Top 5 Tips for Conducting Pre-Employment Medical Exams
In a recently filed lawsuit, the U.S. Equal Employment Opportunity Commission contends that Consolidated Edison Co. (“Con Ed”) violated the Americans with Disabilities Act (“ADA”) and the Genetic Information Non-Discrimination Act of 2008 (“GINA”) by its use of pre-employment medical examinations. According to the Complaint, Con Ed required applicants to submit to pre-employment medical examinations in which the company improperly sought disclosure of genetic information and used this information in deciding whether to hire certain applicants.
Employers should be aware of the following general requirements under the ADA and GINA:
- The ADA prohibits all disability-related inquiries and medical examination prior to a valid offer of employment
- If a valid conditional offer of employment has been issued, the ADA allows an employer to make disability-related inquires and conduct medical examinations as long as it does so for all entering employees in the same job category
- Once employment begins, the ADA only permits an employer to make disability-related inquiries and require medical examinations if they are job-related and consistent with business necessity
- GINA prohibits employers from requesting genetic information about applicants, such as family medical history, during the course of any pre-employment medical examination; and
- GINA prohibits employers from using genetic information in making employment decisions, such as hiring, firing, promotions and compensation
Employers found to have violated the ADA and/or GINA could be liable to aggrieved applicants and employees for back pay, compensation for economic losses, emotional pain and suffering, punitive damages, and attorneys’ fees. Consequently, employers are encouraged to review their hiring procedures and contact counsel with any compliance question that may arise.
Court Holds that Receiving an Updated Background Report May Require a Second Pre-Adverse Action Notice
Seyfarth Synopsis: In the last three years, employers have seen a sharp increase in the number of employment class actions under the Fair Credit Reporting Act (FCRA). Most of the reported cases involve challenges to the employer’s procedures before ordering a background report. More recently, however, we are seeing more cases against employers alleging a failure to follow the FCRA’s adverse action requirements, which must be followed any time an employer intends to take “adverse action” (revoking a job offer or terminating employment) against a job applicant or a current employee based, in whole or in part, on information contained in their background report.
A recent federal court decision demonstrates the importance of employers following these highly technical requirements when using background reports for hiring and other employment decisions. In Wright v. Lincoln Prop. Co., a judge in the Eastern District of Pennsylvania considered how an employer can comply with the adverse action process if it relies on an initial background report before revoking a job offer, but then receives a subsequent, corrected report. In Wright, the plaintiff received an employment offer that was contingent upon successful completion of a background check. The first background report, dated June 6, was a partial, in-progress report that revealed a misdemeanor conviction for driving under the influence and two separate drug-related felony convictions. A week later, on June 13, a more comprehensive, final report was provided to the employer, but it included the same substantive criminal information. The employer sent the partial June 6 report to the plaintiff but did not send the final, completed June 13 report. Both parties moved for summary judgment. In alleging the employer violated the FCRA, the plaintiff raised two arguments. First, he argued he never “received” a copy of the June 6 report. The court summarily rejected this argument, concluding the FCRA does not explicitly require an employer “to ensure that the consumer to whom the report relates actually received the notice.” Instead, the FCRA merely requires the employer to “provide” a copy of the report. Thus, the court concluded that a jury had to decide whether the employer satisfied its obligations under the FCRA based on its evidence that it did, in fact, “provide” him with a copy of the report. The plaintiff then argued the June 6 report did not satisfy the FCRA because it did “not contain the required information, including a summary of rights and advance notice of [the employer’s] intention to withdraw its job offer based on the report.” He also argued the employer relied on the June 13 report (which was never provided to him) and, thus, sending the June 6 report did not satisfy the FCRA. On the other hand, the employer argued in its motion that dismissal of the claim was appropriate because (a) it provided the plaintiff with a copy of the report and the FCRA summary of rights and (2) the convictions, which were listed in both reports, were not erroneous and, in fact, the plaintiff to admitted to them. The court concluded that a jury should resolve the dispute. In so doing, the court noted that the employer revoked the offer because of the convictions listed in both reports and that while there were no material differences between the criminal history included in the two reports, the final, June 13 report “contain[ed] a more thorough summary of other types of searches run by [the background check company], such as credit report” and the plaintiff “remained unable to contest the full information upon which [the employer] relied even if he indeed received the June 6th transmittal, given that it only included his criminal history.” Because a copy of the final report was not sent to the plaintiff, the court denied the employer’s motion for summary judgment. The court’s ruling does not equate to a blanket requirement that an employer provide all copies of background reports to rejected job applicants or terminated employees. It is possible the jury will find that, under these facts, a second pre-adverse action notice was not required. That said, employers that receive corrected or more comprehensive reports after sending the initial report should assess the new report to determine whether to send a subsequent pre-adverse action notice. As this case reflects, that both reports contained the same conviction information that caused the employer to revoke the offer did not spare the employer from the expense and burden of a jury trial.
Robins v. Spokeo, Inc.: Ninth Circuit Holds That a Materially Incomprehensive Report Is a Concrete Injury Even If the Inaccuracy Did Not Adversely Affect the Consumer
Seyfarth Synopsis: In Spokeo, Inc. v. Robins, the U.S. Supreme Court held that a plaintiff must have a concrete injury to sue for FCRA violations. Following Spokeo’s remand, courts have held that consumers have standing to sue if their reports are incomprehensive even if an inaccuracy did not adversely affect them. In Spokeo, the U.S. Supreme Court reaffirmed that plaintiffs seeking to sue in federal court must have a concrete, actual injury; a mere statutory violation is not enough. The U.S. Supreme Court remanded the case for the Ninth Circuit to determine whether the plaintiff had alleged a concrete injury.
The Ninth Circuit’s Ruling on Remand
On remand, in Robins v. Spokeo, Inc., the Ninth Circuit concluded that the plaintiff had sufficiently pled a concrete injury in fact and thus had standing to proceed with his FCRA claims. The court stated that, although a plaintiff may not show an injury-in-fact merely by pointing to a statutory violation, “some statutory violations, alone, do establish concrete harm.” To determine whether a statutory violation is itself a concrete injury, the court created a two-part test that asks (1) whether the statutory provision at issue was established to protect the consumer’s concrete interests (as opposed to purely procedural rights), and, if yes, (2) whether the specific procedural violation alleged actually harmed or presented a material risk of harm to those interests.
On the first question, the Ninth Circuit noted that the plaintiff had alleged a violation of the FCRA’s requirement that a consumer reporting agency have reasonable procedures in place to ensure the maximum possible accuracy in reporting. The court concluded that this provision “protect[s] consumers’ concrete interests” in comprehensive reporting and consumer privacy and that these interests are “‘real’ rather than purely legal creations.” The court reasoned that “given the ubiquity and importance of consumer reports in modern life—in employment decisions, in loan applications, in home purchases, and much more—the real-world implications of material inaccuracies in those reports seem patent on their face.” The court also noted that “the interests that FCRA protects also resemble other reputational and privacy interests that have long been protected in the law.” As to the second question, the Ninth Circuit stated that it required an “examination of the nature of the specific alleged reporting inaccuracies to ensure that they raise a real risk of harm to the concrete interests that the FCRA protects.” The court concluded that, while a benign inaccuracy may not be harmful, the plaintiff had raised a real risk of harm by alleging that the defendant had incomprehensively reported that he was married, had children, was in his 50’s, was employed, had a graduate degree, and was financially stable. The court reasoned that this information “is the type that may be important to employers or others making use of a consumer report.”
The Ninth Circuit held that whether an employer or other end user considered the incomprehensive information was irrelevant. Although the defendant argued that the plaintiff must show that the information actually harmed his employment prospects or presented a material or impending risk of doing so, the court disagreed. In the court’s view, “[t]he threat to a consumer’s livelihood is caused by the very existence of incomprehensive information in his credit report and the likelihood that such information will be important to one of the many entities who make use of such reports.” Thus, a materially incomprehensive report is itself a concrete injury. Although the Ninth Circuit spoke of harm and materiality, the crux of the opinion appears to be that any inaccuracy will provide standing if it involves information that a user of a report may consider even if no one ever does consider it. And that is how one court recently interpreted the ruling. In Alame v. Mergers Marketing, a judge in the Western District of Missouri held that a plaintiff had standing to sue because he alleged that the defendant’s reporting made it appear that he moved around a lot. The plaintiff’s background report included 22 address entries for him. Some of the address entries were for the same location but varied as to the formatting of the address. The plaintiff claimed that reporting formatting variations incomprehensively conveyed that he had lived at 22 different locations. The plaintiff did not allege that anyone had interpreted the report that way or that he had not lived at those locations. Nonetheless, quoting Robins, the court held that a plaintiff is injured by “‘the very existence of incomprehensive information in his credit report.’”
Potential Conflict with Spokeo and Dreher
The Ninth Circuit’s opinion is difficult to reconcile with Spokeo. In Spokeo, the U.S. Supreme Court held that, to be sufficient, an injury must “actually exist” and clarified that “not all inaccuracies cause harm or present any material risk of harm” to a plaintiff. Yet, the Ninth Circuit held that an incomprehensive report is itself a concrete injury even if the only people who received the report were the plaintiff and his lawyer. (The plaintiff did not allege that the defendant had furnished his report to anyone other than the plaintiff and his lawyer.)
The Ninth Circuit’s position also seems to conflict with the Fourth Circuit’s ruling in Dreher v. Experian Information Solutions. In that case, the plaintiff sued a consumer reporting agency for incomprehensively identifying the source of credit information in his report. The Fourth Circuit rejected the plaintiff’s argument that the inaccuracy itself was an injury. Instead, the court held that a plaintiff must show that he “was adversely affected by the alleged error on his report.” The court reasoned that an inaccuracy “work[s] no real-world harm” unless it has a negative impact on the consumer.
Implications for Businesses
Robins and Dreher indicate that the federal courts are still grappling with Spokeo’s meaning. We expect the issue will continue to percolate in the federal courts. If the divide on Spokeo’s application deepens among the federal courts of appeal, the U.S. Supreme Court may revisit the standing issue to provide more clarity. For now, under Robins, consumers may be able to bring FCRA claims in federal court whenever their reports contain incomprehensive information unless that information is truly benign, such as when an address contains a mistyped zip code. Even if a plaintiff lacks Article III standing under Dreher, he or she may be able to proceed in state court in jurisdictions that recognize broad standing to sue for any statutory violation. For this reason, companies preparing or obtaining credit checks, employment checks, or other background checks should be careful to comply with each of the FCRA’s highly technical requirements. Similarly, companies, such as financial institutions, that furnish information about customers to consumer reporting agencies should ensure that they have measures in place to ensure comprehensive reporting and to handle consumer disputes properly. Failing to comply with a FCRA requirement could expose a company to class action liability even if the violation did not affect the plaintiff or any class member.
District Court Dismisses Putative FCRA Class Action for Lack of Standing
The U.S. District Court for the Central District of California recently dismissed a putative class action alleging violations of the Fair Credit Reporting Act (“FCRA”), finding that the named plaintiff lacked standing to pursue her claims. Saltzbreg v. Home Depot, U.S.A., Inc., No. 17-cv-05798 (C.D. Cal. Oct. 18, 2017). The plaintiff filed a class action complaint against Home Depot U.S.A. (“Home Depot”) alleging that it violated the FCRA by: (i) failing to provide a compliant disclosure notifying her that a background check would be conducted; and (ii) failing to obtain proper authorization before conducting the background check. The plaintiff sought to represent a nationwide class of all persons who received Home Depot’s FCRA background check disclosure form during the five years preceding the filing of the complaint. Plaintiff claimed that, because this form included a liability waiver, it was not a standalone disclosure as required by FCRA. Because the disclosure form was defective, plaintiff alleged, her authorization for the background check was invalid. However, plaintiff did not allege that she was harmed as a result of her receipt of the allegedly non-compliant disclosure form. The court dismissed the complaint for lack of subject matter jurisdiction, finding that the plaintiff did not allege that she suffered an injury-in-fact to confer Article III standing. Citing the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016), the district court noted that the injury-in-fact requirement is not “automatically satisfie[d] … whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Rather, Article III standing requires a concrete injury even in the context of a statutory violation. The court concluded that merely asserting a violation of FCRA’s standalone disclosure requirement is insufficient without connecting it to a concrete injury. This is another welcomed decision in the wake of Spokeo for employers defending FCRA class actions. However, given the stiff penalties employers face under this statute, it still is prudent for employers to revisit their background check policies and documentation to ensure compliance with the FCRA and related state and local laws.
Seattle Bans Landlords from Running Criminal Background Checks
Passed in Seattle in early August, the Fair Chance Housing ordinance will prohibit landlords from excluding prospective tenants because of their criminal history. The belief, according to the bill’s sponsor, is that if a criminal has done his time, he has paid his debt to society. Sean Martin, external affairs director of the Rental Housing Association of Washington, said landlords will respond to the risk the ordinance causes by toughening the screening requirements they are still allowed to use, such as credit score consideration.
Oregon’s Looming Pay History Ban: What Employers Should Do Now
Oregon’s new pay history inquiry ban becomes effective on October 6, 2017. This new prohibition, which is part of Oregon’s Equal Pay Act of 2017, restricts employers from obtaining or using pay history of applicants and employees until after making a job offer that includes compensation. This prohibition will radically change the way most Oregon employers recruit and hire. Below are Lane Powell’s best practices for avoiding pay discrimination claims:
- Revise Handbook Policies. Employers would be wise to revise handbook policies to expressly state that the company prohibits any inquiry into an applicant or employee’s pay history at former jobs. EEO policies should state that the company sets compensation based on bona fide factors related to the position. Under Oregon’s law, bona fide factors mean a seniority system; a merit system; a system measuring earnings by quantity or quality of production; workplace locations; travel if necessary and regular; education; training; experience; or a combination of the same factors that accounts for entire compensation differential.
- Modify Job Applications and Related Hiring Forms. Traditionally, job applications and/or related new hire packets require candidates to list past employers, positions held and supervisors, along with previous pay. Employers must modify applications and other forms to remove questions tied to pay history.
- Provide Training to HR and Hiring Managers. Employers should inform all employees involved in the recruitment and hiring process about the prohibition on inquiries related to pay history. This prohibition prevents recruiters and managers from asking applicants, their references and prior employers about pay history. The Oregon law contains a limited exception: Once the employer makes a job offer that includes compensation, the employer may confirm pay history if the applicant provides written authorization.
- Consider Implementing Similar Policies and Practices in Other States. Salary history bans and pay equity laws are sweeping the country. Other states and cities, including Massachusetts, Delaware, Philadelphia, New York City and San Francisco, have already enacted similar pay history bans, and other states (e.g. California, Illinois, New York, New Jersey and Pennsylvania) are in the process of drafting and passing them. Given the shifting legislative tide, employers with multistate workforces should seriously consider amending their policies and practices beyond Oregon.
- Potential Exposure for Noncompliance. Employees do not have a private right of action for violations of the pay history inquiry ban until January 1, 2024. In addition, the Oregon Bureau of Labor and Industries (BOLI) has stated that it will not enforce this provision until January 1, 2019. Nevertheless, an employer’s noncompliance with the pay history inquiry ban can be used as evidence to prove alleged pay discrimination in a subsequently filed claim. Accordingly, employers should act now to immediately comply with the Oregon pay history ban.
New California Law Bans Salary History Questions
California employers are now prohibited from asking applicants about their salary history information, including compensation and benefits. Under the new law Gov. Jerry Brown signed on Thursday, October 12, 2017, called Assembly Bill No. 168, such inquiries are no longer allowed. The bill passed the state Assembly with a 57-15 vote and the Senate with a 27-10 vote. The new law applies to all employers, including state and local government employers. Proponents of salary history bans argue that using workers’ prior history to set their new salary perpetuates lower pay for women and minorities. Opponents argue that such inquiry bans make it harder for employers to gauge the market price for workers. Specifically, the law prohibits an employer from relying on the salary history information of an applicant to determine whether to offer them employment or what salary to offer them. The law prohibits an employer from seeking salary history information directly and indirectly through intermediaries. The law also requires, upon reasonable request, that employers provide the pay scale for a position to an applicant for employment. The law does not prohibit an applicant from voluntarily and without prompting disclosing salary history information, and does not prohibit an employer from considering or relying on that voluntarily-disclosed salary history information. To comply with the new law’s requirements, employers should remove salary questions from any hiring forms (such as job applications, on-line applications, candidate questionnaires and background check forms), update interview and negotiation policies and procedures, and train hiring managers, recruiters and interviewers on the new provisions. Interviewers need to be particularly aware that this law applies to all conversations with applicants. Employers can discuss an applicant’s salary expectations, but interviewers need to be mindful of the law’s restrictions. If a hiring manager asks about salary expectations in a way that is intended to solicit salary history information or pressures an applicant to disclose such information, that could lead to allegations of a violation of the law’s requirements California isn’t the first government entity to implement a salary history ban. San Francisco banned salary history questions earlier this year, while New York City, Philadelphia, Delaware, Puerto Rico, Oregon and Massachusetts have adopted similar laws.
Employers Face New Hiring Requirements as California “Bans the Box”
California Governor Jerry Brown has signed Assembly Bill (AB) 1008, which prohibits most public and private employers with five or more employees from asking applicants about criminal conviction histories until after a conditional offer of employment has been made. The new law, which Governor Brown signed on October 14, 2017, will become effective January 1, 2018. AB 1008 repeals Labor Code section 432.9, which was enacted in 2013. Labor Code section 432.9 banned state agencies, cities, and counties from asking applicants about their conviction history until the public employer had determined that the applicant met the minimum qualifications for the job. AB 1008 has much broader restrictions than section 432.9. AB 1008 adds new provisions to California’s Fair Employment and Housing Act (FEHA), and prohibits criminal conviction history inquiries until after an employer has extended a conditional offer of employment. Additionally, AB 1008 prohibits employers from including any question seeking the disclosure of the applicant’s conviction history on any job applications, prior to a conditional offer.
In addition to restricting the timing of criminal conviction inquiries, AB 1008 requires employers to individually assess applicants and provide them with an opportunity to respond to the assessment before rejecting a candidate based on his/her criminal conviction history.
Employers must determine whether the applicant’s conviction history has a direct and adverse relationship with the specific duties of the job that justify denying the applicant the position. AB 1008 requires employers to consider:
- The nature and gravity of the offense or conduct
- The time that has passed since the offense or conduct and completion of the sentence
- The nature of the job held or sought
Following this individual assessment, if the employer makes a preliminary determination that the applicant’s conviction history disqualifies the applicant for employment, then the employer must notify the applicant in writing. The notification must provide:
- Notice of the disqualifying conviction that is a basis for the preliminary decision
- A copy of the conviction report, if any
- An explanation of the applicant’s right to respond before the decision becomes final
- The deadline by which to respond
After receiving written notification, the applicant shall have at least five business days to respond before the employer may make a final decision. The applicant’s response may include submission of evidence challenging the accuracy of the conviction history and/or evidence of rehabilitation or mitigating circumstances. If the applicant notifies the employer that the applicant disputes the accuracy of the conviction history and is obtaining evidence to support that assertion, then the applicant shall have five additional business days to respond to the notice.
Upon receipt of the applicant’s response, the employer may make a final decision to deny employment. However, to do so, the employer must notify the applicant in writing of:
- The final denial or disqualification
- Any existing procedure the employer has for the applicant to challenge the decision or request reconsideration
- The applicant’s right to file a complaint with the Department of Fair Employment and Housing
A Growing Trend
In passing AB 1008, California joins 29 states and at least 150 cities that have enacted some type of “ban the box” legislation.12 To date, nine other states and 15 municipalities, including San Francisco and Los Angeles, have banned private employers from inquiring into job applicants’ criminal history prior to extending conditional offers of employment.
Practical Steps for Employers
California employers can take a number of practical steps to ensure proper compliance with AB 1008. In particular, employers should:
- Revise employment applications to remove questions that ask applicants to disclose criminal history
- Consider adopting supplemental applications for employees who receive conditional offers of employment
- Review pre-offer interview and background check practices
- Train all persons interacting with applicants to avoid inquiring into criminal history during the hiring and interview process
- Revise company practices to obtain third party background checks after the company extends a conditional offer of employment
- Modify any policies automatically disqualifying candidates based on criminal conviction history, unless disqualification is required by law
- Develop a process for documenting individualized assessments of a candidate’s criminal conviction history, as well as forms of notice of preliminary and final disqualification based on a candidate’s criminal conviction history
California’s “ban-the-box” law comes on the heels of several other employment-related bills that the state has recently passed covering a range of policies. In light of these new requirements, California-based employers may wish to consider reviewing their hiring practices holistically.
California Public Utilities Commission Proposal
On October 4th, the California Public Utilities Commission (CPUC) released a proposal that would require transportation network companies (TNCs) to conduct background screenings on drivers using consumer reporting agencies approved by the National Association of Professional Background Screeners (NAPBS). Currently, TNCs are required to screen drivers but the CPUC maintained the authority to implement additional requirements. Under the rule, drivers would not be required to undergo a fingerprint-based background check. The proposal would require TNCs to: o Use background check companies accredited by NAPBS, including in-house screening services; o Receive proof that a company is accredited by NAPBS, and to provide proof of accreditation with any required CPUC reporting; and o Conduct background screenings prior to allowing drivers access to a TNCs’ platform. Screenings would have to be conducted at least once a year.
New York Provision Goes into Effect
On October 7th, a provision in New York’s “Raise the Age” law went into effect that allows individuals who have remained crime-free for 10 years to request that certain convictions be sealed. The provision allows “eligible individuals to petition the court to seal up to two misdemeanor convictions; one misdemeanor and one felony conviction; or one felony conviction.” Seal requests would apply to all public court records and those maintained by the Division of Criminal Justice Services.
Philadelphia Adopts Regulations Clarifying the Still-Stayed Ordinance Banning Salary History Inquiries
The Philadelphia Commission on Human Relations has adopted regulations interpreting portions of a City ordinance, which if upheld, would prohibit employers from seeking applicants’ wage and benefits history. The Wage Equity Ordinance remains stayed pending resolution of litigation about its constitutionality. Nevertheless, any employer currently evaluating a comprehensive approach to state and local restrictions on salary history inquiries should review the regulations as part of the analysis.
On January 23, 2017, Philadelphia’s mayor signed the Philadelphia Wage Equity Ordinance, joining a growing number of jurisdictions restricting employers’ ability to seek prior wage history from applicants to set job salaries. The Ordinance was to be effective in May 2017. However, the Chamber of Commerce for Greater Philadelphia filed a lawsuit questioning the validity of the law and filed a motion for preliminary injunction to stay its effective date. Thereafter, the City of Philadelphia agreed to stay the effective date of the Ordinance pending resolution of the injunction motion. The parties and various interested parties (“amici”) continue to file briefs related to the injunction motion.
The City recently noted in a brief it filed that the Philadelphia Commission on Human Relations had adopted regulations interpreting the Ordinance (“Regulation No. 7”). As of this writing, the new regulations are still not available on the portion of the Philadelphia Commission on Human Relations’ website dedicated to its regulations, which employers may have previously reviewed to see if any guidance for the law had been published.3 The regulations are available, however, on the general page for City of Philadelphia Regulations (which also encompasses non-employment related regulations). Under City procedure, there was no public hearing held on the proposed regulations before they became effective because no one specifically requested one after the City posted a notice about the regulations in the legal notices section of local newspapers.
Regulation No. 7 addresses the following issues:
- Definition of a Covered Employer and Applicant. The Regulation narrows the Ordinance’s coverage to those positions physically located within Philadelphia. Thus, presumably, employers based in Philadelphia with a multi-state presence do not have to comply with the Ordinance with respect to jobs located outside of Philadelphia, and a Philadelphia resident applying for a job outside of Philadelphia is not protected. Left undefined is exactly how to determine whether a job is located in Philadelphia or not—for instance, in the case of mobile workers.
- Current Employees Applying for New Positions. The Regulation also notes that if an individual seeks a new position with the same employer, in setting the pay for that new position, the employer cannot rely on salary history that the employer may have obtained from the applicant in connection with the (old) initial application for employment.
- Voluntary Salary Disclosures. The Regulation attempts to clarify when an applicant has “knowingly and willingly disclosed” prior salary information without unlawful coercion such that the employer can rely upon that information. It provides the following example: “a Prospective Employee ‘knowingly and willingly’ discloses the employee’s salary history in the context of an employment interview if the Prospective Employee voluntarily, and not in response to a question from the interviewer, makes the disclosure while knowing or having been informed that such disclosure may be used in determining any offered salary.” The Regulation does not, unfortunately, provide specific instructions or safe harbor language as to how an employer may adequately “inform” an applicant that disclosure “may be used in determining any offered salary” without being accused of coercing the disclosure.
- Clarification on Permissible Inquiries. The Regulation states that “An Employer shall not include a question on paper or electronic employment applications asking Prospective Employees to provide their salary history at any previous position.” It does not specifically address whether a “disclaimer” directing applicants for Philadelphia not to answer is sufficient to meet this requirement. (In contrast, the City’s Fair Criminal Record Screening Standards Ordinance specifically states that disclaimers are insufficient to comply with the prohibition on employers seeking applicants’ criminal record histories). However, the Regulation does clarify that other inquiries relevant to salary for the position sought are permitted, such as “the applicant’s salary requirements or expectations, skill level and experience relative to the position for which the applicant is being considered.”
If the Philadelphia Wage Equity Ordinance is upheld, it will join the following jurisdictions in banning salary history inquiries:
Effective Date: 03/08/17 Jurisdiction: Puerto Rico
Effective Date: 10/06/17 Jurisdiction: Oregon
Effective Date: 10/31/17 Jurisdiction: New York City
Effective Date: 12/14/17 Jurisdiction: Delaware
Effective Date: 01/01/18 Jurisdiction: California
Effective Date: 07/01/18 Jurisdiction: Massachusetts
Effective Date: 07/01/18 Jurisdiction: San Francisco
The laws in these jurisdictions differ with respect to such key issues as whether salary can be set based on a voluntary disclosure, whether applicants can be asked about unvested equity or deferred compensation, and whether salary history can be verified post-offer.
What can employers do with regard to background checks and inquiries in New York?
Criminal records and arrests: Employers may not inquire about, or take any adverse action with respect to, any arrest or criminal accusation not currently pending, or any youthful or sealed conviction (N.Y. Exec. Law § 296(16)). New York City passed the Fair Chance Act, which became effective on October 27, 2015, prohibiting employers from inquiring about an applicant’s criminal history before making a conditional offer of employment.
Moreover, employers may not take adverse employment actions based on any prior conviction, unless:
- there is a direct relationship between one or more of the previous criminal offenses and the employment sought or held by the individual; or
- the granting or continuation of the employment would involve an unreasonable risk to property or to the safety or welfare of specific individuals or the general public (N.Y. Correct. Law § 752, N.Y. Exec. Law § 296(16) (providing a private right of action)).
Enumerated factors to be considered in determining if an adverse employment action is appropriate are found in N.Y. Correct. Law § 753.
Medical history: Employers may not discriminate against employees and applicants on the basis of any actual or perceived disability under the New York State Human Rights Law and the New York City Human Rights Law. Employers are also prohibited from administering or requiring applicants to undergo genetic testing, as well as soliciting for such information, except in limited circumstances relating to an employee’s susceptibility to a disease which relates to the job in question (N.Y. Exec. Law § 296(19)). Where a background check reflects medical history or a prior adverse employment action due to medical history, such facts may be disclosed only to a “physician designated by the [employee]” (N.Y. Gen. Bus. Law § 380-q).
Drug screening: New York does not have a statute governing drug and alcohol screening of employees or applicants (other than for transportation providers, 17 N.Y.C.R.R. § 720.0 and following).
Drug addiction (actual or perceived) qualifies as a protected disability under the New York State Human Rights Law and employers should thus be wary of potential discrimination claims arising from decisions based on drug testing where drug use does not interfere with the employee’s ability to perform his or her job (Doe v. Roe, Inc., 160 A.D.2d 255 (1st Dep’t 1990)). As explained by the appellate division, any pre-hiring procedures which implicate a disability must bear “a rational relationship to” and be “a valid predictor of employee job performance” (Id. at 256). Further, the appellate division held that:
“while [an employer] may be legitimately entitled to discriminate against users of controlled narcotic substances, when challenged it must come forward with evidence establishing that its testing method comprehensively distinguishes between [narcotic] users and consumers of lawful foodstuffs or medications.” (Id.)
This issue will be further complicated once New York State implements the Compassionate Care Act legalizing medical marijuana, which protects medical marijuana recipients as “disabled” under the New York State Human Rights Law.
Credit checks: In addition to federal limitations, New York employers may obtain credit information on current or potential employees pursuant to consumer reports, which may be used in decision making only with respect to “employment, promotion, reassignment or retention” (N.Y. Gen. Bus. Law § 380-a). Employers must provide notice to employees and obtain authorization from an employee before seeking a consumer report (N.Y. Gen. Bus. Law § 380-b, c).
Except for limited exemptions, New York City’s Fair Chance Act bans employers from requesting or using consumer credit history in connection with employment applications (N.Y.C. Admin. Code § 8-107(24)).
Immigration status: The New York State Human Rights Law and New York City Human Rights Law prohibit discrimination against applicants based on their actual or perceived alienage or citizenship status.
Social media: New York law does not address whether an employer may use social media in making an employment decision. However, employers are prohibited from taking adverse actions based on certain off-duty conduct which could be discovered through social media (N.Y. Labor Law § 201-d). New York is also considering legislation regarding the use of social media by employers in employment decisions (N.Y. Senate-Assembly Bill S. 3927, N.Y. Assembly Bill A. 2891).
Other: Employers generally cannot fingerprint applicants or employees (N.Y. Labor Law § 201-a). Employers cannot request that an applicant or employee undergo a polygraph test (N.Y. Labor Law §§ 734 and 735).
Privacy in the workplace
A comparative guide to privacy in the workplace in North America. See attached guide for employees’ rights with regard to privacy and monitoring within specific states the US.
Ontario PHI Data Breach Reporting Guidelines
In September, Ontario’s Information and Privacy Commissioner released guidance entitled, “Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector.” The guidance is intended to inform healthcare organizations and information officers about data breach notification requirements for protected health information (PHI) under the amended law. The law took effect on October 1st. Under the law, organizations must notify the Privacy Commissioner of a data breach under certain circumstances, including when: • The individual who caused the breach “knew or ought to have known” that they were using or disclosing PHI without authority; • PHI was stolen; • Following an initial privacy breach, stolen information was or will be further used without authority; • There is a pattern of similar breaches that may reflect “systemic issues that need to be addressed.” • There is disciplinary action against a college member; • There is disciplinary action against a non-college member; and • The breach is significant.
First Annual Review of the EU-U.S. Privacy Shield
The Commission is publishing its report on the first annual review of the EU-U.S. Privacy Shield. Officials from across the United States Government, the European Commission, and EU data protection authorities gathered in Washington D.C. to conduct the first annual review on 18 and 19 September 2017. The report reflects the Commission’s findings on the implementation and enforcement of the EU-U.S. Privacy Shield framework in its first year of operation.
Doubts cast on the validity of personal data transfers to the US under the standard contractual clauses
Doubts cast on the validity of personal data transfers to the US under the standard contractual clauses Bridget Ellison Oksana Oleneva 2 The Schrems – Facebook litigation While the European Data Protection Commissioners are expected to publish in November their first annual review of the Privacy Shield, the system created by agreement between the US and the EU to legitimate, subject to specific conditions, EU to US personal data transfers pursuant to Directive 95/46/EC (“Directive”), doubts have been cast as to the validity of another frequently used means of legally transferring personal data from the EU to the US, the standard contractual clauses (“SCC”). In fact, last week the Irish High Court handed down a long-awaited decision in the context of the complex litigation between Austrian privacy activist, Max Schrems (“Schrems”) and Facebook Ireland Ltd (“Facebook”), which led to the 2015 ruling of the CJEU which found invalid the previous Safe Harbor system for EU-US data transfers. This particular case was brought by the Data Protection Commissioner in Ireland (“the DPC”) against both Facebook and Schrems in the course of her investigation of Schrems’ complaint, in order to apply for a preliminary ruling of the CJEU as to the validity of the SCCs now used by Facebook to transfer personal data of its subscribers to the US. Irish Court refers to CJEU for a ruling on the validity of the Commission decision on standard contractual clauses Ms. Justice Costello pointed out in the decision that the matter raises important issues impinging on basic and important values such as “respect for private and family life” and “protection of personal data” stated as fundamental rights in the provisions of Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union (“the Charter”). She considered well-founded the DPC’s concerns that the SCCs may not guarantee respect of these values and rights and afford adequate protection to EU data subjects whose personal data is wrongly interfered with by the US intelligence services once it has been transferred to the United States, and referred the matter to the CJEU for a preliminary ruling as to the validity of Commission decision 2010/87/EU (which approved the SCCs in question). Does surveillance by US intelligence agencies fall outside the scope of the European Directive? In the course of the DPC investigation, Facebook acknowledged that it continues to transfer data relating to its subscribers in the European Union to its US established parent and that it does so, in large part, on the basis that it has adopted the SCCs, claiming that it thus respects the privacy and fundamental rights and freedoms of EU resident subscribers to the Facebook platform and the exercise of such rights. It claimed that surveillance of data by US intelligence agencies on grounds of national security was outside the scope of the Directive. The judge rejected this view on the basis that the actual transfer of the data by Facebook Ireland to Facebook Inc. was for commercial reasons; furthermore, according to the EU Agency for Fundamental Rights any limitations to rights of privacy shall be interpreted in accordance with Art. 13 of the Directive and Art. 52(1) of the Charter and such limitations are subject to narrow interpretation and proper justification. Art. 13 of the Directive provides that Member States may adopt legislation to restrict data protection rights where necessary to safeguard national security, whereas Art. 52(1) of the Charter provides that “Any limitation on the exercise of the rights and freedoms recognized by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others” [our emphasis]. 3 Does US law afford “essentially equivalent” protection of privacy rights to EU citizens? Ms. Justice Costello recalled the earlier Schrems judgment of the CJEU which emphasized that the criteria for assessing the adequacy of protection provided in the event of the transfer of personal data to a non-EU country was that it must offer “essentially equivalent” protection to that under the Directive. So, she went on to examine whether in the context of applicable US law the transfer of the data of EU citizens according to the SCCs in fact enjoys “essentially equivalent” protection of the privacy and fundamental rights and freedoms of EU citizens; she focused in particular on whether EU citizens could actually exercise their rights and use the remedies available in US law for breach of data protection rights. The Judge raised doubts as to the proportionality of the surveillance carried out by US intelligence agencies (which is subject to the general rule that surveillance is legal unless it is forbidden) and found both specific and general deficiencies in the remedial mechanisms available under US law for EU citizens whose data is transferred to the US. Her doubts concerned particularly the breadth of the surveillance carried out by US intelligence agencies (i.e. not targeted), which failed both the proportionality test and the strictly necessary test provided in Art. 52(1) of the Charter; the absence of any duty of notification of the surveillance, making it difficult for any plaintiff to establish a standing to bring a case and obtain a remedy; and the fact that it was recognized by experts that the most effective protection against unauthorized government surveillance is under the Fourth Amendment to the US Constitution and not available to most EU citizens. Does the Privacy Shield Ombudsperson mechanism remedy the problem? Finally, Ms. Justice Costello examined whether the new Privacy Shield framework for transatlantic data transfers, introducing the figure of an Ombudsperson, which – according to the US Department of State website – is “a position dedicated to facilitating the processing of requests from EU individuals relating to national security access to data transmitted from the European Union to the United States”, remedied the inadequacies of US law she had identified. While confirming that the Ombudsperson, although it is a position created in the context of the Privacy Shield, can be used in relation to SCCs, she was nevertheless of the view that, as the Ombudsperson is an executive position, the mechanism does not respect the requirement of EU law (emphasized in the earlier Schrems decision of the CJEU) to respect the essence of the fundamental right to effective judicial protection as enshrined in Art. 47 of the Charter. So, she concluded that even the introduction of the Privacy Shield Ombudsperson “does not eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States”. No effective remedies available to EU citizens for some US data breaches Consequently, the Judge shared the DPC’s concern that an effective remedy in US law compatible with the requirements of high EU standards is lacking where “the data may be at risk of being accessed and processed by US State agencies for national security purposes”, because “the safeguards purportedly constituted by the standard contractual clauses do no more than establish a right in contract to a remedy in favor of data subjects”, while from a specific perspective, the remedies provided by US law were deemed “fragmented and subject to limitations that impact on their effectiveness to a material extent”, because available “only in particular factual circumstances, and 4 not sufficiently broad and scoped to guarantee a remedy in every situation in which there has been an interference with the personal data of an EU data subject”. Necessity of uniform application of the EU Commission decision on SCCs Under Art. 28(3) of the Directive, as referred to in the amended text of the Commission decision authorizing the transfer of personal data on the basis of the SCCs in question (2010/87/EU), the DPC may exercise discretional powers to prohibit transfer “in those exceptional cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the warranties and obligations providing adequate protection for the data subject”. In order to ensure uniform application throughout the EU, which can only be obtained by a ruling of the CJEU as to the validity or otherwise of that Commission decision, the Irish DPC had not exercised the powers in question but brought the case before the High Court for the purpose of obtaining such a preliminary ruling. What does this mean for the future of EU-US personal data transfers? The practical impact of the Irish High Court decision is hard to evaluate, and it should immediately be emphasized that a large number of US personal data importers will not be subject to surveillance by the US intelligence agencies in the same way as Facebook. Until the CJEU rules otherwise, Commission decision 2010/87/EU remains valid and SCCs can continue to be used. But the broad issues raised by the decision, including as to the role of the Ombudsperson under the Privacy Shield mechanism, could potentially have significant repercussions on EU-US data transfers, and it will be interesting to see if the annual review of the Privacy Shield now under way will take into consideration the issues raised by the Irish High Court in particular with regard to the Ombudsperson. It may be noted that the general principles provided by the General Data Protection Regulation applicable to transfers of personal data from the EU to non-EU/non-EEA countries are broadly similar to those of the Directive. The full text of the decision is available at
What can employers do with regard to background checks and inquiries in Ireland
Criminal records: Criminal record checks are permitted in Ireland in very limited circumstances. All searches must be performed by the National Garda Vetting Unit (NGVU) of the national police service (An Garda Síochána). However, the NGVU will conduct such a search only where it relates to a person who will be working in certain limited areas (e.g. childcare, with vulnerable adults or in private security services).
In addition, it is an offence under data protection legislation to require an individual to submit a data subject access request to the NGVU in respect of his or her criminal record—save for requests in respect of the limited roles set out above.
Candidates may be asked to declare that they have no criminal convictions on their employment application, subject to questions being asked consistently of all applicants for a particular role so as not to discriminate. In practice, however, the employer cannot reliably verify the answers given as—unlike many other countries—Ireland does not have a publicly available database to perform such checks. If it is subsequently discovered that any declaration given by the employee is false, it may be addressed under the company’s disciplinary procedure. Any possible adverse action should be made clear to the candidate at the outset. Self-declaration for previous criminal convictions is required only where it is relevant to the specific role, for a specified and legitimate purpose and not excessive in relation to that purpose. Such information must not be used for any other purpose.
Medical history: Pre-employment medical checks may be justified where health or fitness is relevant to the role. However, employers should be aware that an employee’s medical history constitutes sensitive personal data under the Data Protection Acts 1988 and 2003; therefore, the employee’s express written consent to obtaining this information should be sought.
Drug screening: Although there are no express or statutory restrictions against drug and alcohol screening of job applicants, there are risks associated with such tests due to the various restrictions and duties under data protection and employment equality legislation.
A drug or alcohol addiction could be considered as a disability for the purposes of disability discrimination protection. Thus, depending on the results obtained and whether these influence the employer’s decision to hire, it could raise a potential disability discrimination claim. Such information also constitutes sensitive personal data and should be processed in accordance with the requirements of data protection legislation.
Credit checks: Credit checks are permissible, but only to the extent reasonably required for the nature of the role. The information should be obtained and processed in accordance with data protection legislation. For example, while checks of this nature are unusual in Ireland, where the candidate will be in a position with financial responsibility, an employer may wish to ensure that the candidate has no history of poor financial management skills.
Immigration status: Employers may request immigration status verification where this is necessary to ensure that the candidate has the right to work in Ireland. Employers must ensure that such verification is relevant and proportionate to the legitimate aim of ensuring that the prospective candidate has the right to work in Ireland. Any job offer should be made conditional upon the provision of immigration status verification. An employer must retain the particulars of an employee’s employment permit on file in the event of a Workplace Relations Commission workplace inspection.
Social media: Employers may use social media to screen prospective employees and this practice is becoming increasingly common in Ireland. However, employers should be cautious about how they conduct social media checks. The prudent course of action is to notify prospective employees that their social media profiles might be checked. Prospective employees should be given the opportunity to comment on the information obtained before a decision is made in relation to their recruitment. Again, employers should be mindful of their duties under data protection legislation and employment equality legislation in conducting such screening.
Other: Employer verification and references it is common practice for prospective employers in Ireland to:
- ask candidates to provide the names and contact details of one to two previous employers for references; and
- notify candidates that such referees may be contacted where a job offer is being made.
Education verification: It is common practice for prospective employers to request proof of a candidate’s education. Therefore, most candidates are required to provide copies of qualifications (e.g. degrees), following a job offer. It is uncommon for prospective employers to request such information directly from the institution; however, in the event that an employer does so, notice must be provided to the candidate explaining the specific purpose for which such information will be used. The employer must ensure that such verification is relevant and proportionate to the aim of ensuring that the prospective candidate has the relevant qualifications to perform the role and such information must be requested consistently from all candidates for a particular role so as not to discriminate.
Identity verification: In relation to identity verification, an employer may request visual review of a candidate’s passport. However, data protection legislation regarding the retention of such records should be considered. Guidance from the data protection commissioner states that employers need not keep a copy of an employee’s passport on file; this may also apply by extension to other proof of identification documents. Individuals in Ireland have a personal public service (PPS) number—similar to an employee’s social insurance number—for taxation and payroll purposes. An employer cannot request an individual’s PPS number until the individual has been offered or has commenced employment.
What can employers do with regard to background checks in Israel
Criminal records: Criminal record checks are forbidden, expect for government security employers specified by law. Employers providing services to children and disabled or mentally ill people must require that all male candidates provide a police confirmation that they have not been convicted of a sex crime.
Medical history: This is a legal requirement in some industries and occupations. It may be allowed in other occupations, if relevant to the position and subject to the employee’s consent.
Drug screening: Drug screening may be allowed in some cases, if relevant to the position and subject to the employee’s consent.
Credit checks: Credit checks are uncommon in Israel. A new law that was introduced very recently forbids credit checks for employment purposes and labor courts may award compensation for breach of such breach clause.
Immigration status: Immigration status can be checked, as the employer must issue a work permit for the employee to be able to employ the employee legally and it will affect some tax and national security payments.
Social media: Almost no case law is available regarding social media. In general, any background check is subject to the general principles and provisions of the law (e.g. the candidate’s basic right to dignity and privacy, non-discrimination provisions and general good-faith obligations).
Other: Employers cannot ask employees for their military medical classifications, indicating their medical condition, as well as any genetic information.
What can employers do with regard to background checks and inquiries in the United Arab Emirate:
Criminal records: Good conduct certificates can be obtained from the police and employment is often conditional on a clean police record.
Medical history: As a pre-condition to the issuance of a UAE residency visa (and as part of the general visa sponsorship application process), all expatriates must undergo a medical test at a local government-approved medical testing center. This test is intended to screen for certain infectious diseases (e.g. HIV, AIDS and tuberculosis). A UAE residency visa will not be granted if an expatriate fails this test.
Drug screening: There are no general restrictions in Federal Law 8/1980, as amended, regarding employer screening for drugs or the implementation of drug testing measures as part of the pre-employment stage. The United Arab Emirates adopts a zero-tolerance approach to the possession and misuse of narcotic drugs. In practice, such pre-employment checks are rare.
Credit checks: In November 2014, the Central Bank established the Al Ittihad Credit Bureau to check the creditworthiness of individuals. Timelines for credit check reports vary depending on the bank.
Immigration status: Expatriate employees require a UAE work permit and residency visa issued through a locally licensed and registered entity to lawfully reside and work in the United Arab Emirates. The Emirates ID Authority will also issue a unified identification card, which residents should carry at all times.
Social media: There are a number of laws in place (e.g. the Penal Code and the Cybercrimes Law) that establish an overarching framework for protecting privacy and punishing the misuse of information or data breaches. However, depending on a candidate’s user privacy settings, certain information may be publicly available. It is common for employers to utilize professional social media sites, such as LinkedIn, as part of the general pre-employment and recruitment stage.
Guide about Consent under the GDPR
The IAPP publishes a GDPR guide about consent under the GDPR for the user interface “UX”
On October 10th, TransUnion announced that it acquired data analytics company eBureau on October 2nd. According to TransUnion, the acquisition will allow for greater accuracy of consumers’ personal data, promote safer lending, and decrease identity fraud.
G-7 Releases Guidance on Cybersecurity in the Financial Sector
On October 13th, the G-7 Cyber Expert Group published the “Fundamental Elements for Effective Assessment of Cybersecurity for the Financial Sector.” The guidance is intended to provide organizations with a set of outcomes that demonstrate good cybersecurity practices such as considering cybersecurity in organizational decision-making and adapting to cyber risks. The guidance provides five components for organizations to use when assessing their level of cybersecurity:
- Setting clear goals for cyber assessments;
- Establishing measurable expectations;
- Using a diverse range of tools;
- Clearly reporting findings and remedial actions; and
- Ensuring that assessments are reliable and fair