By Andrew McLeod, CEO, Certn
In comparison to the pre-digital world, the way we think about and use identity has changed tremendously. We’re asked to provide our identity in some way to numerous entities almost every day – and likely many times a day – whether it’s to check our healthcare data, agree to a background check or conduct online banking, for example.
In many instances, it’s rather simple to falsify or steal these identifications, adding still another layer of difficulty. How does an organisation verify that someone is who they say they are? What’s more, how can that company verify identity without requiring the person to go through several steps? What kinds of data are these businesses looking at, and how are they using it?
There aren’t many good solutions to these problems right now, but there ought to be. Individuals must have more control over their personal data, and the process of exchanging this data must be made simpler and safer.
Trends in background checks
Most organisations screen full-time employees; that’s nothing new. What is new is an increase in companies screening part-time and temporary workers, and even volunteers. This may speak to the increase in the “gig economy” or to more part-time than full-time hiring, but for whatever reason, more background checks are happening than ever before.
International background checks are a growing necessity, as well. Now that the remote work model has proven its merit, organisations are able to extend their talent search around the world. Live video interviews are a starting point to assure employers of a candidate’s qualifications, but the ability to check education and credentials in another country provides the additional confidence needed to make good hiring decisions.
Trust goes both ways
How can an employer know if someone is who they claim they are when they apply for a job? In many instances, they will do a background investigation. In a study sponsored by the Professional Background Screening Association (PBSA), 94% of respondents said their organisation conducts one or more types of employment background screening, and 73% said they have a documented policy for background screening procedures.
This indicates that companies mean business when they’re considering candidates. Whether they’re required to by law, want to improve the quality of their hires, protect their current employees and customers or all of the above, effective background checks act as a hiring firewall. These checks can also help to protect an organisation’s reputation by alerting the hiring team about candidates’ undesirable past actions that could reflect poorly on the company if the candidate repeated those actions.
The potential employee, aware of the hiring status quo, basically grants prospective employers permission to view their personal information – usually with few restrictions. The ability to access all this data on a potential employee can be beneficial to an employer, but how can they assure the candidate that they’re being good stewards of that data? Efforts to protect prospective employees are in process, but more needs to be done.
In the EU, the General Data Protection Regulation (GDPR) applies to any business or organisation collecting personal data from EU citizens. It forces businesses to clearly state why they need to acquire and process personal data, and those needs must be evaluated in consideration of the rights and freedoms of the persons whose data they seek. That certainly extends to employers conducting background checks on prospective employees, especially when it comes to things like credit checks. GDPR ushered in strict standards, which is a positive, but compliance continues to falter almost four years after it went into effect.
Individuals need assurance that when they submit to a background check, the potential employer is conducting it with data privacy in mind. But how can they be certain of this? The hiring process is very much a two-way street of trust. Employers must be assured that a job candidate is who they say they are, but candidates also must be able to trust their data will be kept private.
Individuals should have more control over their own data in this era of pervasive data theft and misuse. For example, what if an individual was given an ID token that allowed them to govern the information shared with a potential employer? This token would simply allow the employer to access the data that the individual thinks is proper for them to see, which the employer could then use to make a hiring decision. In the event of an incident such as information misuse, the individual would also retain the right and power to revoke access to the information.
This technique may seem like something out of a sci-fi movie, yet it is not unattainable. Estonia is demonstrating this point with the world’s most advanced national ID card system. Every citizen has a government-issued digital identity that they can use to identify themselves and access e-services in a secure manner.
Limit data use and storage
While a global identity token may be years away, as an employer you can strike a balance between protecting data privacy and identity and conducting complete background checks. It begins with gathering only what you require. Limit the scope of your checks to the facts you actually need to assess the individual. This involves verifying employment eligibility and ensuring they haven’t fudged their CV about their school or work experience.
Another recommended practice is to only retain this data for as long as you require it; you will not need it in perpetuity. Personal data that is no longer needed to achieve the stated goals should be discarded, erased or anonymized. Under GDPR, individuals have the “right to be forgotten” – in other words, the right to have personal data erased. Ensure that personal information is properly disposed of or destroyed to prevent unauthorised parties from obtaining access to it.
Integrity with information
Identity has become increasingly important in today’s digital environment. Many elements of life, including background checks for job prospects, rely on our digital presence. However, having legal access to a person’s personal information does not imply that you are allowed to treat it carelessly. Organisations need to be respectful of people’s data sovereignty by treating their personal data with the care that the law and a clear conscience demand.