What can employers do with regard to background checks and inquiries in the U.S. under Federal Law?
Criminal records: Federal law does not prohibit employers from asking about applicants’ criminal history. However, state and local laws may prohibit or regulate such checks – many such laws were recently enacted as ‘ban the box’ legislation. Also, federal equal employment opportunity laws prohibit employers from discriminating when they use criminal history information. Using criminal history information to make employment decisions may violate Title VII of the Civil Rights Act of 1964.
Medical history: The Genetic Information Non-discrimination Act of 2008 prohibits employers and health insurers from discriminating on the basis of genetic information, including family medical history. Medical history inquiries are also regulated by the Family and Medical Leave Act and the Americans with Disabilities Act. State and local laws may provide broader coverage than the Genetic Information Non-discrimination Act.
Drug screening: Private employers generally may test job applicants and employees for drugs, alcohol and other controlled substances. Several states have enacted statutes or regulations that restrict these tests, including with respect to medical and recreational marijuana.
Before testing anyone, an employer should establish and follow reasonable testing procedures and policies. Employers in specific industries (e.g. transportation) and employers that do business with certain government agencies may be required by federal law to establish a drug-free policy and, in some cases, to test applicants and employees for the presence of certain drugs. Employers with employees represented by a union must bargain for the right to test before testing such employees.
Credit checks: An employer may incur liability under the Fair Credit Reporting Act by procuring or causing to be prepared consumer reports or investigative consumer reports on present or prospective employees if the individuals are not advised in writing and do not give their written consent that information about their character, general reputation and personal characteristics may be disclosed in the report. If an employer rejects an applicant either wholly or in part because of the information contained in a consumer report or investigative consumer report, the employer must advise the applicant of this fact prior to making the decision and his or her rights under the act, and supply the name, address and toll-free phone number of the consumer reporting agency that made the report. A willful violation can result in actual damages, punitive damages and attorneys’ fees. An employer that negligently fails to comply with the act will be liable for actual damages and attorneys’ fees. Several states have enacted similar legislation that may impose additional requirements.
Immigration status: The Immigration Reform and Control Act of 1986, as well as Title VII of the Civil Rights Act, penalize employers for discriminating against employees or applicants because of national origin or citizenship status. Similar prohibitions exist in various state laws.
Social media: There are no specific federal laws pertaining to social media. However, there are a variety of federal and state laws dealing generally with social media issues (e.g. data privacy issues).
Additionally, the National Labor Relations Act protects employees who engage in concerted activity involving wages, hours and working conditions, and limits employers’ ability to conduct surveillance or monitoring of employees. The National Labor Relations Board has taken the position that social media usage may constitute protected concerted activity and has also frowned on employers’ attempts to curtail or control employees’ social media use.
Back to the Drawing Board: Employer Wellness Program Uncertainty in Light of AARP v. EEOC
Despite a rapidly growing and changing compliance landscape, employers have continued to offer wellness programs in an effort to control rising health-care costs and improve employees’ overall health and productivity. In 2016, the Equal Employment Opportunity Commission (“EEOC”) issued final wellness program regulations (“EEOC Wellness Program Regulations”) providing a framework for complying with certain aspects of this complex regulatory environment. However, on December 20, 2017, the U.S. District Court for the District of Columbia created new uncertainty in its most recent ruling in AARP v. EEOC (Civil Action No. 16-2113) by vacating the EEOC Wellness Program Regulations effective as of January 1, 2019. Pending issuance of further guidance, the court’s ruling returns the wellness program compliance landscape to its pre-2016 status, leaving many employers wondering whether their wellness programs remain compliant. Employers can continue to rely on the EEOC Wellness Program Regulations with respect to their wellness programs in 2018. However, the court’s ruling calls into question whether and to what extent employers can continue to use incentives in 2019 and future years to encourage participation in wellness programs that involve features such as biometric screenings and health risk assessments. To assist employers with analyzing continued wellness program compliance, the discussion below summarizes the recent court ruling and related background, describes the impact of the ruling on employer-sponsored wellness programs, and highlights several design considerations in light of the ruling.
Title I of the Americans with Disabilities Act of 1990 (“ADA”) generally prohibits an employer from requiring a medical examination or making a disability-related inquiry unless such examination or inquiry is job-related and consistent with business necessity or is voluntary and part of an employee health program. Title II of the Genetic Information Nondiscrimination Act of 2009 (“GINA”) generally prohibits employers from requesting, requiring, or purchasing genetic information with respect to an employee or a family member of the employee unless the employee agrees to provide such information as part of a voluntary wellness program (among other limited exceptions and requirements). The EEOC is the federal agency with administrative authority to enforce these ADA and GINA requirements.
Prior to the issuance of the EEOC Wellness Program Regulations, the meaning of the “voluntary” requirement under the ADA and GINA was unclear. Specifically, it was unclear whether and to what extent incentives could be used as part of a wellness program that included a medical examination (e.g., biometric screening), disability-related inquiry (e.g., as part of a health risk assessment (“HRA”)), and/or genetic information (e.g., family medical history questions on an HRA). The EEOC Wellness Program Regulations provided clarity on this issue by describing how employers could provide incentives of up to 30% of the cost of self-only coverage in connection with these types of wellness programs, without violating the “voluntary” requirement.
AARP v. EEOC
In August 2016, AARP filed a lawsuit in the U.S. District Court for the District of Columbia challenging the EEOC Wellness Program Regulations under the Administrative Procedure Act. AARP claimed that permitting incentives of up to 30% of the cost of self-only coverage is inconsistent with the “voluntary” requirements of the ADA and GINA and that the EEOC failed to adequately explain and support its adoption of the 30% incentive level. In August 2017, the court ruled that the EEOC had not provided a reasoned explanation for its interpretation of the “voluntary” requirement and that the EEOC Wellness Program Regulations were therefore arbitrary and capricious. In that ruling, the court remanded the EEOC Wellness Program Regulations back to the EEOC for reconsideration. However, in an effort to avoid widespread disruption and confusion among employers sponsoring wellness programs and their employees, the court did not vacate the EEOC Wellness Program Regulations at that time. AARP then asked the court to reconsider its decision not to vacate the EEOC Wellness Program Regulations, and the EEOC provided a status report to the court indicating that new proposed regulations would not be issued until August 2018, would not be finalized until October 2019, and would not be effective until 2021. In response to AARP’s request for reconsideration and in light of the EEOC’s anticipated timeline, the court issued another ruling in late December 2017 vacating the EEOC Wellness Program Regulations effective January 1, 2019.
Consequences for Employer Wellness Programs
Under the court’s most recent ruling in AARP v. EEOC, the EEOC Wellness Program Regulations will remain effective for 2018 but will become null and void beginning on January 1, 2019. As a result, there will likely be an element of uncertainty within the compliance landscape for employer wellness programs under the ADA and GINA beginning in 2019. If the EEOC publishes proposed regulations in 2018 that employers can rely on until the regulations are finalized, compliance with the proposed regulations may help to mitigate that uncertainty but only if the proposed regulations are issued before employers finalize their wellness program designs for 2019. If the proposed regulations are not timely published and/or do not permit reliance pending issuance of the final regulations, the compliance landscape will return to what it was before the EEOC Wellness Program Regulations were issued in May 2016. This means that employers will once again be in the uncomfortable position of not knowing with certainty whether and to what extent they can use incentives as part of a wellness program that involves medical examinations, disability-related inquiries, and/or genetic information. It is important to note that the court’s ruling does not impact the compliance landscape for wellness programs under HIPAA (e.g., the rules regarding participatory and health-contingent wellness programs) and is limited only to the ADA and GINA. As a result, the main types of employer wellness program features impacted by the court’s ruling are:
- Biometric screenings (and any other medical examinations) for employees and spouses;
- Disability-related inquiries directed at employees (which might include some questions on an HRA, depending on how questions are worded);
- Family medical history questions (HRA questions that ask about the manifestation of disease or disorder in an employee’s family member and/or HRA questions that ask an employee’s spouse about his or her own manifestations of disease or disorder); and
- Any other features that involve genetic information (i.e., an employee’s genetic tests, the genetic tests of the employee’s family members, biometric screening results of the employee’s spouse).
Design Considerations for Employers
Based on the developments described above and pending the issuance of further EEOC guidance, the following are several design considerations for employers analyzing their wellness programs in light of the new compliance landscape:
- No incentives (most conservative approach) – Wellness programs that do not provide any incentives in connection with the wellness program features listed above will continue to comply with the “voluntary” requirement under the ADA and GINA; these types of wellness programs can still include biometric screening and HRA features that employees and spouses are encouraged to complete, but no rewards or penalties would be associated with whether the employee or spouse participates in the biometric screening or completes an HRA.
- Modest incentives (middle ground approach) – Wellness programs that provide only modest incentives in connection with the wellness program features listed above will present incremental risk in the absence of the EEOC Wellness Program Regulations but may still be considered “voluntary” under the ADA and GINA. Given that the court found that the EEOC did not provide adequate justification for an incentive level up to 30% of the cost of self-only coverage, the definition of “modest” in this context is likely significantly less than 30%. Wellness programs that provide smaller incentives will present less risk than wellness programs that provide larger incentives.
- Up to 30% incentives (more aggressive approach) – Wellness programs that provide incentives at or near the full 30% incentive level permitted under the EEOC Wellness Program Regulations in connection with the wellness program features listed above are unlikely to be considered “voluntary” under the ADA and GINA given the court’s ruling. Although the court did not rule that a 30% incentive level would definitely cause a wellness program to be considered involuntary, continuing to offer incentives at this level after 2018 will expose employers to incremental risk in the form of participant lawsuits and EEOC enforcement actions (similar to the actions taken by the EEOC in the fall of 2014 against Orion Energy Systems, Flambeau, and Honeywell).
EEOC Wellness Regulations Vacated Beginning in 2019
The U.S. District Court for the District of Columbia required the EEOC to reconsider its wellness regulations under the Americans with Disabilities Act (the “ADA”) and the Genetic Information Non-Discrimination Act (“GINA”). The court recently granted a motion filed by the American Association of Retired Persons (“AARP”) to amend that judgment and vacate the permitted 30 percent incentive level under the applicable ADA and GINA regulations, effective as of January 1, 2019. Generally, the ADA and GINA regulations permitted wellness programs to provide incentives of up to 30 percent of the cost of coverage under an employer group health plan without such programs being considered “involuntary.” Employers should be aware that new guidance regarding permitted incentives under the ADA and GINA may be issued later this year to be effective as of January 1, 2019.
District Court Rejects Technical Adverse Action Claim Where Plaintiff Had Sufficient Chance to Dispute Background Report
The Moore v. Rite Aid Headquarters Corp. case has a long history of addressing significant questions regarding an employer’s adverse action responsibilities under the Fair Credit Reporting Act. That history recently ended in the District Court for the Eastern District of Pennsylvania, with a dismissal of Moore’s claims and a denial of her motion for class certification. In its December 21 opinion, the court found that Moore could not show that she had suffered an injury-in-fact stemming from her claim that Rite Aid failed to provide her with adequate notice before declining her employment. Moore had applied for employment with Rite Aid and, as part of the application process, Rite Aid obtained a background check on her. Based on this background check, Moore was initially determined to be “ineligible for hire,” which triggered the mailing of a pre-adverse action letter to her. In this letter, Rite Aid informed Moore that she would not be offered employment if Rite Aid did not hear from her within five business days from the date of receipt of the letter. After receiving the pre-adverse action letter, Moore contacted Rite Aid to discuss her background. Despite this conversation, Moore was mailed an adverse action letter exactly five business days after the date of the pre-adverse action letter. This adverse action letter informed Moore that she would not be hired. In her lawsuit, Moore alleged that Rite Aid violated the pre-adverse action provision of the FCRA (15 U.S.C. § 1681b(b)(3)) by taking adverse action against her without waiting the “full five-day period” set forth in the pre-adverse action letter. The court dismissed her claim, finding that Moore had not suffered any injury-in-fact based on Rite Aid’s conduct. According to the court, the FCRA’s pre-adverse action requirements are designed to “afford employees time to discuss reports with employers or otherwise respond before adverse action is taken.” That is exactly what happened here. 
In the court’s view, Moore was able to discuss her background report with Rite Aid after she received the pre-adverse action letter and before Rite Aid made the final decision not to hire her. According to the court, even if Rite Aid had failed to wait the full five-business-day period referenced in the pre-adverse action letter, the retailer did not violate Moore’s rights under the FCRA. She exercised her right to dispute her background report, Rite Aid heard her version of events, and it did not act unreasonably “in making a final employment decision prior to the expiration of the five days referenced in the Pre-Adverse Action Notice.” Based on its analysis, the court concluded that Moore had “not suffered a concrete harm to her procedural rights under the FCRA.” As a result, it dismissed her claim for lack of standing. In doing so, the court advanced a reasonable reading of the FCRA. Its dismissal stands for the proposition that a defendant should not be held liable in federal court for a technical FCRA violation where the plaintiff experienced no actual negative consequences as a result.
California’s Statewide “Ban the Box” Law Went into Effect January 1, 2018
Effective January 1, 2018, California joins a number of other states and major cities in prohibiting private employers from making pre-offer inquiries regarding an applicant’s criminal history (so-called “ban the box” laws). The new statewide law makes it unlawful for a California employer with five or more employees to:
- Include on employment applications any questions that seek disclosure of an applicant’s conviction history;
- Inquire into or consider an applicant’s criminal history before the employer has made a conditional employment offer; and
- Consider, distribute or disseminate information relating to arrests that did not result in a conviction, referral to or participation in a diversion program, or convictions that have been sealed, dismissed, expunged or statutorily erased.
Under the new law, inquiries into criminal history are permissible only after a conditional offer of employment has been made. Further, once apprised of an applicant’s conviction history, California employers may rescind an employment offer based solely or in part on criminal history only after following a specified process. The employer must first conduct an individualized assessment of the relationship between the conviction and the specific duties of the position. This requires consideration of: (1) the nature and gravity of the offense or conduct, (2) the time that has passed since the offense and completion of the sentence, and (3) the nature of the job. The employer “may, but is not required to, commit the results of this individualized assessment to writing.” If this assessment results in a preliminary decision to deny employment, the employer must provide written notice to the employee. The employer is not required to explain or justify its reasoning. The notification must, however, contain: (1) notice of the disqualifying conviction(s) that are the basis for the preliminary decision to rescind the offer, (2) a copy of the conviction report, if any, and (3) an explanation of the applicant’s right to respond before the employer’s decision becomes final (including the right to challenge the accuracy of the conviction history report or provide information about mitigating circumstances). Applicants must be given at least five days to respond (or up to 10 if the applicant disputes the accuracy of the report and is obtaining evidence to support that assertion). Employers are then required to consider any information submitted by the applicant in his or her response.
If after this consideration period, an employer makes a final decision to rescind an offer to an applicant, the employer must send a second written notice to the applicant, which: (1) includes the final denial or disqualification, (2) explains the procedures or processes, if any, the employer allows to challenge the decision, and (3) explains that applicants have the right to file a complaint with the Department of Fair Employment and Housing. The requirements of the new ban-the-box law do not apply to: (1) positions for which a state or local agency is required by law to conduct a conviction history background check, (2) criminal justice agencies, (3) farm labor contractors, and (4) employers required by state, federal or local law to conduct background checks or restrict employment based on criminal history. California employers should remove from their employment applications any questions or boxes that ask applicants to disclose criminal convictions and train managers not to ask about criminal history during the interview process. Employers should also continue to be mindful of the various laws that impact the use of criminal records in the hiring process, including the California Fair Employment & Housing Council’s regulations on criminal history and adverse impact, other state fair employment laws, municipal ban-the-box ordinances (such as those in Los Angeles and San Francisco), and federal and state fair credit reporting laws, such as the Fair Credit Reporting Act.
Pre-Adverse Action Letters – New California Law Goes into Effect
On January 1, 2018, California Government Code § 12952 goes into effect. § 12952 is yet another state law that regulates how employers can use criminal background checks in the hiring process. Although state laws governing this practice have become commonplace, § 12952 is unique in that it contains new requirements as to what a potential employer must include in a pre-adverse action letter to job applicants – beyond what the federal Fair Credit Reporting Act (“FCRA”) already mandates. California employers should review their forms to ensure they comply with this new California requirement. When a potential employer is considering not hiring a job applicant based on information the employer learns from a criminal background check (among other types of background checks), the employer must follow the FCRA’s pre-adverse action protocol. Under this protocol, the employer must provide the applicant with a copy of the background check and an FCRA summary of rights before making a final employment decision regarding the applicant. This gives the applicant the opportunity to review the background check and point out any errors he or she believes exist. Employers often deliver this information to applicants with a pre-adverse action letter, which typically informs the applicant about the possibility of adverse action. Importantly, the FCRA does not require any specific content in the pre-adverse action letter. The FCRA does not even require a letter at all. California Government Code § 12952 changes that for Californians. Under this new code section, the employer must provide the applicant with specific written notifications regarding the potential adverse action. These notifications include the following:
- Notification that the employer has made a “preliminary decision that the applicant’s conviction history disqualifies the applicant from employment;”
- Notification of the disqualifying conviction or convictions that are the basis for the preliminary decision to rescind the offer of employment;
- A copy of the conviction history report, if any; and
- An explanation of the applicant’s right to respond to the notice of the employer’s preliminary decision before that decision becomes final and notification of the deadline by which the applicant may respond. This explanation must inform the applicant that the response may include the submission of evidence challenging the accuracy of the conviction history report that is the basis for rescinding the offer, evidence of rehabilitation or mitigating circumstances, or both.
The employer may also explain its reasoning in making the preliminary decision, but that statement of reasoning is not required.
These pre-adverse action mandates are only a sampling of § 12952’s new requirements. The legislation includes specific restrictions on when an employer can use criminal record information in the employment process, restrictions on the type of information an employer can use, and restrictions on the way an employer can use such information. The statute also includes specific requirements for the adverse action letter (as opposed to the pre-adverse action letter) above and beyond what the FCRA requires. With the new requirements poised to take effect, multistate employers should pay close attention to their pre-adverse action and adverse action letters to ensure they comply with this new California law. That is especially true here, as § 12952 is one of the first state laws to regulate the content of these letters.
State Data Breach Laws
On December 29th, HealthITSecurity published an article reviewing updated state data breach notification laws from 2017. States that updated their data breach notification laws in 2017 included Delaware, Maryland, and Tennessee. New Mexico also passed its first-ever data breach notification law. The article also highlighted legislative proposals on the state and national level related to data breaches.
New Jersey Ban-the-Box Law Limits Inquiries into Job Applicants’ Expunged Criminal Records
New Jersey has amended its “ban-the-box” law to prohibit inquiries into a job applicant’s expunged criminal record during the initial employment application process. The New Jersey Opportunity to Compete Act (commonly known as the “Ban-the-Box Law”) already restricts employers from asking a job applicant about his or her criminal history during the initial employment application process. Senate Bill S-3306, signed by Governor Chris Christie on December 20, 2017, amended the Act to include an applicant’s expunged criminal record in the restriction. S-3306 also clarifies that an employer may not utilize an “online” application that requires disclosing a criminal record or expunged criminal record during the initial employment application process. The rest of the Ban-the-Box Law is unchanged. (For details of the Ban-the-Box Law, see our articles, How to Comply with the New Jersey ‘Ban the Box’ Law and New Jersey Issues New Ban-the-Box Regulations.) Most New Jersey employers likely interpreted the original Ban-the-Box Law’s prohibition on inquiries into criminal records during the initial application process to already include inquiries into expunged criminal records. The text of the Ban-the-Box Law, however, limits the prohibitions to oral and written inquiries into an applicant’s criminal background. To the extent confusion existed as to whether an employer could lawfully inquire into an applicant’s expunged criminal history or whether an “online” application qualifies as a “written” or “verbal” inquiry under the original law, the amendment should clarify such confusion.
Governor Murphy Issues First Executive Order Imposing Salary History Ban on State Entities
On January 16, 2018, newly-elected New Jersey Governor Phil Murphy signed his first executive order, which prohibits state government entities from inquiring into job applicants’ salary histories. Specifically, state employers will not be allowed to ask prospective employees about their prior compensation and benefits until a job offer has been made. Governor Murphy’s action is a significant step towards promoting equal pay for women. Information about pay history is viewed by many as a mechanism that perpetuates gender-based salary disparity.
Proposed legislation that would have made it unlawful for all New Jersey employers to screen prospective job candidates by inquiring about their salary history was previously introduced but was vetoed by Governor Christie. The legislation, which would have amended the New Jersey Law Against Discrimination (NJLAD), also contained an anti-retaliation provision. Several states and municipalities, including California, New York City and Philadelphia, have already enacted such legislation.
Governor Murphy’s executive order signals a radically different approach to important employment issues such as equal pay, minimum wage and paid leave laws, possibly foreshadowing the future enactment of legislation that would make it unlawful for all New Jersey employers to inquire about, or make decisions based upon, a job candidate’s salary history.
Vermont’s Governor Signs Recreational Marijuana Law
Vermont’s Governor Phil Scott signed a recreational marijuana law on January 22, 2018. The law is the first recreational marijuana law to be enacted by a state legislature without a ballot initiative. It will take effect on July 1, 2018.
The law eliminates all penalties for possession of one ounce or less of marijuana and permits a person who is 21 years of age or older to grow up to two mature and four immature marijuana plants. However, marijuana may not be consumed in a public place, such as streets, parks, public buildings, places of public accommodation and places where the use of tobacco products is prohibited. The law also does not protect individuals from prosecution for being under the influence while operating a motor vehicle or consuming marijuana while operating a motor vehicle.
The law does not create a retail marketplace for marijuana.
Importantly for employers, the law provides that it shall not be construed to do any of the following:
- Require an employer to permit or accommodate the use, consumption, possession, transfer, display, transportation, sale or growing of marijuana in the workplace;
- Prevent an employer from adopting a policy that prohibits the use of marijuana in the workplace;
- Create a cause of action against an employer that discharges an employee for violating a policy that restricts or prohibits the use of marijuana by employees; or
- Prevent an employer from prohibiting or otherwise regulating the use, consumption, possession, transfer, display, transportation, sale or growing of marijuana on the employer’s premises.
The Governor’s Marijuana Advisory Commission has been directed to report on adopting a comprehensive regulatory structure for legalizing and licensing the marijuana market on or before December 15, 2018, in order to revise drug laws that have a disparate impact on racial minorities, help prevent access to marijuana by youths, better control the safety and quality of marijuana being consumed by Vermonters, substantially reduce the illegal marijuana market, and use revenues to support substance use prevention and education and enforcement of impaired driving laws.
https://www.lexology.com/library/detail.aspx?g=93e5bcc6-09d9-486d-b065-21c9c41f1a8e&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=acc+newsstand+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2018-01-26&utm_term
What can employers do with regard to background checks and inquiries in Massachusetts?
Criminal records and arrests: An employer cannot make a criminal records inquiry in an initial application for employment. Thereafter, the employer may make inquiries regarding conviction of felonies (for any time period) or misdemeanors (within five years). An employer must conduct criminal record searches in a non-discriminatory manner. Employers cannot pick and choose which candidates to perform criminal records checks on. Further, any criminal records checks that utilize state criminal history records must comply with state law.
Medical history: Most pre-employment medical inquiries and examinations are barred by the state’s Disability Discrimination Law. An employer can condition employment on a post-offer medical exam.
Drug screening: Pre-employment drug tests are permissible if conducted with adequate procedural and privacy protections and in a non-discriminatory manner. Post-employment, reasonable suspicion and post-accident testing is also permitted. Random testing is permitted for employees in “safety sensitive” positions, and for those subject to random testing under federal law.
Credit checks: Massachusetts has its own version of the federal Fair Credit Reporting Act (FCRA). In most situations, compliance with the FCRA will equal compliance with state law.
Immigration status: No inquiries are stipulated beyond those allowed or required by federal law.
Social media: There are no statutory restrictions. Legislation has been introduced to prohibit employers from requesting applicants’ social media passwords, but it is yet to be enacted.
Other: Massachusetts prohibits employers from requesting or requiring applicants and employees to take lie detector tests. A notice to this effect must be included on employment applications. Further, effective as of July 1, 2018 as part of the pay equity law, employers will not be permitted to ask the wage and salary history of job applicants.
What can employers do with regard to background checks and inquiries in Nevada?
Criminal records and arrests: Nevada law does not restrict an employer’s use of criminal history records for arrests and convictions. However, the Nevada Equal Rights Commission pre-employment guidelines discourage inquiries regarding arrests that did not result in conviction.
Medical history: It is unlawful for a Nevada employer to:
- ask or encourage an employee or job applicant to submit to a genetic test;
- require or administer a genetic test to a person as a condition of employment;
- deny employment based on genetic information;
- alter the terms, conditions or privileges of employment based on genetic information; or
- terminate employment based on genetic information (Nev. Rev. Stat. § 613.345).
Drug screening: Nevada has no state law regulating drug and alcohol testing by private employers. However, employers should note that Nevada’s medical marijuana statute provides that employers may need to accommodate the medical use of marijuana outside the workplace, so care should be exercised when denying employment due to a positive drug test for marijuana. Covered public employers must comply with alcohol and drug-testing procedures set forth in Nev. Rev. Stat. § 284.406 et seq.
Credit checks: Nevada restricts the use of credit reports by employers. Generally, employers cannot require, request, suggest, or cause employees or applicants to submit to a credit report as a condition of employment, unless an exception exists. In addition, employers may not discipline, discharge, or discriminate against an employee or applicant on the basis of a credit report, or the failure to provide a credit report. Exceptions that allow the use of credit reports in the employment context include:
- when required or authorized by state or federal law;
- when based on reasonable belief, the individual has engaged in specific activity that may constitute a violation of law; and
- when credit information is reasonably related to the position for which the employee or applicant is being considered.
The information in the consumer credit report or other credit information shall be deemed reasonably related to such an evaluation if the duties of the position involve:
- the care, custody and handling of, or responsibility for, money, financial accounts, corporate credit or debit cards, or other assets;
- access to trade secrets or other proprietary or confidential information;
- managerial or supervisory responsibility;
- the direct exercise of law enforcement authority as an employee of a state or local law enforcement agency;
- the care, custody and handling of, or responsibility for, the personal information of another person;
- access to the personal financial information of another person;
- employment with a financial institution that is chartered under state or federal law, including a subsidiary or affiliate of such a financial institution; or
- employment with a licensed gaming establishment (Nev. Rev. Stat. § 613.520 et seq.).
Immigration status: There is no Nevada law regarding immigration or employment eligibility verification. However, if the U.S. Attorney General finds that a person who holds a state business license has engaged in the unlawful hiring or employment of an unauthorized alien, the Nevada Tax Commission will hold a hearing to determine whether to take action against the person, which may include administrative fines. Evidence that the business attempted to verify the social security number of the unauthorized alien within six months of the hire date may be used as prima facie evidence that the violation was not willful, flagrant or otherwise egregious (Nev. Rev. Stat. § 360.796).
Social media: Nevada employers may not directly or indirectly require, request, suggest, or cause any employee or applicant to disclose the user name, password, or any other information that provides access to the individual’s personal social media account. Employers also may not discharge, discipline, or discriminate against any employee or applicant for refusing or failing to disclose such information (Nev. Rev. Stat. § 613.135).
Other: Under Nevada Law, employers cannot discriminate based on an employee’s use of a lawful product outside the employer’s premises during non-working hours, as long as the use does not affect the employee’s ability to perform his or her job or the safety of others (Nev. Rev. Stat. § 613.333). Consequently, employers should be careful when inquiring about off-duty use of lawful products, such as tobacco.
Working Towards GDPR Compliance – Practical Steps for U.S.-Headquartered Life Sciences Companies
The European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation, which takes effect May 25, 2018. The essential principles of the EU’s privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities – all backed up by a structure for fining violations modeled on European antitrust laws. US Life Sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This note suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations.
Step 1 – Confirm That the GDPR Applies
- Directly subject to the GDPR:
- The company has an “establishment” in the EU (e.g. a corporate affiliate, branch office, or an ongoing sales or consulting presence). An “establishment” exists when an entity has “stable arrangements” in place in the EU enabling “the effective and real exercise of activity” (GDPR Rec. 22). The establishment does not need to be a formal legal entity.
- The company is not established in the EU but offers goods or services to people in the EU (e.g., sponsoring clinical studies, marketing pharmaceuticals, or providing diagnostic services).
- The company is not established in the EU but profiles or otherwise monitors the behavior of people in the EU (e.g., tracking users of the company’s websites and building up a profile of them over time or conducting long-term healthcare outcome studies involving building profiles of EU individuals).
- US companies that are not directly subject to the GDPR, but whose customers, research collaborators or contractors are subject to the GDPR, will be indirectly affected.
- Collaborators and (in some cases) contractors (such as CROs running clinical studies) are likely to seek contractual commitments to help them achieve compliance with the GDPR.
Step 2 – Brief Stakeholders on the Expansive Notion of Personal Data Under the GDPR
- “Personal data” is defined extremely broadly as “any information relating to an identified or identifiable natural person.”
- Indirect identification counts (e.g., an iPhone IMEI number is personal data because it indirectly identifies its user). The EU considers static IP addresses to be personal data, and per recent case law, dynamic IP addresses are likely to constitute personal data.
- Pseudonymized personal data (including key-coded clinical study data) is still considered personal data, although pseudonymization provides some benefits such as a potentially reduced burden in the event of a data breach.
- Personal data includes things that a person writes or creates (like social media posts and photos) as well as information about a person.
- The GDPR covers all sectors (consumer, financial, medical, education, etc.) except policing, which is covered by a separate directive. Even business contact information is included, such as a research collaborator’s work e-mail address that contains his or her name.
Step 3 – Personal Data Inventory
Ask stakeholders to check what personal data they hold. (In this note, “personal data” means personal data that originated from the EU.) Try to get as much information as possible about the following:
- What category does the personal data fall into? (e.g., human resources data, medical records, directly identifiable clinical study data, or key-coded clinical study data)
- Flag any data that fall within the “sensitive” or “special” categories per the GDPR (health/medical, race, or criminal convictions, among others).
- What is the source of the personal data?
- If the personal data were collected directly from the individual, was a privacy notice provided or consent obtained as part of the collection process?
- For what purposes were the personal data collected?
- Are there any additional purposes for which the personal data are now used?
- Where are the personal data stored?
- Who has access to the personal data?
- Were the personal data obtained from a third party? If so, were there any contracts associated with the transfer of the data?
- Have the personal data been transferred by the company to any third parties? If so, were there any contracts associated with the transfer of the data?
- Have the personal data been transferred outside the EU? (Typically, this will be “yes” for US life sciences companies, but you may find that some personal data is kept within a program/unit within the EU.)
- What security measures apply to the personal data?
- Is there a data retention policy (i.e., is there a specific time frame for deleting the personal data)?
- Are the personal data pseudonymized in any way (e.g., key-coded clinical study data)?
- Are the personal data traceable as they move through the company’s systems?
- Are the personal data maintained in manual or electronic files?
Step 4 – Steps Towards Compliance
- Identify the basis for processing for each category of personal data. Processing personal data is essentially banned unless you can identify a specific basis for the processing that is allowed under the GDPR. You need to be able to articulate the basis for processing (and you may need to explain the basis in your privacy notices).
- If you are relying on consent as the basis for processing any personal data, evaluate whether you can continue to do that under the GDPR, which has tougher standards for consent. Update consent language as needed. Consider whether you need to “re-consent” any data processing activities. You may need to help stakeholders understand that consent is no longer the “easy path” to compliance.
- Review the company’s privacy notices. The GDPR contains extensive provisions covering fair notice requirements.
- Evaluate whether the company needs to appoint an EU representative.
- Evaluate whether the company needs to appoint a data protection officer.
- Identify data processing activities that require data impact assessments.
- Review contracts under which the company receives or transfers personal data. Do the contracts contain terms that enable both parties to meet their obligations under the GDPR? As part of this review, ensure that contracts with contractors who provide services to the company meet the GDPR’s specific controller-to-processor contract requirements.
- Review the legal basis for transfers of personal data from the EU to the US or other countries. As with processing, the GDPR sets out a limited menu of “legal bases” for data transfers.
- Review the company’s procedures for dealing with data subject requests. Check that IT systems are set up to make compliance with requests as efficient as possible. Data subjects have substantial rights to find out what data you hold, how it is used, and who you have transferred it to. Data subjects have extensive rights relating to correcting, deleting and transferring their personal data. (Informed Consent Forms should address these issues for clinical studies – additional considerations apply, and the data subjects’ rights are more limited in comparison to the general rule.)
- Set up a system to help you meet the accountability requirements of the GDPR. The GDPR enshrines the principle of accountability – you need to show that you have worked through any issues and taken steps to address privacy risks.
- Review security procedures and assess whether they meet the GDPR’s requirements. Security measures must be appropriate in light of the potential harm that would arise from a breach.
- Review data breach reporting procedures and modify as needed. Consider whether contractors are involved and review the relevant contract terms. Many data breaches need to be reported to the DPAs, and in some instances directly to data subjects. Breach reporting has tight time frames (generally 72 hours).
- Brief stakeholders involved in designing (or procuring) new products, services and data processing systems regarding the GDPR’s “privacy by design” requirements. This could potentially apply to the design of research projects as well as IT systems.
- Start thinking about the new ePrivacy Regulation. Review the company’s direct marketing activities in the EU, including web or in-app advertisements based on profiling (also known as targeted advertising or behavioral advertising). The GDPR will work in tandem with the new ePrivacy Regulation (currently in draft form), which covers personal data in the context of virtually any form of online service, including online advertising and other forms of marketing.
European Commission Launches GDPR Website
On January 24th, the European Commission launched a website with guidance for stakeholders regarding the implementation of the General Data Protection Regulation (GDPR). The website includes a number of tools including rules for businesses and organizations, rights for citizens, and steps organizations can take to comply with the GDPR.
Notifiable Data Breaches Scheme: Getting Ready to Disclose a Data Breach in Australia
Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organization to secure the data it holds. The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches
What can employers do with regard to background checks and inquiries in Angola?
Criminal records: For anti-discriminatory reasons, criminal record checks are permitted only for specific positions (e.g. security staff, people working with vulnerable individuals or regulated roles in the financial sector). The treatment of such information is protected under the Data Protection Law. Employers cannot demand this information from job applicants and only an employee can obtain his or her criminal reports from the relevant authorities. Criminal records should be requested from foreign non-resident employees, as a clean criminal record is legally required for such employees.
Medical history: Medical examinations are mandatory for job applicants under 18 years old. Job applicants over the age of 18 do not need to undertake a medical examination. However, from a personal data standpoint, the results of medical examinations are deemed to be sensitive. Thus, an authorization from the Data Protection Authority is required in order to allow employers to collect a job applicant’s data. Further, the job applicant must consent to such a medical examination. In any case, after an employee has been hired, a medical examination must be carried out by an occupational doctor in order to ascertain whether he or she is fit to perform the role.
Drug screening: As a rule, drug screening is prohibited in Angola and there are no rules governing the matter.
Credit checks: Credit checks are prohibited, as they deal with privileged personal data.
Immigration status: Employers must ensure that applicants are allowed to work in Angola and hold a legitimate title to do so (i.e. a visa or work permit), as hiring illegal immigrants is a crime.
Social media: This type of background check is not specifically regulated. In principle, researching candidates via social media is not prohibited by law, provided that the information is retrieved from freely accessible public sources.
What can employers do with regard to background checks and inquiries in Denmark?
Criminal records: There are three kinds of criminal record:
- private;
- public; and
- a statement of no previous convictions in respect of children.
A private criminal record is the only criminal record and must be requested by a private person. If the employer wishes to obtain an applicant’s private criminal record, the applicant must give consent. Only the police and public authorities can order a public criminal record. If it is required for a job application, a public criminal record can be issued only with the applicant’s consent. Public authorities, private companies and other institutions that want to employ a person who will work with children under the age of 15 can order a child record.
Medical history: Applicants may be asked to disclose medical conditions if the information is relevant to the position in question. For example, a pilot or firefighter may be asked to undergo a medical examination.
According to the Salaried Employees Act and the Health Information Act, the employee must inform the employer of his or her medical situation at his or her own initiative if it affects job performance.
Drug screening: Drug screening is permitted only if the employer has a legitimate interest in a medical examination and the candidate or employee consents. Collective bargaining agreements may also contain rules on drug screening.
Credit checks: Credit checks are legitimate only if the employer has a legitimate interest in knowing the candidate’s financial circumstances, typically if the position qualifies as a position of special trust and involves money matters (e.g. in a bank or heading a bookkeeping department).
Immigration status: For non-EU and non-EEA residents, the employer must check whether the candidate has a valid work and residence permit allowing him or her to work in Denmark. The employer will be fined if this is not the case.
Social media: Researching candidates via social media sites such as LinkedIn and Facebook is permitted, under the assumption that the information is retrieved from freely accessible public sources.
Other: Inquiries made by an employer are legitimate and permissible only if the answers are necessary for the employer to assess whether the candidate is capable of properly performing his or her duties with regard to the position in question. This means that, as a rule, the employee cannot be asked about pregnancy, among other things.
What can employers do with regard to background checks and inquiries in Portugal?
Criminal records: Companies are allowed to request a job applicant’s criminal record only when there are grounds to do so (e.g. because of the nature of the activity or the specific duties to be carried out by the applicant). In addition, a written request justifying the need for such information must be provided to the employee. That said, requests for criminal records should still be assessed on a case-by-case basis, as the information contained is not always essential to verify the ability of the job applicant to perform certain professional activities. In addition, the information contained in a criminal record is deemed sensitive data and, therefore, an authorization from the Data Protection Agency is required in order to allow the company to collect the job applicant’s personal data. The consent of the job applicant must also be obtained.
Medical history: From a labor law standpoint, as a general rule companies cannot require job applicants to undertake medical examinations. However, this rule has two exceptions:
- if such an examination is intended for the protection and safety of the job applicant or third parties; or
- if it is justified by the particular requirements of the activity.
In any case, it is mandatory that companies justify, in writing, the need for such an examination. The physician responsible for any medical examination cannot inform the company of the specific results of such exams, but only of whether the job applicant is fit for the job or not. From a personal data standpoint, the results of medical examinations are deemed to be sensitive and, therefore, an authorization from the Data Protection Agency is required in order to allow the companies to collect the job applicant’s personal data.
Drug screening: Drug screening of applicants and employees is generally not allowed. An examination can only be carried out by an occupational doctor and only in order to assess whether the employee is fit for work.
Credit checks: Credit checks are not allowed, since they involve privileged personal data.
Immigration status: Employers must ensure that applicants are allowed to work in Portugal and that they hold legitimate entitlement to do so (visa or work permit).
Social media: This type of background check is not specifically regulated. Researching candidates via social media is not prohibited by law, provided that the information is retrieved from freely accessible public sources.
Other: The possibility of conducting background checks on employees is very limited. However, employers are allowed to request referrals directly from the applicants, as well as their authorization to collect certain information.
What can employers do with regard to background checks and inquiries in Spain?
Criminal records: As a general rule, employers in Spain cannot require a prospective employee to supply a certificate of convictions. However, if the employer is a Spanish public body (e.g. the Bank of Spain or the Spanish Parliament) it can require an employee to supply a certificate. Otherwise, the certificate can be supplied only with the consent of the employee. Only private citizens aged over 18, acting individually or through an authorized representative, may request a certificate of convictions for themselves and they must also state the purpose of the request. Employers cannot make an up-to-date certificate of convictions a condition of being considered for a job unless:
- the company’s activities involve regular contact with minors as the employer is required to check that the job candidate has no sexual criminal record (under Article 13.5 of the Organic Law on Minor Protection); or
- the position has specific characteristics (e.g. those of a security guard); in this case the employee must provide the potential employer with a certificate from the public authorities evidencing the absence of any criminal record.
Medical history: Medical conditions constitute ‘specially protected data’ under Article 7.3 of the Constitutional Law on Data Protection 15/1999. Therefore, if the employer seeks to collect data relating to the health of the potential employee, the employee must expressly consent beforehand. The consent must be in writing. Article 4 of the Workers’ Statute prohibits discrimination and harassment on the grounds of disability both when applying for and during employment. Employers should not ask candidates to disclose whether or not they suffer from any disability or require candidates to undergo a prior medical examination, as this could violate the Workers’ Statute. However, there are exceptions for jobs where fitness is essential to the individual’s ability to perform the job (e.g. pilots, drivers or any other profession which requires a specific level of fitness) and jobs that involve a risk of occupational diseases.
Drug screening: Employers are only authorized to carry out drug screening:
- with the employee’s consent;
- to prove the existence of a habitual drug addiction; or
- to prove the existence of a risk to other employees or third parties.
Credit check: Employers are not allowed to obtain creditworthiness information that is not related to the job being recruited for, unless the employee gives his or her consent. Examples of where an employer could seek such information might include banking staff or employees working in an accounts department. However, employers can access public registers and other official information that is accessible to the general public.
Immigration status: Before allowing a job applicant to commence work, employers must check and ensure that he or she has the residence and work authorization that confers the right to work in Spain. The specific requirements for a non-European Economic Area or Swiss national to obtain an appropriate visa are:
- a valid passport or travel document;
- evidence of sufficient financial means – including for any accompanying family – for the duration of the assignment;
- a police records certificate from the country of origin or place of residence covering the previous five years, which has been endorsed in accordance with the Hague Convention or has been duly notarized; and
- an original doctor’s medical certificate verifying that the applicant is free from any contagious diseases, drug addictions and mental illnesses.
Social media: It is increasingly common for employers to carry out pre-employment vetting of potential employees by researching their social media and general internet profile. For employers to use such data lawfully, the data must be in the public domain. Employee consent is not required, although it is generally regarded as best practice to notify job applicants that this will take place. Employers need to be careful that the data which they obtain and rely on in making their decisions does not have a potentially unlawful discriminatory element, such as evidence of religious affiliations or sexual orientations.
Other: Employers are free to conduct other background checks, including but not limited to:
- identity verification;
- resume verification; and
- reference checks.
However, such checks must be completed within the limitations imposed by the Constitutional Law on Data Protection.
What can employers do with regard to background checks and inquiries in Sweden?
Criminal records: The use of different background checks as a part of the recruiting process has become more common in recent years in Sweden, both for public and private sector employers. In general, employers are not prohibited from carrying out background checks on applicants if there is a legitimate reason to do so or from requesting that the applicant present a copy of his or her criminal record. In some sectors (e.g. financial sector or working with children), providing a copy of a criminal record may also be a pre-condition of the commencement of employment. However, applicants are not obliged to provide a copy of their criminal record if they know that doing so will definitely result in their application being dismissed. The Swedish Personal Data Act (1998/204) limits employers’ rights to process data collected in the course of any recruitment procedure. Essentially, employers are prohibited from keeping records of applicants’ and employees’ criminal activities and records.
Medical history: The Personal Data Act also limits employers’ rights to carry out background checks in respect of an applicant’s or employee’s medical history and to process data collected in the course of any recruitment procedure. However, an employer may process sensitive personal data (e.g. medical history) if such data is required to fulfil the employer’s obligations in relation to the employee – for instance, to calculate sick pay, examine the employee’s right to sick leave or as part of a rehabilitation investigation.
Drug screening: Employers are allowed to screen employees for drugs if there is a legitimate reason to do so – for instance, if the employee’s work involves major risk of serious accidents.
Credit checks: Employers have a right to carry out credit checks on applicants if there is a legitimate reason to do so – for instance, if the applicant is seeking a chief financial officer position or equivalent.
Immigration status: The general rule is that a foreign applicant must have a work permit before entering Sweden. In certain circumstances, applicants may apply for and obtain a permit after entering Sweden. Employers have a duty to check that applicants hold work permits or equivalent documentation entitling them to work in Sweden.
Social media: Employers are not prohibited from carrying out background checks based on information that applicants post on social media and that is therefore part of the public domain. However, the use and processing of data collected in this way must be done in accordance with the Swedish Personal Data Act.
Tenant Rent Payment Database
Experian launched a rent payment database to help tenants build credit history (YourMoney).