Global Screening often involves a lot of acronyms. When I first started in global, I had no idea what most of these meant. And I didn’t want to look uneducated in the eyes of the world, so I muddled through.
Here is a list of the more the more often used global acronyms in use today, so that you don’t have to wonder as I did.
BCR: This stands for Binding Corporate Rules. If you have been following anything about data transfer restrictions from the EU to the US, you may have come across the BCR term. It’s an inter-company contractual arrangement for data protection and is one of the few mechanisms left currently to legitimize the transfer of data from the EU to the US. See the European Commission’s description for more details: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm
CDGDC: This one doesn’t roll off of a tongue very easiliy, does it? This is the China Academic Degrees and Graduate Education Development Center. It is under the joint leadership of the Ministry of Education and the Academic Degrees Committee of the State Council (ADCSC). This is one of several sources of education history, specifically degree verification, in China. www.chinadegrees.cn/en
DPA: Data Protection Authority. This is the regulator in a country that governs that country’s data protection. To find a country’s DPA search the web for “<country name> data protection authority>. Many DPAs have excellent websites with guidance on how to follow the country’s privacy regulation. They may even have items specific to hiring and even screening.
Here are some additional resources to find a country’s data protection authority:
- EU list of national data protection authorities including those outside of the EU: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
- Asia Pacific Privacy Authorities: http://www.appaforum.org/members/
- DLA Piper Data Protection Laws of the World: https://www.dlapiperdataprotection.com/index.html#handbook/world-map-section
EEA: This is the European Economic Area. It is the EU countries plus Iceland, Liechtenstein and Norway. The last three countries are allowed to be part of the EU’s market without being full members of the EU. https://www.gov.uk/eu-eea
EMEA: This stands for the region covered by Europe, Middle East, Africa.
EU: European Union. Currently 28 member countries in Europe. http://europa.eu/index_en.htm. A list of the member countries is at: http://europa.eu/about-eu/countries/member-countries/index_en.htm
FCRA: Global screening also includes the United States. Remember, to a company located in Asia, Europe, Africa, Canada, … the United States is an “international” location. The FCRA stands for the Fair Credit Reporting Act. Regardless of the name, this is not just something pertaining to credit reports. It pertains to information provided by a Consumer Reporting Agency. It’s riveting reading and if you are processing background screens in the US, you should be familiar with it. Here is the FCRA text: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/fair-credit-reporting-act. And the companion document 40 Years of Experience with the Fair Credit Reporting Act: https://www.ftc.gov/opa/2011/07/fcra.shtm. If you are a background screening company, then review the information on the FTC’s business blog: https://www.ftc.gov/news-events/blogs/business-blog/2016/05/i-screen-you-screen-we-all-screen-new-fcra-brochure
FTC: The FTC goes hand in hand with the FCRA, as they are one of the entities regulating background screeners. They are in active enforcement mode, in addition to providing helpful information to candiates (aka “consumers”), employers, and background screeners (aka “CRA”). www.ftc.gov.
GDPR: General Data Protection Regulation: This is the new data protection regulation for the EU that will come into force May 2018; http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679. It will replace the current EU Data Protection Directive (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=en). See the European Commission’s web page for more information: http://ec.europa.eu/justice/data-protection/reform/index_en.htm. Several web pages from EU DPAs also have infomration related to the GDPR. The Information Commissioner’s Office from the UK is a good resource for English speakers: https://ico.org.uk/for-organisations/data-protection-reform/,
ICO: Information Commissioner’s Office. This is the data privacy regulator for the UK. The ICO has a lot of great support information for employers that even covers background screening. The main website for the ICO is: https://ico.org.uk/. Screening guidance is found here: https://ico.org.uk/for-organisations/guide-to-data-protection/employment/. There are several DPAs with websites but the ICO is one that provides a great deal of helpful information, especially for English speakers. It’s a good intro if you need to understand data protection in the EU. Be aware that each EU member has their own data protection regulation, which may differe significantly from the UK’s regulations. What you learn from the ICO applies specifically to the UK and may help you to understand other EU member’s requirements but will not pertain 100% to all EU members.
OPC: Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/index_e.asp. This is Canada’s Federal privacy regulator. Note that Provinces and Territories may have their own regulators: https://www.priv.gc.ca/resource/prov/index_e.asp. As with so many privacy regulators, the OPC and many of the Provinces and Territories have excellent guidance on their websites for help with adhering to the local privacy regulations and even cover topics such as screening.
PDPA: Personal Data Protection Act. This could refer to several country’s privacy regulations but often it refers to Singapore’s privacy regulation (https://www.pdpc.gov.sg/home). Another great resource if you are processing background checks in or from Singapore.
PII: Personally Identifiable Information. This is information that identifies an individual. Different privacy regulations have different definitions. In some cases it is not only information that identifies an individual but it may information that CAN identify an individual. Information identifying an individual would be something that points to a specific individual, such as a person’s person’s name and identity number together. It directly identifies that person. Identifiable information would be information that indirectly identifies an individual. This could be through referenences that allow you to put “two and two together” or by combining two individual forms of information, such as two files. The OPC has a good discussion on the topic: https://www.priv.gc.ca/leg_c/interpretations_02_e.asp. Also see the OPC’s discussion on Personal Information (Section 1.1) in their Leading by Example publication: https://www.priv.gc.ca/information/pub/lbe_080523_e.asp. The US Department of Labor also has a nice explaination: https://www.dol.gov/general/ppii.
PIPEDA: This is the Canadian Federal privacy regulation: The Personal Information Protection and Electronic Documents Act. https://www.priv.gc.ca/leg_c/leg_c_p_e.asp. Provincial regulations may apply if they are considered substantially similar to PIPEDA. These are currently:
British Columbia’s Personal Information Protection Act.
- Alberta’s Personal Information Protection Act (printable version from the Alberta Queen’s Printer Web site.)
- Québec’s An Act Respecting the Protection of Personal Information in the Private Sector.
- Ontario’s Personal Health Information Protection Act, with respect to health information custodians.
- New Brunswick’s Personal Health Information Privacy and Access Act, with respect to personal health information custodians.
- Newfoundland and Labrador’s Personal Health Information Act, with respect to health information custodians.
SNAFU: Systems Normal, All Fouled Up. Couldn’t resist adding this as it seems so appropriate to data protection and global these days.
SPII: Sensitive Personally Identifable Information. Outside of the US it may be referred to as Special Personally Identifiable Information. This is PII that requires extra protection because it can be especially damaging to the individual. What is categorized as sensitive will vary by country and is quite different in the US than outside of the US. In the US, sensitive PII involves information most involved in identity theft, such as the combination of a person’s name, date of birth, and social security number. In the EU, and in countries who have privacy regulations modeled after the EU Data Protection Directive, sensitive data elements are those involved in high levels of discrimination, such as criminal history, religion, ethnicity. Some countries also add ID numbers and documents to their definition of sensitive PII. The ITLawWiki does a nice job of explaining SPII as it pertains to the US: http://itlaw.wikia.com/wiki/Sensitive_PII.
SSN: For readers outside of the United States, the SSN is usually referring to the US Social Security Number. This is our Tax ID number. It was never meant to be a country identification number but in many cases that is how it is used. The SSN is issued by the Social Security Administration (SSA): www.ssa.gov. Interesting information about the history of SSA and the SSN is at: https://www.ssa.gov/history/index.html
| Kerstin Bagus – Director, Global Initiatives|
Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S.
Kerstin is a passionate participant in the National Association of Professional Background Screeners (NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.
At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, region, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice and this communication does not form an attorney client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaim any warranties or responsibility or damages associated with or arising out of the information provided herein.