_loan_coll | No | Yes | Yes | Yes | No
Thane | DVO Common | No | Yes | Yes | Yes | No
Thane | End-to-End Origination | No | Yes | Yes | Yes | No
Thane | Kuoni Business Travel | No | Yes | Yes | Yes | No
Thane | Cleartrip_Airoli | No | Yes | Yes | Yes | No
Thane | Air India BIDT | No | Yes | Yes | Yes | No
Thane | Air India Audit | No | Yes | Yes | Yes | No
Thane | Etihad Audit | No | Yes | Yes | Yes | No
Thane | Gulf Air FDS | No | Yes | Yes | Yes | No
Thane | Malaysian FDS | No | Yes | Yes | Yes | No
Thane | Oman FDS | No | Yes | Yes | Yes | No
Thane | Oman Pax Audit | No | Yes | Yes | Yes | No
Thane | Oman PRA | No | Yes | Yes | Yes | No
Thane | Qatar CRA | No | Yes | Yes | Yes | No
Thane | Qatar FDS | No | Yes | Yes | Yes | No
Thane | Qatar Pax Audit | No | Yes | Yes | Yes | No
Thane | Qatar PRA | No | Yes | Yes | Yes | No
Thane | Qatar Revenue Integrity | No | Yes | Yes | Yes | No
Thane | SAS FDS | No | Yes | Yes | Yes | No
Thane | FD_Srilanka | No | Yes | Yes | Yes | No
Thane | DNATA_Westjet_Audit | No | Yes | Yes | Yes | No
Thane | Travel_NACIL_FDS | No | Yes | Yes | Yes | No
Thane | Jet Airways | No | Yes | Yes | Yes | No
Thane | Travel_WY_BIDT | No | Yes | Yes | Yes | No
Thane | Travel_MH_Audit | No | Yes | Yes | Yes | No
Thane | Travel_Misc_Project | No | Yes | Yes | Yes | No
Thane | Travel_JAL_Audit | No | Yes | Yes | Yes | No
Thane | Rak Airways_PRA | No | Yes | Yes | Yes | No
Thane | Travel_ZI_Audit | No | Yes | Yes | Yes | No
Thane | Travel_EY_FDS | No | Yes | Yes | Yes | No
Thane | Air India CS | No | Yes | Yes | Yes | No
Thane | Travel Common | No | Yes | Yes | Yes | No
Thane | F&A Outsourcing | No | Yes | Yes | Yes | No
Chennai | AT&T Click2chat | Yes | Yes | Yes | Yes | Yes
Chennai | Intuit | No | Yes | Yes | Yes | Yes
Chennai | Intuit - FSG | No | Yes | Yes | Yes | Yes
Chennai | Intuit Common | No | Yes | Yes | Yes | Yes
Chennai | CITI_Fulfillment | No | Yes | Yes | Yes | Yes
Chennai | CITI Underwriting | No | Yes | Yes | Yes | Yes
Chennai | PHH Loan Star 3C | No | Yes | Yes | Yes | Yes
Chennai | PHH Title Review | No | Yes | Yes | Yes | Yes
Chennai | PHH HOI | No | Yes | Yes | Yes | Yes
Chennai | Argo UK – F&A | Yes | Yes | Yes | Yes | Yes
Chennai | Argo US – F&A | Yes | Yes | Yes | Yes | Yes
Chennai | Argo US - Insurance | Yes | Yes | Yes | Yes | Yes
Chennai | ARGO Cat Modeling | Yes | Yes | Yes | Yes | Yes
Chennai | Argo Internal Audit Support | Yes | Yes | Yes | Yes | Yes
Chennai | Harlandclark | No | Yes | Yes | Yes | Yes
Chennai | Cisco Center of Excellence | No | Yes | Yes | Yes | Yes
Chennai | Cisco India for India Support | No | Yes | Yes | Yes | Yes
Chennai | Cisco SBSC NA Chat Support-Ind | No | Yes | Yes | Yes | Yes
Chennai | Verizon Dataservices | Yes | Yes | Yes | Yes | Yes
Chennai | Telephonica O2 | No | NA | Yes | NA | Yes
Malad | India AT&T U-Verse | Yes | Yes | Yes | Yes | NA
Malad | Hughes | No | Yes | Yes | NA | Yes
Malad | AT&T OMC | Yes | Yes | Yes | Yes | NA
Airoli | AT&T Uverse | Yes | Yes | Yes | Yes | NA
Airoli | AT&T Uverse Click to Chat | Yes | Yes | Yes | Yes | NA
Airoli | India AT&T U-Verse Airoli | Yes | Yes | Yes | Yes | NA
Airoli | AT&T Uverse ClicktoChat Airoli | Yes | Yes | Yes | Yes | NA
Airoli | Schlumberger_JMS | No | Yes | Yes | Yes | Yes
Airoli | Symantec EH Chat | No | Yes | Yes | Yes | Yes
Cochin | Equifax | Yes | Yes | Yes | Yes | Yes
Cochin | PHH E2E IND | No | Yes | Yes | Yes | Yes
Cochin | PHH HOI | No | Yes | Yes | Yes | Yes
Cochin | PHH Loan Star 3C | No | Yes | Yes | Yes | Yes
Cochin | PHH Title Review | No | Yes | Yes | Yes | Yes
Cochin | PHH - Pricing e Mail Phase 4&5 | No | Yes | Yes | Yes | Yes
Cochin | PHH – Common | No | Yes | Yes | Yes | Yes
Cochin | Argo P&C Lloyd’s Ins | Yes | Yes | Yes | Yes | Yes
Cochin | Argo US - Insurance | Yes | Yes | Yes | Yes | Yes
Cochin | ARGO US - Claims | Yes | Yes | Yes | Yes | Yes
Cochin | ARGO Cat Modeling | Yes | Yes | Yes | Yes | Yes
Cochin | MCS BO&CS(IB/OB Voice) | No | Yes | Yes | Yes | Yes
Cochin | Harland Clarke FAO | Yes | Yes | Yes | Yes | Yes
Cochin | CITI Underwriting | Yes | Yes | Yes | Yes | Yes
Cochin | CITI Pre-Purchase Audit | Yes | Yes | Yes | Yes | Yes
Thane | CITI_Fulfillment | Yes | Yes | Yes | Yes | Yes
Thane | Citi Re-engineering | Yes | Yes | Yes | Yes | Yes
Philippines:
Taguig:
Program | Audit Name | Vendor | Vendor Requirement
Paypal | Global Data Set Search | First Advantage | Complete name and birthday
Paypal | 2 Panel Drug Test | Medicard | Complete name and birthday
eBay UK | Global Data Set Search | First Advantage | Complete name and birthday
eBay UK | 2 Panel Drug Test | Medicard | Complete name and birthday
eBay NA | Global Data Set Search | First Advantage | Complete name and birthday
eBay NA | 2 Panel Drug Test | Medicard | Complete name and birthday
Intuit | Global Data Set Search | First Advantage | Complete name and birthday
Intuit | 2 Panel Drug Test | Medicard | Complete name and birthday
Clark:
Program | Audit Name | Vendor | Vendor Requirement | Cost (Php) | TAT
Iron Mountain | OFAC including Office of Inspector General and General Services Admin | CIBI | Complete name and birthday | 100 | 7 days
Iron Mountain | PH Criminal Check - Name Search | CIBI | Complete name and birthday | 500 | 7 days
Iron Mountain | US Court - Criminal - Felony Misdemeanor County Search | First Advantage | US SSS #; US Add w/postal code; Consent form | 650.4 | 7 days
Iron Mountain | US Court - Criminal - National Criminal Database Search | First Advantage | US SSS #; US Add w/postal code; Consent form | 271 | 7 days
Iron Mountain | 5-Panel Drug Test | Maxicare | We have to make the coordination with Maxicare at least 2 weeks before the actual date of Drug Testing. | 1,135 | 1-2 days
Fiserv | OFAC including Office of Inspector General and General Services Admin | First Advantage | Scanned LOA | 100 | 7 days
Fiserv | 10 Panel Drug Test | Maxicare | We have to make the coordination with Maxicare at least 2 weeks before the actual date of Drug Testing. | TBD | 1-2 days
PHH - Title Review | Educational & Employment Check | CIBI | Scanned LOA, school doc and COE | 1500 | 5-15 days
PHH MBS Underwriting | Educational & Employment Check | CIBI | Scanned LOA, school doc and COE | 1500 | 5-15 days
Microsoft | Negative Records Check | CIBI | Complete Name | 175 | 1-2 days
The Data Privacy Act of 2012 went into effect on September 8, 2012. This new data privacy law is the
first of its kind for the Philippines and was enacted to protect personal data privacy. The National
Privacy Commission was created to implement the law, investigate complaints and monitor
compliance. The Data Privacy Act puts regulations on the processing of the personal information of
Philippine residents and those currently residing in the Philippines. The Act further requires that
personal information collected by organizations and individuals must be protected and fair practices
must be established with regard to the notification, consent, access and correction of personal data.
For further information on the Data Privacy Act of 2012 click on the link:
http://www.gov.ph/2012/08/15/republic-act-no-10173/
Colombia:
Campaign BGC requirements Medical test requirements Are we doing BGC and MT?
Nice No No Yes
McAfee No No Yes
Account Now No No Yes
SLB No No Yes
ATT Uverse Green No
Sections 10.3.2 and 10.3.3 discuss background check and Drug Screening as an
ATT no additional charges association for the Price Per Billable but there is not an
specific requirement about it.
Yes
ATT ConsumerSpanish No Yes
ATT UverseTech Support No Yes
Mobility - IRU No Yes
Lenovo YES All agents must have successfully passed drug screening and criminal and background check processes. If such written request is
made, Service Provider will provide requested documentation within One Business Day from receipt by Service
Provider of such written Request. Yes
Employees are required to go through an MT (medical test) before starting their contract with the company. It is not legal to conduct a drug test and then refuse to hire the employee because of its result.
In October 2012, Colombia enacted Law 1581 to regulate the protection of personal data and
safeguard the constitutional right of privacy in the midst of the challenges posed by globalization and
new technologies that enable the easy electronic transfer of personal data.
On June 27, 2013, Colombia’s executive branch issued a decree to implement various provisions of the
law. Decree 1377 went into effect immediately.
Important Provisions of the Privacy Law
The privacy law imposes various obligations on any “responsible party” that directly or indirectly
processes personal data about the data owner. Law 1581 defines the “responsible party” as the public
or private individual or entity that processes the personal data or decides how the data should be
processed or the database safeguarded. The data owner is the individual whose personal data is
processed. The processing of personal data encompasses the collection, processing, storage, use,
transfer or suppression of any information that can be associated with an identified or identifiable
individual.
Since employers, as part of their normal course of business, typically collect and process the personal
data of their prospective, current or former employees, employers should be especially mindful of the
following important provisions under the law:
Privacy notice. Either in writing, verbally or electronically, the responsible party must notify the data
owner about: the purpose driving the data collection or processing; the intended use of the personal
data; the data owner’s privacy rights; and how the data owner can access the responsible party’s
policies that regulate the processing of personal data. To avoid any contention that an employee
received, but did not understand, the notice, we recommend that the privacy notice be made in
Spanish and in simple, clear and understandable language.
Consent requirements (generally). The responsible party must obtain the data owner’s unequivocal
consent prior to processing the personal data. As such, for the consent to be valid, it must be
accompanied by a privacy notice that contains all of the information described above. The consent
must be expressly stated and can be provided in writing, verbally or through methods that would
advise the responsible party that the data owner has expressly consented to the processing of his or
her personal information. However, in no way can silence be deemed as consent. We recommend that,
where possible, the employer obtain a signed consent, to be able to establish the data owner’s express
consent.
The law requires the responsible party preserve proof of the data owner’s unequivocal consent.
Concerning this recordkeeping requirement, the privacy law is unclear as to the length of time that a
responsible party is required to preserve the proof of consent. Nonetheless, it would be prudent for
employers to implement procedures whereby data owners provide unequivocal consent, as well as to
retain proof of such consent for at least three years from the date the employment relationship ends,
so as to align it with the statute of limitations period for any employment-related claim.
Consent can be revoked at any time, except that such revocation will be deemed invalid if it is made to
avoid a legal or contractual obligation. At all times, the responsible party must provide a procedure for
the data owner to revoke the consent easily and at no charge. If the processing of the personal data
exceeds the purpose for which it was collected, the data owner shall have the right to petition the
Superintendency of Industry and Commerce (SIC), the regulatory agency in charge of enforcing this
law, to order the revocation or suppression of the personal data.
Consent for processing and protection of sensitive personal data. Except in limited circumstances,
processing of sensitive personal data is prohibited. Sensitive personal data refers to information
intimately tied to the data owner’s personal characteristics, such as race, ethnicity, medical condition,
sexuality, political association, religious or philosophical beliefs, and membership in a union or human
rights organization or biological data. Because such data can be improperly used to discriminate
against individuals, the privacy law provides that no action or activity can be made contingent upon the
data owner providing his or her sensitive personal data for processing. This means that an employer is
not allowed to require that a current or prospective employee provide his or her sensitive personal
data for hiring or continued employment, unless the employer is required by law to collect this
information, as is the case, for example, where a current or prospective employee is required to
undergo a medical exam for a legitimate business reason. Assuming the collection or processing of the
sensitive personal data is allowed, the responsible party nonetheless must ensure that the data is
adequately protected and kept confidential.
International and other types of transfer of personal data. Whenever the responsible party transfers
personal data to a third party, such as a data processor (for example, an employer that transfers
personal data to a vendor for purposes of conducting a background check), the responsible party must
enter into an agreement where the third party agrees to process the personal data only for the
purposes for which the personal data was collected. This means that, in no way can the personal data
be processed for any other purpose without the data owner’s express consent.
The law is stringent regarding international transfers of personal data, such as when a subsidiary
corporation located in Colombia transfers personal data to its parent corporation in the U.S. In such
cases, the transfer is prohibited, unless the personal data will be transferred to a country with equal or
higher standards for the adequate protection of personal data than those required by Law 1581. This
prohibition does not apply where the SIC has determined that the third country provides an adequate
level of protection or when the transfer has been made in accordance with an international treaty to
which Colombia is a signatory.
As of this writing, no guidance has been provided as to whether Colombia will recognize the U.S.-E.U.
Safe Harbor Framework as meeting the adequacy standard. This prohibition notwithstanding, the
privacy law provides various exceptions to the adequacy requirement. Two potentially relevant
exceptions for employers are:
When the data owner has provided his or her express and unequivocal consent to the transfer.
Where the transfer is necessary for the fulfillment of a legal or contractual obligation.
Internal policies available to data owner. The responsible party must establish and implement
policies and methods to adequately protect the privacy and confidentiality of the personal data. It is
recommended that employers adopt policies that provide guidance to human resources and IT
employees on the proper handling of personal data.
Enforcement and sanctions for noncompliance. Decree 1377 establishes that the SIC is authorized to
enforce Law 1581 and impose sanctions for noncompliance. Specifically, the SIC may impose a fine in
the amount of 2,000 times the general minimum salary in effect at the time of the fine. At the time of
this publication, the maximum fine would amount to $627,411 USD. Other sanctions that may be
imposed include suspension of operations for up to six months, a temporary (but indefinite) shut down
of operations if the company has not corrected its practices to fully comply with the law, or permanent
closure of operations if the company refuses to comply with its obligations under the law.
Jamaica:
Currently a Data Protection Act is being developed, and no restrictions exist on what data can be obtained in
a background check.
United Arab Emirates:
Federal laws
The United Arab Emirates (UAE) does not have any specific federal laws on data privacy, but various
pieces of legislation may have an impact on businesses that engage in data processing activities. These
include the following:
The UAE Constitution of 1971, which guarantees the right to secrecy of communications.
Federal Law No. 5 of 1985 regarding Civil Transactions, which provides that a person is liable for
acts causing harm generally. This could include harm caused by unauthorized use or publication of the
personal or private information of another.
Federal Law No. 9 of 1987, as amended (Penal Code), which is the primary source of criminal
law in the UAE. In articles 378 and 379, it sets out statutory offences and punishments for publication
of private matters or the unauthorized disclosure of private information (although private information
is not clearly defined).
There are also rules regarding the handling and storage of specific types of data, such as employee
information (which must be maintained under the UAE Federal Labour Law) and personal credit
information.
Consequently, businesses must be aware of the combination of potentially applicable laws (including
regulations specific to their sector) in order to ensure that data is being processed in a lawful manner.
Where a UAE entity imports personal data from another country, it may also be subject to the rules of
another jurisdiction governing the export of that data from the originating country. This is a particularly
important consideration for intra-group transfers where, for example, under European legislation the
exporting group entity would retain primary liability as a data controller.
Free zones
The economic free zone areas of Dubai International Financial Centre (DIFC) and Dubai Healthcare City
(DHCC) have their own comprehensive legislative regimes, which apply to companies established in
those zones:
The processing of personal data by DIFC entities is regulated by DIFC Data Protection Law No.1
of 2007, which aligns closely with the European Data Protection Directive.
DHCC Regulation No. 7 of 2008 is the Health Data Protection Regulation for entities operating in
DHCC. This is intended to establish certain principles for collecting, using, disclosing and giving access
to patient health information. This includes any information about a patient – whether spoken, written
or in the form of an electronic record – that identifies the patient and relates to his physical or mental
health or condition.
There are also restrictions on transferring personal data or patient health information to recipients
located in jurisdictions outside the DIFC or DHCC, respectively. Broadly, these require that – unless the
individual to whom the data relates has given his consent – such transfers may take place only if there
is an adequate level of protection for the data or information, or if a permit has been obtained from
the relevant regulator.
Risks
Pros for doing a background check:
Better safeguarding organizational assets – the people you hire potentially have access to property of
great value, from physical assets to valuable information. Background screening can help minimize the
possibility of theft or corporate espionage.
Helping promote safety – background screening helps minimize the possibility of violence at your
workplace or campus by checking for past criminal behavior and better clarifying the history and
character of prospective employees, vendor personnel, and/or academic program applicants.
Hiring the best employees or selecting the ideal applicants – background screening helps establish
that candidates are qualified for the positions for which they’ve applied. It can also weed out any
candidates that were dishonest in their resumes or CVs, helping you bring in trustworthy
individuals.
Maintaining your good reputation – with the latest news now available at the touch of a button,
organizations today need to take every step to ensure that a hiring mistake doesn’t turn into a
public relations disaster. Just one employee who wasn’t qualified or had a criminal history can
tarnish a carefully built reputation. Background screening helps protect your organization’s good
name.
Building trust within your organization – performing background checks means that you are
committed to integrity and safety, important values that help underscore your current employees’
faith in your organization.
Note: Ties into our values of ECLIPS.
Protecting you from negligent hiring/retention litigation – in some countries, employers are at risk if
they knew, or should have known, that an employee presented a foreseeable risk of harm. For
example, if one of your employees attacked a co-worker, your organization could potentially be held
liable if that employee had a known history of such behavior. Performing pre-employment
background checks can be of major importance in demonstrating proper due diligence and further
safeguarding your organization.
Cons for doing a background check:
Expensive
Background checks can be costly, and the more detailed the background check, the more it costs the
company. Prices can range from $10 for a basic background check to $300 for a comprehensive check
for an executive candidate. Most quality background checks include criminal record investigations and
are $25 to $30. Depending on the number of candidates you screen, costs can accumulate quickly.
Note: The prices for an average background check in each geo are listed below.
Mistakes
It is possible for the company conducting the research to make a mistake in verification of bureau
records, and it is also possible for bureau data to be incorrect. Names can be misspelled, birthdates can
be mistyped, and similar names and/or the distinction between senior/junior within families can be
inadvertently flipped. Mistakes of this nature can cause serious problems for the employer and the
employee, and these problems can be difficult to reverse.
Note: This should not be a deterrent. Just something to point out.
Offensive
Some people find the use of background checks a violation of their personal liberties, and companies
run the risk of offending highly qualified candidates by undertaking them. They may also offend
candidates if they fail to undertake background checks in a uniform manner; offenses of this
kind can lead to lawsuits, including discrimination charges.
Note: Most major companies in the United States and other countries have some form of this. It is
not an uncommon practice.
Unfair Bias
Background checks can disqualify criminal offenders whose transgressions occurred many years
previously--perhaps in their youth--but who have since developed to be responsible, experienced and
highly qualified candidates for the position being offered. The revelations of a background check can
elicit biased judgment of a candidate based on the stigma of the activities documented in their report,
rather than considerations of the relevance of their transgressions to the position. If you are going to
conduct comprehensive background checks, it is a good idea to come up with specific grounds for
disqualification before you review the report.
Note: This has to be consistent across all Geos for it to work.
Timing Issues
Background checks can take anywhere from 24 hours to a week or more depending on the details
being sought, and this can delay the hiring process, which may affect production. Many companies will
only screen a short list of candidates, or their final choice, so if the background check does not elicit
positive results, the whole hiring process will have to start again.
Note: An average return for each Geo is listed below.