
A Guide to Employee Data Privacy for CRAs


Key Takeaways


  • There is no federal law that explicitly addresses employee data privacy. There are federal laws that touch on the issue, and there are some state data privacy laws.
  • Employers and CRAs can be subject to sanctions for violating provisions of federal laws that indirectly address data privacy. They may also be subject to civil action from employees whose privacy has been violated.
  • Regardless of which laws apply, employers should follow best practices to safeguard employee data privacy.
  • The national trend is toward more regulation concerning what data employers and CRAs may collect and how they may go about doing it.

Employee Personal Information Protection Laws


There is no federal law that explicitly addresses employee personal information protection. Laws such as the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act (HIPAA) speak to employee data protection only indirectly. The Americans with Disabilities Act (ADA) addresses the confidentiality of employee medical records. Some states, such as California, have enacted data privacy legislation of their own.


Generally, employees have only a limited expectation of privacy in the workplace, and, subject to state law, employers may require drug testing, conduct workplace surveillance and impose lifestyle restrictions as a condition of employment. Employers may not, however, disclose private information about employees, or they could be held liable for invasion of privacy.


What is the Data Protection Act in the US?

The American Data Privacy and Protection Act (ADPPA), introduced in 2022, is a federal bill that would replace the current patchwork of privacy laws with a comprehensive structure of privacy rights and an oversight and enforcement mechanism. It was not enacted in 2022 or 2023. However, the idea has bipartisan support, and it could become law in the future.


Provisions of ADPPA include:

  • The right of individuals to access their personal information.
  • The right to have personal information deleted.
  • The right to correct inaccurate personal information.
  • The right to opt out of sale of this information.
  • Restrictions on how organizations can collect and use such information.
  • A requirement for organizations to implement reasonable security measures.
  • Formation of a Federal Privacy Commission to enforce the new regulations.


US Data Protection Laws


The European Union has its General Data Protection Regulation (GDPR), but there is no equivalent overarching privacy law in the US. Instead, there is a patchwork of state and local laws, plus federal laws that address data protection only indirectly.


  • The Privacy Act of 1974 governs the collection, use and disclosure of personal information held by federal agencies.
  • The Fair Credit Reporting Act (FCRA) regulates consumer reports, including background reports used for employment purposes: it restricts what information a CRA may report, requires the applicant's authorization before an employer obtains a report, and limits how the employer may use it.
  • The Fair and Accurate Credit Transactions Act (FACTA), a 2003 amendment to the FCRA, mandates the secure disposal and destruction of consumer report information that is no longer needed.
  • The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection of health information held by healthcare providers, health plans and their business associates.


None of these specifically addresses employee data privacy. California has enacted the California Consumer Privacy Act (CCPA), a comprehensive privacy law similar in scope to the EU's GDPR; as amended by the California Privacy Rights Act (CPRA), it has applied to employee and applicant data since January 1, 2023. Several other states have enacted or are considering similar laws. In addition, many states have extended the provisions of the FCRA with additional regulations around collecting data in the course of background checks.


Employee Data Protection Best Practices

Because of the jumble of privacy laws, there isn't a single legal template that employers can implement to ensure employee data privacy. Here are some practices they should consider in the absence of a comprehensive data privacy law:


  • Keep abreast of developments in data privacy legislation.
  • Establish written procedures for handling employee data. Ensure that management and employees are aware of these procedures. Where it’s required, obtain employee consent for data handling.
  • Work with the technology department to design and implement data security procedures. This includes encryption, secure storage, restriction of access and secure destruction of data that is no longer required.
  • Restrict data access on a need-to-know basis. Regularly review permissions to ensure all access is authorized and necessary.
  • Regularly review what is being stored to ensure you are retaining only data that is necessary for business.

What Happens to an Employee’s Data Once They Leave a Company?


Laws around the retention of employee data are fragmented. There is no single maximum or minimum retention period; individual laws set minimums for particular record types, and the general privacy principle is that data should be kept no longer than necessary. Any data no longer required, whether digital or on paper, must be securely destroyed.


The Equal Employment Opportunity Commission (EEOC) requires employers to retain personnel records for at least one year (for a terminated employee, one year from the date of termination). Under the Fair Labor Standards Act (FLSA), payroll records must be kept for three years.


It’s a common practice for employers to destroy personal information after three years. They may retain it longer if pending or anticipated litigation requires it. An individual may request that their former employer destroy their personal data; however, the employer is under no obligation to accede to this request, and it will not do so while federal or state law requires the data to be retained.
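The retention review recommended in the best-practices list above, and the retention periods described in this section, can be turned into a repeatable check. The following is an added example, not code from the original article or from Eagle Eye Screening Solutions. It encodes the periods stated on this page as an assumed policy table (personnel records kept at least one year, payroll records at least three years, routine destruction after three years, indefinite retention under a legal hold); the record categories, the inventory and the `as_of` date are constructed for illustration, and the thresholds should be set by your own counsel.

```python
"""Retention review over an employee-record inventory.

Added example.  The RULES table is an ASSUMED policy that encodes the
retention periods stated on the page; it is not legal advice and the
numbers should come from counsel.  Unclassified records are never
destroyed: the check fails closed and flags them for review instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Tuple

YEAR = 365  # calendar-day approximation; a real policy would use anniversaries


@dataclass(frozen=True)
class RetentionRule:
    minimum_days: int        # law requires retention at least this long
    destroy_after_days: int  # policy: securely destroy once older than this


# Assumed policy table (page's stated periods: EEOC one year, FLSA three
# years, common practice of destruction after three years).
RULES: Dict[str, RetentionRule] = {
    "personnel_file": RetentionRule(minimum_days=1 * YEAR, destroy_after_days=3 * YEAR),
    "payroll":        RetentionRule(minimum_days=3 * YEAR, destroy_after_days=3 * YEAR),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    employee: str
    category: str
    separation_date: date   # retention clock starts when the employee leaves
    legal_hold: bool = False


def decide(record: Record, as_of: date) -> Tuple[str, str]:
    """Return (action, reason).

    action is one of:
      "retain"      - destruction is not permitted (legal hold or statutory minimum)
      "may_destroy" - minimum met, still inside the policy window (employer's choice)
      "destroy"     - past the policy window; destroy securely
      "review"      - no rule for this category; never destroy blindly
    """
    if record.legal_hold:
        return ("retain", "legal hold in place")
    rule = RULES.get(record.category)
    if rule is None:
        return ("review", f"no retention rule for category {record.category!r}")
    age_days = (as_of - record.separation_date).days
    if age_days < rule.minimum_days:
        return ("retain", f"statutory minimum not met ({age_days} of {rule.minimum_days} days)")
    if age_days < rule.destroy_after_days:
        return ("may_destroy", "minimum met; inside policy window")
    return ("destroy", f"past policy window ({age_days} days)")


def deletion_request(record: Record, as_of: date) -> str:
    """Answer a former employee's request to delete a record, using the same rules."""
    action, _ = decide(record, as_of)
    if action == "destroy":
        return "approve"
    if action == "may_destroy":
        return "discretionary"   # employer may comply but is not obliged to
    return "deny"                # retention required, or record needs classification first


def review(records: Iterable[Record], as_of: date) -> Dict[str, Tuple[str, str]]:
    """Run the retention check over a whole inventory."""
    return {r.record_id: decide(r, as_of) for r in records}


# Constructed sample inventory (not real data).
AS_OF = date(2024, 4, 17)
SAMPLE_RECORDS = [
    Record("R1", "a.smith", "personnel_file",    date(2023, 10, 1)),                   # 199 days old
    Record("R2", "b.jones", "personnel_file",    date(2022, 1, 15)),                   # 823 days old
    Record("R3", "c.lee",   "payroll",           date(2020, 6, 30)),                   # 1387 days old
    Record("R4", "d.kim",   "payroll",           date(2020, 6, 30), legal_hold=True),  # hold overrides age
    Record("R5", "e.diaz",  "background_report", date(2019, 3, 1)),                    # no rule defined
]

if __name__ == "__main__":
    for rid, (action, reason) in review(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rid}: {action:12} {reason}")
```

Two design points matter more than the numbers. First, the legal-hold check runs before any age arithmetic, so a hold can never be overridden by a stale policy window. Second, a category with no rule yields "review" rather than "destroy"; the FACTA disposal obligation and the EEOC/FLSA minimums pull in opposite directions, and the safe failure mode is to keep the record and ask, not to shred it.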


How Does Employee Data Privacy Affect CRAs?

CRAs are in the business of collecting data, including data from previous employers, and data privacy restrictions limit what data they are permitted to collect as well as what they use it for. Many of the restrictions are due to state and local laws. For example, in some jurisdictions, CRAs may not be able to discover and report older criminal records.


Under the FCRA, an employer must already disclose to an applicant that it will obtain a background report and get the applicant's written authorization before ordering it. Before taking adverse action based on the report, the employer must give the applicant a copy of the report and a summary of their FCRA rights, so the applicant has an opportunity to dispute inaccuracies with the CRA before a final decision is made.


Data privacy laws are likely to become more restrictive about what personal data is available and how it may be used. This will present a greater challenge to CRAs in conducting effective yet legal background checks.


Bottom Line


There is no comprehensive federal data privacy law, although it’s possible that one will be enacted in the next few years. In the meantime, employee data privacy is governed by state laws and indirectly by the provisions of several federal laws. Employers need to establish their own best practices for safeguarding employee data.


The trend is for less and less employee data to be legally available and usable by employers and CRAs that conduct background checks. That's why CRAs should rely on a background check wholesaler such as Eagle Eye Screening Solutions. We keep abreast of the most current federal, state and local law, and we have the technology and the nationwide scope to compliantly provide the information that employers require.
