Introduction - Careers @ Sutherland Global – Just …sutherland-careers.com/.../1394562319-Background_C… · Web viewProperty ownership Military records State licensing records

Background Check Policy

Updated February 20, 2014

SGS Confidential Page 1

Table of Contents

Introduction.............................................................................................................................................................3

Purpose....................................................................................................................................................................3

Catering for Levels....................................................................................................................................................4

Average cost of basic criminal check:.......................................................................................................................6

Contractual Requirements.......................................................................................................................................7

United States:.......................................................................................................................................................7

Canada:................................................................................................................................................................7

Latin America:......................................................................................................................................................8

Philippines:...........................................................................................................................................................8

PCI / HIPAA Compliance...........................................................................................................................................9

Appendix................................................................................................................................................................14

Geo Consideration..............................................................................................................................................14

United States:.................................................................................................................................................14

Canada:...........................................................................................................................................................19

Mexico:...........................................................................................................................................................21

Bulgaria:.........................................................................................................................................................21

United Kingdom:.............................................................................................................................................22

India:...............................................................................................................................................................23

Philippines:.....................................................................................................................................................27

Colombia:.......................................................................................................................................................27

Jamaica:..........................................................................................................................................................30

United Arab Emirates:....................................................................................................................................30

Risks....................................................................................................................................................................33

Sources...................................................................................................................................................................36


IntroductionThis policy covers employees of Sutherland Global Services across all geographies regarding

background checks.

PurposeThe purpose of this document is to highlight current policies as well as laws and regulations in the

current countries where Sutherland Global Services is represented. This is a summarization of current

background check policy as well as recommendations for future practices.


Catering for Levels

Entry-Level Background Screening

Entry-level employees are often overlooked when it comes time to develop a company’s screening

program. At the lower end of the pay scale and high end of the turnover statistics, many companies

assume screening of entry-level employees will not provide them enough return on their investment.

GOAL: Best practice for Consultant-level positions appears to be a National Social Security Search (or

local equivalent), Criminal History, Multi-State Criminal History Search (or local equivalent), Multi-State

Sex Offender Search (or local equivalent, where permissible) and a Drug Test (where permissible) while

complying with the FCRA per below.

Management Background Screening

Management-level hires can pose risks touching all areas of the business – from public relations to

employee productivity. At the top of the payroll scale, the cost of a bad management hire may be

tough to absorb. Background check and drug testing services can help vet your management

candidates long before they write their first corporate memo or lead their first meeting. Doing a

criminal history search will help ensure that the hire poses no physical risk, while verification services

ensure that your new manager has the credentials and relevant experience necessary to do the job.

GOAL: Best practice for Management level positions appears to be all background checks, besides the

MVR. If some crime was committed while driving, it would show up in the Criminal History search

while complying with the FCRA per below.

Complying With the FCRA

Generally speaking, the Fair Credit Reporting Act (FCRA) requires employers to ensure that

applicants/employees are:

(1) Aware that consumer reports are being obtained for employment purposes;


(2) In agreement to disclose these reports and

(3) Receiving notifications when an employer takes action based on information gathered from the

consumer reports. These requirements are broken down into the following four different steps that the

employer must take for every consumer report it obtains:

Notice: The employer must provide written notice to the applicant/employee of the intent to obtain a

consumer report. The notice must be a separate document and not part of an application.

Consent: The employer must obtain written consent from applicant/employee acknowledging he/she

has been provided with a notice of the employer’s intent to obtain a report, and that the

applicant/employee read/understands all terms and consents to any and all background checks and

reports on employee/applicant. Employer may include notice and consent on one form.

Certification to Reporting Agency: Before the employer obtains a consumer report, he or she shall also

send written notice to the consumer reporting agency certifying its compliance with FCRA in

connection with the background checks of applicants/employees.


Average cost of basic criminal check:

Jamaica: $75: 7-10 days

United States: $35: 1-3 days

Bulgaria: $185: 7-10 days

Canada: $59: 3-5 days

Mexico: $78: 10-15 days

India: $95: 7-15 days

UK: $75: 3-5 days

Philippines: $125: 7-10 days

Colombia: $215: 15-25 days

Egypt: $185: 7-30 days

Overall opinion: The cost per hire is around $2,000 for companies this size. To pay for the extra service,

it makes sense to reduce turnover. Building that brand and trust of an organization is so vital and this

can be a positive first step. New hire orientations would just need to be adjusted to comply with the

new standard.


Contractual Requirements

United States:The “Standard” check includes the following:

Identity and Credit Services

SSN Trace

SMART CRIMS

Criminal: All Areas-SSN trace 7 years – AKA County Criminal Search

Federal Statewide: All Areas-SSN Trace 7 years

NCRD (National Criminal Records Database)

ProofPoint – We use the Al La Carte here and cover the following:

SSN Trace

County, state and federal background check

National Sex Offender Registry check

Education check

Employment reference check

Global watch alert check

Driving record check

International screening check

Credit check

Stub Hub Sales – Standard check plus the credit check (This line of business is no longer active.)

ADP – Standard check, ADP also conducts an internal, mandated check

Canada:

Not Available.


Latin America:

Not Available.

Philippines:

Not Available.


PCI / HIPAA Compliance

Common HIPAA Practices: These can be translated over to geo specific Health Information rules.

Practices must provide an up-to-date training program on the handling of Protected Health

Information (PHI) for employees performing health plan administrative functions.

Make sure not to share sensitive PHI with others who shouldn’t have access, including co-

workers or personal acquaintances.

Avoid accessing a patient’s record unless needed for work or with written permission from the

patient.

Minimize occurrences of others overhearing patient information. Do not use a patient’s whole

name within hearing distance of others.

Secure all paperwork containing PHI by placing in a drawer or folder when not in use. Cover

charts so patient names are not visible. Never leave records and other PHI unattended.

Close computer programs containing patient information when not in use. Practice

management systems with automatic time out settings can be valuable in this regard.

Limit e-mail transmissions of PHI to only those circumstances when the information cannot be

sent another way.

Always use a cover sheet when faxing PHI.

Back up all disks that contain PHI. Storing your patients’ information in a HIPAA compliant cloud

server is safer than using a localized server or paper documents, according to recent findings from the

US Department of Health and Human Services.

Assign different levels of security clearance to specific people. Role-based security prevents

employees from accidentally changing or seeing information that does not pertain to their specific

duties.

Never share passwords between staff members. The HIPAA champion should assign passwords

to all employees who are allowed access to PHI. Single sign-on PM systems use voice recognition or

fingerprint detection along with user specific passwords to secure logins.

Properly dispose of information containing PHI by shredding paper files.


Make sure computers have updated anti-virus scanning software installed. This guarantees your

practice is reasonably guarded against malicious software.

It’s also important to make sure any vendors or other businesses associated with your practice

are properly following HIPAA standards as well

Most common Protected Health Information violations

Unauthorized access by a member of the care team or administration

To avoid, take these steps:

Lock down your security to all medical records

Set up a password-protected central system for accessing the information

Set up administrative safeguards to protect access and prevent non-authorized personnel from

viewing or receiving PHI

Lack of patient access to their PHI

Improperly using the Internet

Make your staff aware that posting of any protected patient information on a social-media site

—however innocuously—is a violation of their privacy, prohibited and subject to review by you

Failure to secure and/or shred paper documents

Being overheard discussing PHI

Failing to provide the patient with a notice of privacy practices.

Summary:

It is tough to pinpoint what Protected Health Information practices take place in each country. In some

countries such as Canada, laws and policies are different per area and not consistent throughout the

country. Listed above are practices and steps needed to enforce PHI.


GOAL: To perform the proper background checks for all potential personnel that will be hired for

positions who will have access to cardholder data or the cardholder data environment. This should be

done globally to ensure globally to protect Sutherland Global Services from individuals with

questionable or criminal backgrounds.

Payment card industry (PCI) compliance is adherence to a set of specific security standards that were

developed to protect card information during and after a financial transaction. PCI compliance is

required by all card brands.

There are six main requirements for PCI compliance. The vendor must:

1. Build and maintain a secure network

- Install and maintain a firewall configuration to protect cardholder data.

- Not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect cardholder data

- Protect stored cardholder data.

- Encrypt transmission of cardholder data across open, public networks.

3. Maintain a vulnerability management program

- Use and regularly update anti-virus software.

- Develop and maintain secure systems and applications.

4. Implement strong access control measures


- Restrict access to cardholder data by business need-to-know.

- Assign a unique ID to each person with computer access.

- Restrict physical access to cardholder data.

5. Regularly monitor and test networks

- Track and monitor all access to network resources and cardholder data.

- Regularly test security systems and processes.

6. Maintain an information security policy

- Maintain a policy that addresses information security.

Why should you, as a merchant, comply with the PCI Security Standards? At first glance, especially if

you are a smaller organization, it may seem like a lot of effort, and confusing to boot. But not only is

compliance becoming increasingly important, it may not be the headache you expected.

Compliance with data security standards can bring major benefits to businesses of all sizes, while

failure to comply can have serious and long-term negative consequences. Here are some reasons why.

Compliance with the PCI DSS means that your systems are secure, and customers can trust you

with their sensitive payment card information:

Trust means your customers have confidence in doing business with you

Confident customers are more likely to be repeat customers, and to recommend you to

others

Compliance improves your reputation with acquirers and payment brands -- the partners you

need in order to do business

Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and

theft of payment card data, not just today, but in the future:

As data compromise becomes ever more sophisticated, it becomes ever more difficult

for an individual merchant to stay ahead of the threats

The PCI Security Standards Council is constantly working to monitor threats and improve

the industry’s means of dealing with them, through enhancements to PCI Security Standards and by

the training of security professionals


When you stay compliant, you are part of the solution – a united, global response to

fighting payment card data compromise

Compliance has indirect benefits as well:

Through your efforts to comply with PCI Security Standards, you’ll likely be better

prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.

You’ll have a basis for a corporate security strategy

You will likely identify ways to improve the efficiency of your IT infrastructure

But if you are not compliant, it could be disastrous:

Compromised data negatively affects consumers, merchants, and financial institutions

Just one incident can severely damage your reputation and your ability to conduct

business effectively, far into the future

Account data breaches can lead to catastrophic loss of sales, relationships and standing

in your community, and depressed share price if yours is a public company

Possible negative consequences also include:

Lawsuits

Insurance claims

Cancelled accounts

Payment card issuer fines

Government fines

You’ve worked hard to build your business – make sure you secure your success by securing your

customers’ payment card data. Your customers depend on you to keep their information safe – repay

their trust with compliance to the PCI Security Standards.


Appendix

Geo Consideration

United States:What Can Be Included in a Background Check:

Driving records

Vehicle registration

Credit records

Criminal records

Social Security no.

Education records

Court records

Workers' compensation

Bankruptcy

Character references

Neighbor interviews

Medical records

Property ownership

Military records

State licensing records

Drug test records

Past employers

Personal references

Incarceration records

Sex offender lists

What Cannot Be Included in a Background Check:

The federal Fair Credit Reporting Act (FCRA) sets national standards for employment screening.

However, the law only applies to background checks performed by an outside company, called a


"consumer reporting agency" under the FCRA. The law does not apply in situations where the

employer conducts background checks in-house.

Your state may have stronger laws, such as California's Investigative Consumer Reporting Agencies Act

(Civil Code §1786) and the California Consumer Credit Reporting Agency Act (Civil Code §1785). In

addition, many state labor codes and state fair employment guidelines limit the content of an

employment background check. (For more on the FCRA, see Part 5.)

Under the FCRA, a background check report is called a "consumer report." This is the same "official"

name given to your credit report, and the same limits on disclosure apply. The FCRA says the

following cannot be reported:

Bankruptcies after 10 years.

Civil suits, civil judgments, and records of arrest, from date of entry, after seven years.

Paid tax liens after seven years.

Accounts placed for collection after seven years.

Any other negative information (except criminal convictions) after seven years.

However, the above reporting restrictions do not apply to jobs with an annual salary of $75,000 or

more a year. (FCRA §605(b) (3).

The most recent change to the FCRA made criminal convictions reportable indefinitely. California still

follows the seven-year rule (CA Civil Code 1786.18) as do some other states. To find the limit for

reporting criminal convictions in your state, contact your state employment agency or office of

consumer affairs. Other laws that should be considered:

Arrest information. Although arrest record information is public record, in California and other states

employers cannot seek from any source the arrest record of a potential employee. However, if the

arrest resulted in a conviction, or if the applicant is out of jail but pending trial, that information can be

used. (California Labor Code §432.7).

In California, an exception exists for the health care industry where any employer who has an interest

in hiring a person with access to patients can ask about sex related arrests. And, when an employee

may have access to medications, an employer can ask about drug related arrests.


Criminal history. In California, criminal histories or "rap sheets" compiled by law enforcement agencies

are not public record. Only certain employers such as public utilities, law enforcement, security guard

firms, and child care facilities have access to this information. (California Penal Code §§11105, 13300)

With the advent of computerized court records and arrest information, however, there are private

companies that compile virtual "rap sheets."

Employers need to use caution in checking criminal records. Information offered to the public by web-

based information brokers is not always accurate or up to date. This violates both federal and

California law when reported as such. Also, in California, an employer may not inquire about a

marijuana conviction that is more than two years old.

Workers' compensation. In most states including California, when an employee's claim goes through

the state system or the Workers' Compensation Appeals Board (WCAB), the case becomes public

record. An employer may only use this information if an injury might interfere with one's ability to

perform required duties. Under the federal Americans with Disabilities Act, employers cannot use

medical information or the fact an applicant filed a workers' compensation claim to discriminate

against applicants. (42 USC §12101).

In California, employers may access workers' compensation records after making an offer of

employment. To gain access, employers must register with the WCAB and confirm that the records are

being accessed for legitimate purposes. Although the agency may not reveal medical information and

the employer may not rescind an offer due to a workers' compensation claim (California Labor Code

132a), employers sometimes discover that applicants have not revealed previous employers where

they had filed claims. In such situations, employers often terminate the new hire because it appears

they falsified the application.

Bankruptcies. Bankruptcies are public record. However, employers cannot discriminate against

applicants because they have filed for bankruptcy. (11 USC §525)

Although these laws should prevent an employer from considering certain information, there is no

realistic way for the applicant to determine whether such information will be revealed in a background


check. This is particularly true for investigations conducted online where the information obtained

from online information brokers might not be verified for accuracy or completeness.

For example, if you were arrested but never convicted, a data search could reveal the arrest, but the

investigator who compiled the information might not delve further into the public records to

determine that you were acquitted or the charges were dropped. Reputable employment screening

companies always verify negative information obtained from data base searches against the actual

public records filed at the courthouse.

Can an employment application ask about things that should not be reported?

The FCRA does not prohibit an employer from asking questions in an employment application. See FTC

letters to Nadell and Sum:

www.ftc.gov/os/statutes/fcra/nadell.htm

www.ftc.gov/os/statutes/fcra/sum.htm

For example, an employment application might ask if you have "ever" been arrested. The FCRA says a

consumer reporting agency cannot report an arrest that from date of entry was more than seven years

ago. It does not say the employer cannot ask the question.

How to handle such questions on an employment application is of real concern to many people,

especially those concerned with a youthful mistake from the distant past.

To learn about employment laws in your state, search the Internet for “employment inquiries”

followed by the name of your state. State and local equal employment opportunity agencies, along

with federal EEO field offices, may also be located through the US Equal Opportunity Commission

website, http ://www.eeoc.gov/field/index.cfm . State employment laws may limit the questions that an

employer includes on a job application. So- called "Ban the Box" laws in a few states and municipalities

may prohibit employers from inquiring into criminal history in a job application. These laws can be

complex and varied. For examples, see http://www.littler.com/workplace-privacy-counsel/san-

franciscos-board-supervisors-bans-box-and-further-complicates-criminal.

The California Labor Code says an employer cannot ask about:

Any arrest or detention that did not result in a conviction.

Any arrest for which pretrial diversion has been completed.


As of January 1, 2014, employers are prohibited from asking job applicants about criminal

records that have been expunged, sealed or dismissed.

As of July 1, 2014, public sector employers (California state and local agencies, cities and

counties) are prohibited from asking about criminal records on employment applications. Public sector

employers must review an applicant's qualifications before inquiring about their conviction history.

Provisions of the Labor Code are reinforced in regulations of the California Department of Fair Housing

and Employment. (See: 2 Cal. Codes Regs Sec. 7287.4(d) (1) (Register 95, No. 29: 7-21-95) A

Department publication lists questions that are inappropriate for a California job applicant.

Aren't some of my personal records confidential?

The following types of information may be useful for an employer to make a hiring decision. However,

under the federal Fair Credit Reporting Act, the employer is required to get your permission before

obtaining the records. (See PRC Fact Sheet 11, "From Cradle to Grave: Government Records and Your

Privacy,"www.privacyrights.org/fs/fs11-pub.htm)

Education records. Under both federal and California law, transcripts, recommendations, discipline

records, and financial information are confidential. A school should not release student records

without the authorization of the adult-age student or parent. However, a school may release "directory

information," which can include name, address, dates of attendance, degrees earned, and activities,

unless the student has given written notice otherwise.

Military service records. Under the federal Privacy Act, service records are confidential and can only be

released under limited circumstances. Inquiries not authorized by the subject of the records must be

made under the Freedom of Information Act. Even without the applicant's consent, the military may

release name, rank, salary, duty assignments, awards, and duty status. (5 USC §§552, 552a) For more

on military records, visit the National Archives and Records Administration web site:

www.archives.gov/facilities/mo/st_louis/military_personnel_records.html


Medical records. In California and many states, medical records are confidential. There are only a few

instances when a medical record can be released without your knowledge or authorization. The FCRA

also requires your specific permission for the release of medical records. If employers require physical

examinations after they make a job offer, they will have access to the results. The Americans with

Disabilities Act allows a potential employer to inquire only about your ability to perform specific job

functions. (42 USC §12101)

There are other questions such as age, marital status, and certain psychological tests that employers

cannot use when interviewing. These issues are beyond the scope of this fact sheet. If you have further

questions, contact the resources at the end of this fact sheet. The federal Equal Employment

Opportunity Commission and the fair employment agencies in the states handle these issues.

What can my former employer say about me?

Often a potential employer will contact an applicant's past employers. A former boss can say anything

truthful about your performance. However, most employers have a policy to only confirm dates of

employment, final salary, and other limited information. California law prohibits employers from

intentionally interfering with former employees' attempts to find jobs by giving out false or misleading

references. (California Labor Code §1050)

Under California law and the laws of many other states, employees have a right to review their own

personnel files and make copies of documents they have signed. If you are a state or federal employee,

your personnel file is protected under the California Information Practices Act or the federal Privacy

Act of 1974 and can only be disclosed under limited circumstances (California Civil Code §56.20;

California Labor Code §§432, 1198.5; 5 USC §552a).

Jobs such as truck driver positions fall under regulations of the federal Department of Transportation.

Employers are required to accurately respond to an inquiry from a prospective employer about

whether you took a drug test, refused a drug test, or tested positive in a drug test with the former or

current employer (49 CFR §40.25, 49 CFR §382.413).


Canada:What Can Be Included in a Background Check:

Indication of criminal record searches

Individual credit reports

Education and employment verifications

Professional licenses and certification verifications

Reference interviews

Driver record abstracts (except Alberta)

Civil and bankruptcy record searches

Lien and property searches

Internet and media presence searches

Corporate registration searches

International terrorism, financial, and political sanctions searches

Ontario Bill 168:

Bill 168, which amends Ontario's Occupational Health and Safety Act (OHSA) and went into force in

June 2010, requires Ontario employers with more than five employees to take specific steps to address

the issues of workplace violence and workplace harassment.

OSFI Guideline E-17

The Canadian Office of the Superintendent of Financial Institutions (OSFI) issued Guideline E-17 in

2009, mandating that all Responsible Persons of Federally Regulated Entities (FREs), most notably

members of boards of directors and senior management, be subject to a thorough background check

upon initial appointment to their position. These individuals must likewise undergo routine, ongoing

assessments during the tenure of their positions. Such assessments are used to gauge the continued

suitability and integrity of these Responsible Persons. OSFI expects every FRE to have a written policy

regarding the performance of assessments of their Responsible Persons.

Guideline E-17 applies to all FREs, including:

Banks and bank holding companies


Insurance companies and insurance holding companies

Trust and loan companies

Co-operative credit associations

Retail associations

More detailed definitions may be found in the full text of OSFI Guideline E-17.

Mexico:The Mexican Federal Law was published on July 5, 2010 for the Protection of Personal Data in Control

of Private Persons, by the Mexican Ministry of the Interior. The Data Protection Law came into effect

on July 6, 2010. The Regulation of the Data Protection Law was published in the Official Gazette by the

Ministry on December 21, 2011.

The Data Protection Law requires a lawful basis (consent from the individual or legal obligation) in

order to collect, process, use or disclose personal data on an individual. Companies must also provide

notice to individuals when they intend to handle their personal information. The notice should state

what personal information is being collected and how it will be used. Individuals have rights to access

the information collected on them as well as rights to correct and object.

The Data Protection Law states that individuals or corporations handling personal data must ensure

that they have appropriate security measures in place to keep the personal data secure and protected

from loss. If there is a security breach with regard to an individual's personal data, the individual must

be notified of the breach immediately. They must be informed of the type of breach, what personal

data was involved in the breach, what steps they can take to protect themselves and any corrective

actions the company has taken regarding the security breach.

When personal data is communicated inside or outside of Mexico to someone other than the data

subject or data handler a data transfer occurs. When a data transfer occurs the recipient of the

personal data has an obligation to handle the data as agreed in the privacy notice and assumes the

responsibilities of safeguarding the personal data as stated in the Data Protection Law.

Bulgaria:The “Bulgarian Data Protection Authority (DPA)” is the authority/commission that oversees and

enforces data protection in Bulgaria. Bulgaria follows the data protection Directive 95/46/EC that was


put in place by the European Union. Bulgaria has implemented the provisions of the data protection

directive through their Personal Data Protection Act of January 2002 and their amendments. These

laws protect the way that personal data is collected and handled. It states that individuals should

provide consent prior to the collection of data, unless the law suggests otherwise.

Data can only be collected if it is done so for relevant reasons and not in excess;

Data that is collected may only be used for the purpose for which is was collected;

Data must be up to date and accurate;

If the data is found to be inaccurate, it needs to be discarded and replaced with accurate data;

Once you are finished with the information collected, and it has fulfilled its purpose, the data

must be destroyed;

Data that is collected must be stored in a safe location with very limited and relevant access.

Data Protection restrictions are in place for countries within the European Union (EU). They do not

allow for the transfer of data to countries outside of the European Union. Due to this restriction, the

Safe Harbor was created. When a company becomes Safe Harbor certified, they agree and certify that

they will meet the privacy and data protection requirements set forth by the Safe Harbor Directive.

Info Cubic is Safe Harbor certified, which allows us to obtain information from the EU.

United Kingdom:The UK is one of the twenty-seven member countries in the European Union (EU). The EU setup a Data

Directive that seeks to provide framework regarding how and when information can be collected on

individuals. The Directive outlines seven quality principles and some additional criteria that must be

met to legally obtain information on individuals in the UK. The seven quality principles include:

Fairness – Data must be obtained fairly and lawfully.

Specific purpose – Data must be processed, collected and stored for a specific, explicit and

legitimate purpose.

Restricted – Data that is collected on the individual must be adequate and relevant to the

purpose.


Accurate – Data that is being collected should be accurate and up-to-date. Any errors to the

information must be corrected.

Destroyed when obsolete – Once you are finished with the data that was collect is should be

destroyed.

Security – Data that is collected must be kept securely.

Automated Processing – You cannot make a decision solely on reviewing the information

using an automated process.

Example: scanning a resume for keywords.

In order to legally obtain information on an individual the above principles must be met. In addition,

you need have the individuals consent prior to obtaining information on them. The individual then has

the right to see what information was collected on them and for what specific purpose.

When conducting background checks on individuals according to the quality principles, keep in mind

that credit checks are usually not considered relevant to an employment decision. Other information

on an individual such as sexual orientation and other facts that make up a person's general reputation

are also not considered relevant.

Data Protection restrictions are in place for countries within the European Union (EU) that do not allow

for the transfer of data to countries outside of the European Union. Due to this restriction the Safe

Harbor was created. When a company becomes Safe Harbor certified they agree and certify that they

will meet the privacy and data protection requirements set forth by the Safe Harbor Directive. Info

Cubic is Safe Harbor certified, which allows us to obtain information from the EU.

India:There is currently no comprehensive privacy law in India. Background checks are permitted however

the consent form is often required based on the culture in India.


The Right to Information Act 2005 relates to all States and Union Territories in India except for the

State of Jammu and Kashmir. Jammu and Kashmir have their own act called Jammu and Kashmir Right

to Information Act, 2009. The Right to Information Act 2005 states that citizens are allowed to request

information from a public authority and they must reply within thirty days.

In India Education and Employment checks are a very common practice, and normally the

responsibility the candidate will potentially hold will determine the depth of the background check

India has a large pool of educated and talented candidates, there is also high incidences of

resume fraud

Verifying past employment history requires employee ID number or an equivalent unique

identifier as there is a non-standardization of name writing/common names

Requirements for types of background checks in India

Education – copy of degree and transcript, and authorization

Employment – Copy of work experience/relieving letter, employee id number, and authorization

Criminal Record – Local address to search, and authorization

India - Background Check by Program

Location Program Drug Test Education Employment Address Criminal

Malad AT&T UCSDC Yes Yes Yes Yes NoAiroli AT&T Click2chat Yes Yes Yes Yes NoAiroli AT&T U-Verse Airoli Yes Yes Yes Yes NoThane CITI_Fulfillment Yes Yes Yes Yes Yes Thane SCB_LOAN No Yes Yes No NoMalad Dell Portable Mumbai No Yes Yes Yes NoMalad Dell DOC - PPM No Yes Yes Yes NoMalad Dell India Technical Support No Yes Yes Yes NoMalad Dell SMB Voice India No Yes Yes Yes NoMalad Symantec EH No Yes Yes Yes NoMalad Symantec India 4 IndiaHindiSup No Yes Yes Yes NoMalad Shutterfly No Yes Yes Yes NoMalad Clear Trip CS No Yes Yes Yes NoMalad DELL PLE No Yes Yes Yes NoMalad Schlumberger_NA No Yes Yes Yes NoMalad AT&T ConnecTech Mumbai No Yes Yes Yes No


Airoli Schlumberger_JMS No Yes Yes Yes NoAiroli Symantec EH Chat No Yes Yes Yes NoThane Bank_Axis_CASA No Yes Yes Yes NoThane Yes_Bank_CASA No Yes Yes Yes NoThane Fullerton_TP No Yes Yes Yes NoThane Bankops Common No Yes Yes Yes NoThane Bharti Axa - Fixed No Yes Yes Yes NoThane DHL No Yes Yes Yes NoThane iCollect Cards - Chennai No Yes Yes Yes NoThane iCollect Cards - Mumbai No Yes Yes Yes NoThane iCollect TOP 92 No Yes Yes Yes NoThane iCollect Variable - Chennai No Yes Yes Yes NoThane iCollect EMCT No Yes Yes Yes NoThane iCollect Top 92 - Variable No Yes Yes Yes NoThane Lodha No Yes Yes Yes NoThane Reliance No Yes Yes Yes NoThane ICICI Cards Mum 180+ variable No Yes Yes Yes NoThane BAFL_TW No Yes Yes Yes NoThane SBI Life_Coll No Yes Yes Yes NoThane FutureCap_TP No Yes Yes Yes NoThane IPru_Mum No Yes Yes Yes NoThane SBI_LifeColl_Chn No Yes Yes Yes NoThane Federalbank_loan_coll No Yes Yes Yes NoThane DVO Common No Yes Yes Yes NoThane End-to-End Origination No Yes Yes Yes NoThane Kuoni Business Travel No Yes Yes Yes NoThane Cleartrip_Airoli No Yes Yes Yes NoThane Air India BIDT No Yes Yes Yes NoThane Air India Audit No Yes Yes Yes NoThane Etihad Audit No Yes Yes Yes NoThane Gulf Air FDS No Yes Yes Yes NoThane Malaysian FDS No Yes Yes Yes NoThane Oman FDS No Yes Yes Yes NoThane Oman Pax Audit No Yes Yes Yes NoThane Oman PRA No Yes Yes Yes NoThane Qatar CRA No Yes Yes Yes NoThane Qatar FDS No Yes Yes Yes NoThane Qatar Pax Audit No Yes Yes Yes NoThane Qatar PRA No Yes Yes Yes NoThane Qatar Revenue Integrity No Yes Yes Yes NoThane SAS FDS No Yes Yes Yes NoThane FD_Srilanka No Yes Yes Yes NoThane DNATA_Westjet_Audit No Yes Yes Yes No


Thane Travel_NACIL_FDS No Yes Yes Yes NoThane Jet Airways No Yes Yes Yes NoThane Travel_WY_BIDT No Yes Yes Yes NoThane Travel_MH_Audit No Yes Yes Yes NoThane Travel_Misc_Project No Yes Yes Yes NoThane Travel_JAL_Audit No Yes Yes Yes NoThane Rak Airways_PRA No Yes Yes Yes NoThane Travel_ZI_Audit No Yes Yes Yes NoThane Travel_EY_FDS No Yes Yes Yes NoThane Air India CS No Yes Yes Yes NoThane Travel Common No Yes Yes Yes NoThane F&A Outsourcing No Yes Yes Yes No

Chennai AT&T Click2chat Yes Yes Yes Yes Yes Chennai Intuit No Yes Yes Yes Yes Chennai Intuit - FSG No Yes Yes Yes Yes Chennai Intuit Common No Yes Yes Yes Yes Chennai CITI_Fulfillment No Yes Yes Yes Yes Chennai CITI Underwriting No Yes Yes Yes Yes Chennai PHH Loan Star 3C No Yes Yes Yes Yes Chennai PHH Title Review No Yes Yes Yes Yes Chennai PHH HOI No Yes Yes Yes Yes Chennai Argo UK – F&A Yes Yes Yes Yes Yes Chennai Argo US – F&A Yes Yes Yes Yes Yes Chennai Argo US - Insurance Yes Yes Yes Yes Yes Chennai ARGO Cat Modeling Yes Yes Yes Yes Yes Chennai Argo Internal Audit Support Yes Yes Yes Yes Yes Chennai Harlandclark No Yes Yes Yes Yes Chennai Cisco Center of Excellence No Yes Yes Yes Yes Chennai Cisco India for India Support No Yes Yes Yes Yes

Chennai Cisco SBSC NA Chat Support-Ind No Yes Yes Yes Yes

Chennai Verizon Dataservices Yes Yes Yes Yes Yes Chennai Telephonica O2 No NA Yes NA YesMalad India AT&T U-Verse Yes Yes Yes Yes NAMalad Hughes No Yes Yes NA Yes Malad AT&T OMC Yes Yes Yes Yes NAAiroli AT&T Uverse Yes Yes Yes Yes NAAiroli AT&T Uverse Click to Chat Yes Yes Yes Yes NAAiroli India AT&T U-Verse Airoli Yes Yes Yes Yes NAAiroli AT&T Uverse ClicktoChat Airoli Yes Yes Yes Yes NAAiroli Schlumberger_JMS No Yes Yes Yes YesAiroli Symantec EH Chat No Yes Yes Yes Yes

Cochin Equifax Yes Yes Yes Yes Yes


Cochin PHH E2E IND No Yes Yes Yes Yes Cochin PHH HOI No Yes Yes Yes Yes Cochin PHH Loan Star 3C No Yes Yes Yes Yes Cochin PHH Title Review No Yes Yes Yes Yes Cochin PHH - Pricing e Mail Phase 4&5 No Yes Yes Yes Yes Cochin PHH – Common No Yes Yes Yes Yes Cochin Argo P&C Lloyd’s Ins Yes Yes Yes Yes Yes Cochin Argo US - Insurance Yes Yes Yes Yes Yes Cochin ARGO US - Claims Yes Yes Yes Yes Yes Cochin ARGO Cat Modeling Yes Yes Yes Yes Yes Cochin MCS BO&CS(IB/OB Voice) No Yes Yes Yes Yes Cochin Harland Clarke FAO Yes Yes Yes Yes Yes Cochin CITI Underwriting Yes Yes Yes Yes Yes Cochin CITI Pre-Purchase Audit Yes Yes Yes Yes Yes Thane CITI_Fulfillment Yes Yes Yes Yes Yes Thane Citi Re-engineering Yes Yes Yes Yes Yes

Philippines:Taguig:

Program Audit Name Vendor Vendor Requirement

PaypalGlobal Data Set Search First Advantage Complete name and birthday 2 Panel Drug Test Medicard Complete name and birthday

eBay UKGlobal Data Set Search First Advantage Complete name and birthday 2 Panel Drug Test Medicard Complete name and birthday

eBay NAGlobal Data Set Search First Advantage Complete name and birthday 2 Panel Drug Test Medicard Complete name and birthday

IntuitGlobal Data Set Search First Advantage Complete name and birthday 2 Panel Drug Test Medicard Complete name and birthday


Clark:

Program Audit Name Vendor Vendor RequirementCost (Php) TAT

Iron Mountain

OFAC including Office of Inspector General and General Services

Admin

CIBI Complete name and birthday 100 7 days

PH Criminal Check - Name Search CIBI Complete name and birthday 500 7 days

US Court -Criminal - Felony Misdemeanor

County Search

First Advantage

US SSS #; US Add w/postal code; Consent form 650.4 7 days

US Court -Criminal - National Criminal Database Search

First Advantage

US SSS #; US Add w/postal code; Consent form 271 7 days

5-Panel Drug Test MaxicareWe have to make the coordination

with Maxicare at least 2 weeks before the actual date of Drug Testing.

1,135 1-2 days

Fiserv

OFAC including Office of Inspector General and General Services

Admin

First Advantage Scanned LOA 100 7 days

10 Panel Drug Test MaxicareWe have to make the coordination

with Maxicare at least 2 weeks before the actual date of Drug Testing.

TBD 1-2 days

PHH - Title Review

Educational & Employment Check CIBI Scanned LOA , school doc and COE 1500 5-15

days

PHH MBS Underwriti

ng Educational &

Employment Check CIBI Scanned LOA , school doc and COE 1500 5-15 days

Microsoft Negative Records Check CIBI Complete Name 1751-2

days

The Data Privacy Act of 2012 went into effect on September 8, 2012. This new data privacy law is the

first of its kind for the Philippines and was enacted to protect personal data privacy. The National

Privacy Commission was created to implement the law, investigate complaints and monitor

compliance. The Data Privacy Act puts regulations on the processing of the personal information of

Philippine residents and those currently residing in the Philippines. The Act further requires that

personal information collected by organizations and individuals must be protected and fair practices

must be established with regard to the notification, consent, access and correction of personal data.


For further information on the Data Privacy Act of 2012 click on the link:

http://www.gov.ph/2012/08/15/republic-act-no-10173/

Colombia:

Campaign BGC requirements Medical test requirements Are we doing BGC and MT?

Nice No No Yes

McAfee No No Yes

Account Now No No Yes

SLB No No Yes

ATT Uverse Green No

Sections 10.3.2 and 10.3.3 discuss background check and Drug Screening as an

ATT no additional charges association for the Price Per Billable but there is not an

specific requirement about it.

Yes

ATT ConsumerSpanish No Yes

ATT UverseTech Support No Yes

Mobility - IRU No Yes

Lenovo YES All agents must have successfully passed Yes


drug screening and criminal and background check processes. Is such written request is

made, Service Provider will provide requested documentation within One Business Day from receipt by Service

Provider of such written Request.

It is required that the employees go through an MT prior to starting his/her contract with the company. To conduct a drug test and to not hire the employee because of this result is not legal.

In October 2012, Colombia enacted Law 1581 to regulate the protection of personal data and

safeguard the constitutional right of privacy in the midst of the challenges posed by globalization and

new technologies that enable the easy electronic transfer of personal data.

On June 27, 2013, Colombia’s executive branch issued a decree to implement various provisions of the

law. Decree 1377 went into effect immediately.

Important Provisions of the Privacy Law

The privacy law imposes various obligations on any “responsible party” that directly or indirectly

processes personal data about the data owner. Law 1581 defines the “responsible party” as the public

or private individual or entity that processes the personal data or decides how the data should be

processed or the database safeguarded. The data owner is the individual whose personal data is

processed. The processing of personal data encompasses the collection, processing, storage, use,

transfer or suppression of any information that can be associated with an identified or identifiable

individual.

Since employers, as part of their normal course of business, typically collect and process the personal

data of their prospective, current or former employees, employers should be especially mindful of the

following important provisions under the law:

Privacy notice. Either in writing, verbally or electronically, the responsible party must notify the data

owner about: the purpose driving the data collection or processing; the intended use of the personal

data; the data owner’s privacy rights; and how the data owner can access the responsible party’s

policies that regulate the processing of personal data. To avoid any contention that an employee

received, but did not understand, the notice, we recommend that the privacy notice be made in

Spanish and in simple, clear and understandable language.


Consent requirements (generally). The responsible party must obtain the data owner’s unequivocal

consent prior to processing the personal data. As such, for the consent to be valid, it must be

accompanied by a privacy notice that contains all of the information described above. The consent

must be expressly stated and can be provided in writing, verbally or through methods that would

advise the responsible party that the data owner has expressly consented to the processing of his or

her personal information. However, in no way can silence be deemed as consent. We recommend that,

where possible, the employer obtain a signed consent, to be able to establish the data owner’s express

consent.

The law requires the responsible party preserve proof of the data owner’s unequivocal consent.

Concerning this recordkeeping requirement, the privacy law is unclear as to the length of time that a

responsible party is required to preserve the proof of consent. Nonetheless, it would be prudent for

employers to implement procedures whereby data owners provide unequivocal consent, as well as to

retain proof of such consent for at least three years from the date the employment relationship ends,

so as to align it with the statute of limitations period for any employment-related claim.

Consent can be revoked at any time, except that such revocation will be deemed invalid if it is made to

avoid a legal or contractual obligation. At all times, the responsible party must provide a procedure for

the data owner to revoke the consent easily and at no charge. If the processing of the personal data

exceeds the purpose for which it was collected, the data owner shall have the right to petition the

Superintendency of Industry and Commerce (SIC), the regulatory agency in charge of enforcing this

law, to order the revocation or suppression of the personal data.

Consent for processing and protection of sensitive personal data. Except in limited circumstances,

processing of sensitive personal data is prohibited. Sensitive personal data refers to information

intimately tied to the data owner’s personal characteristics, such as race, ethnicity, medical condition,

sexuality, political association, religious or philosophical beliefs, and membership in a union or human

rights organization or biological data. Because such data can be improperly used to discriminate

against individuals, the privacy law provides that no action or activity can be made contingent upon the

data owner providing his or her sensitive personal data for processing. This means that an employer is

not allowed to require that a current or prospective employee provide his or her sensitive personal

data for hiring or continued employment, unless the employer is required by law to collect this


information, as it is in the case, for example, where a current or prospective employee is required to

undergo a medical exam for a legitimate business reason. Assuming the collection or processing of the

sensitive personal data is allowed, the responsible party nonetheless must ensure that the data is

adequately protected and kept confidential.

International and other types of transfer of personal data. Whenever the responsible party transfers

personal data to a third party, such as a data processor (for example, an employer that transfers

personal data to a vendor for purposes of conducting a background check), the responsible party must

enter into an agreement where the third party agrees to process the personal data only for the

purposes for which the personal data was collected. This means that, in no way can the personal data

be processed for any other purpose without the data owner’s express consent.

The law is stringent regarding international transfers of personal data, such as when a subsidiary

corporation located in Colombia transfers personal data to its parent corporation in the U.S. In such

cases, the transfer is prohibited, unless the personal data will be transferred to a country with equal or

higher standards for the adequate protection of personal data than those required by Law 1581. This

prohibition does not apply where the SIC has determined that the third country provides an adequate

level of protection or when the transfer has been made in accordance with an international treaty to

which Colombia is a signatory.

As of this writing, no guidance has been provided as to whether Colombia will recognize the U.S.-E.U.

Safe Harbor Framework as meeting the adequacy standard. This prohibition notwithstanding, the

privacy law provides various exceptions to the adequacy requirement. Two potentially relevant

exceptions for employers are:

When the data owner has provided his or her express and unequivocal consent to the transfer.

Where the transfer is necessary for the fulfillment of a legal or contractual obligation.

Internal policies available to data owner. The responsible party must establish and implement

policies and methods to adequately protect the privacy and confidentiality of the personal data. It is

recommended that employers adopt policies that provide guidance to human resources and IT

employees on the proper handling of personal data.

Enforcement and sanctions for noncompliance. Decree 1377 establishes that the SIC is authorized to

enforce Law 1581 and impose sanctions for noncompliance. Specifically, the SIC may impose a fine in


the amount of 2,000 times the general minimum salary in effect at the time of the fine. At the time of

this publication, the maximum fine would amount to $627,411 USD. Other sanctions that may be

imposed include suspension of operations for up to six months, a temporary (but indefinite) shut down

of operations if the company has not corrected its practices to fully comply with the law, or permanent

closure of operations if the company refuses to comply with its obligations under the law.

Jamaica:

Currently a Data Protection Act is being developed and no restrictions on what data can be obtained in

a background check exists.

United Arab Emirates:Federal laws

The United Arab Emirates (UAE) does not have any specific federal laws on data privacy, but various

pieces of legislation may have an impact on businesses that engage in data processing activities. These

include the following:

The UAE Constitution of 1971, which guarantees the right to secrecy of communications.

Federal Law No. 5 of 1985 regarding Civil Transactions, which provides that a person is liable for

acts causing harm generally. This could include harm caused by unauthorized use or publication of the

personal or private information of another.

Federal Law No. 9 of 1987, as amended (Penal Code), which is the primary source of criminal

law in the UAE. In articles 378 and 379, it sets out statutory offences and punishments for publication

of private matters or the unauthorized disclosure of private information (although private information

is not clearly defined).

There are also rules regarding the handling and storage of specific types of data, such as employee

information (which must be maintained under the UAE Federal Labour Law) and personal credit

information.

Consequently, businesses must be aware of the combination of potentially applicable laws (including

regulations specific to their sector) in order to ensure that data is being processed in a lawful manner.

Where a UAE entity imports personal data from another country, it may also be subject to the rules of

another jurisdiction governing the export of that data from the originating country. This is a particularly


important consideration for intra-group transfers where, for example, under European legislation the

exporting group entity would retain primary liability as a data controller.

Free zones

The economic free zone areas of Dubai International Financial Centre (DIFC) and Dubai Healthcare City

(DHCC) have their own comprehensive legislative regimes, which apply to companies established in

those zones:

The processing of personal data by DIFC entities is regulated by DIFC Data Protection Law No.1

of 2007, which aligns closely with the European Data Protection Directive.

DHCC Regulation No. 7 of 2008 is the Health Data Protection Regulation for entities operating in

DHCC. This is intended to establish certain principles for collecting, using, disclosing and giving access

to patient health information. This includes any information about a patient – whether spoken, written

or in the form of an electronic record – that identifies the patient and relates to his physical or mental

health or condition.

There are also restrictions on transferring personal data or patient health information to recipients

located in jurisdictions outside the DIFC or DHCC, respectively. Broadly, these require that – unless the

individual to whom the data relates has given his consent – such transfers may take place only if there

is an adequate level of protection for the data or information, or if a permit has been obtained from

the relevant regulator.


RisksPros for doing a background check:

Better safeguarding organizational assets – the people you hire potentially have access to property of

great value, from physical assets to valuable information. Background screening can help minimize the

possibility of theft or corporate espionage.

Helping promote safety – background screening helps minimize the possibility of violence at your

workplace or campus by checking for past criminal behavior and better clarifying the history and

character of prospective employees, vendor personnel, and/or academic program applicants.

Hiring the best employees or selecting the ideal applicants – background screening helps establish

that candidates are qualified for the positions for which they’ve applied. It can also weed out any

candidates that were dishonest in their resumes or CVs, helping you bring in trustworthy

individuals.

Maintaining your good reputation – with the latest news now available at the touch of a button,

organizations today need to take every step to ensure that a hiring mistake doesn’t turn into a

public relations disaster. Just one employee who wasn’t qualified or had a criminal history can

tarnish a carefully built reputation. Background screening helps protect your organization’s good

name.

Building trust within your organization – performing background checks means that you are

committed to integrity and safety, important values that help underscore your current employees’

faith in your organization.

Note: Ties into our values of ECLIPS.

Protecting you from negligent hiring/retention litigation – in some countries, employers are at risk if

they knew, or should have known, that an employee presented a foreseeable risk of harm. For

example, if one of your employees attacked a co-worker, your organization could potentially be held

liable if that employee had a known history of such behavior. Performing pre-employment

background checks can be of major importance in demonstrating proper due diligence and further

safeguarding your organization.


Cons for doing a background check:

Expensive

Background checks can be costly, and the more detailed the background check, the more it costs the

company. Prices can range from $10 for a basic background check to $300 for a comprehensive check

for an executive candidate. Most quality background checks include criminal record investigations and

are $25 to $30. Depending on the number of candidates you screen, costs can accumulate quickly.

Note: The prices for an average background check in each geo is listed below.

Mistakes

It is possible for the company conducting the research to make a mistake in verification of bureau

records, and it is also possible for bureau data to be incorrect. Names can be misspelled, birthdates can

be miss-typed, and similar names and/or the distinction between senior/junior within families can

inadvertently flipped. Mistakes of this nature can cause serious problems for the employer and the

employee, and these problems can be difficult to reverse.

Note: This should not be a deterrent. Just something to point out.

Offensive

Some people find the use of background checks a violation of their personal liberties, and companies

run the risk of offending highly qualified candidates by undertaking them. They may also offend

candidates of they fail to face to undertake background checks in a uniform manner; offenses of this

kind can lead to lawsuits, including discrimination charges.

Note: Most major companies in the United States and other countries have some form of this. It is

not an uncommon practice.

Unfair Bias

Background checks can disqualify criminal offenders whose transgressions occurred many years

previously--perhaps in their youth--but who have since developed to be responsible, experienced and

highly qualified candidates for the position being offered. The revelations of a background check can

elicit biased judgment of a candidate based on the stigma of the activities documented in their report,


rather than considerations of the relevance of their transgressions to the position. If you are going to

conduct comprehensive background checks, it is a good idea to come up with specific grounds for

disqualification before you review the report.

Note: This has to be consistent across all Geos for it to work.

Timing Issues

Background checks can take anywhere from 24 hours to a week or more depending on the details

being sought, and this can delay the hiring process, which may affect production. Many companies will

only screen a short list of candidates, or their final choice, so if the background check does not elicit

positive results, the whole hiring process will have to start again.

Note: An average return for each Geo is listed below.


Sourceshttp://www.infocubic.net

www.ftc.gov/os/statutes/fcra/nadell.htm

www.ftc.gov/os/statutes/fcra/sum.htm

http ://www.eeoc.gov/field/index.cfm

www.dfeh.ca.gov/res/docs/publications/dfeh-161.pdf

www.privacyrights.org/fs/fs11-pub.htm

www.ed.gov/offices/OM/fpco/ferpa/index.html

www.archives.gov/facilities/mo/st_louis/military_personnel_records.html

https://www.privacyrights.org/employment-background-checks-jobseekers-guide#2

http://www.hireright.com/canada.aspx?apsi=3

http://www.infocubic.net/international/india.asp

http://www.justifacts.com/services/background-checks-in-india/

http://www.nortonrosefulbright.com/knowledge/publications/54334/key-data-privacy-and-intellectual-property-issues-in-the-uae

http://www.poweryourpractice.com/practice-management/14-best-practices-hipaa- compliant-staff/

http://searchcompliance.techtarget.com/definition/PCI-compliance

https://www.pcisecuritystandards.org/security_standards/why_comply.php

http://smallbusiness.chron.com/disadvantages-background-check-2561.html http:// theundercoverrecruiter.com/background-check-info/


http://smallbusiness.chron.com/disadvantages-background-check-2561.html

http://www.archives.gov/facilities/mo/st_louis/military_personnel_records.html

http://www.ed.gov/offices/OM/fpco/ferpa/index.html

Documents

Introduction - Careers @ Sutherland Global – Just …sutherland-careers.com/.../1394562319-Background_C… · Web viewProperty ownership Military records State licensing records