Vetting candidates with international experience presents unique challenges.
By Vincent J. Pascarella
With more Americans living and working outside the United States than ever before (5.08 million, according to the U.S. State Department), it’s becoming increasingly likely that new hires for companies in the U.S. will have spent some portion of their lives abroad. Candidates with international work or school experience can bring a worldview that more domestically focused applicants lack, making them attractive hires in an increasingly global economy.
Unfortunately, screening the international portion of an applicant’s work or other activities is fraught with peril. Strict privacy laws, poor integration among law enforcement, and other problems make screening complicated and difficult. Yet, failing to screen or adequately screen this portion of a candidate’s life can expose companies to significant risk. Fortunately, employers that address, rather than evade, this problem can position themselves to screen and hire these candidates safely, efficiently, and effectively.
The Privacy Premise Escalates
Many countries have privacy laws more restrictive than those in the U.S. Prime examples occur in Europe, where in 1980 the Organization for Economic Cooperation and Development (OECD) issued seven recommendations for privacy principles. These included notice to, and consent of, anyone about whom data was collected, disclosure by the collector of its identity and purpose, strict security of the data, access to data by the subject of the collection, and accountability for failure to follow the principles.
The OECD Guidelines were nonbinding and initially had little effect in creating a unified landscape throughout Europe. (Ironically, the U.S. endorsed these principles at the time but did nothing to implement them.) However, all of them were incorporated into the 1995 E.U. directive that, by 1998, every E.U. member state had made internal law.
The E.U. directive came into the spotlight this year, as Google and Facebook came under more fire for their data collection practices, and the E.U. Justice Commission announced that U.S. and non-European companies must follow E.U. privacy laws or face harsh penalties. In March 2011, Google was fined 100,000 Euros—approximately $142,000—by the French government for violating data collection privacy laws.
Megaliths Google and Facebook and their aggressive data-collection behaviors might seem a long way from the average U.S. company, but these actions will likely resonate down to smaller firms. Although the main purpose of the finding was to put on notice (and initiate policing of) “non-E.U. data controllers whose services target E.U. consumers,” the Commission made it clear that any privacy-related infraction could lead to enforcement action.
Furthermore, these principles extend to the transfer as well as the collection of data, creating added complications for U.S. firms bringing information back to their local servers. In speeches about privacy laws, E.U. Justice Commissioner Viviane Reding has pushed for more stringent protections than the 1995 E.U. directive affords, including that privacy standards “should apply independently of the area of the world in which [the] data is being processed.”
The situation is similar in other countries, where firms must tread carefully when collecting data on candidates. For example, in Canada (America’s biggest trading partner), a convoluted mixture of federal and provincial privacy laws make the landscape as mucky as a Canadian peat bog. One of Canada’s federal laws places companies in certain industries, such as banking and aviation, under more strict scrutiny than other sectors.
In addition to (and partially because of) the privacy laws mentioned above, companies attempting to screen candidates with international backgrounds face a tortuous path to checking driving histories, criminal records, credit reports, and even educational backgrounds.
For instance, unlike the strong collaborative and communications network used by U.S. enforcement agencies, many other countries and regions have little integration—or even communication—among their law enforcement and judicial entities. Furthermore, the same privacy laws that restrict the transfer of personal information to the U.S. prevent other countries from aggregating data among themselves.
Privacy laws can even prevent problematic employees from being identified to former employers—which in turn may keep this information out of a job applicant’s record and make it very hard to uncover. For example, France has prohibited McDonald’s and other companies from initiating whistle-blower programs—designed to ensure compliance with the Sarbanes-Oxley Act—at locations on French soil.
When Better Than Nothing Is Worse Than Anything
Faced with such a tangle of laws and the reality that navigating this landscape is a complex, time- and document-intensive process, some firms assume if they gain the candidate’s advance permission to collect data, they will be protected from fallout. Others take a leap of faith, neglecting the international portion of a candidate’s experience entirely. Neither practice is wise from a risk mitigation perspective.
With the first practice, gaining candidate permission does not necessarily issue an “all-clear” message regarding the acquisition, transmission, storage, and disposal of data. Many countries take the position that an individual’s right to privacy cannot be waived by the individual.
With the second practice, if an employer performs a higher level of due diligence on the domestic side and significantly less or no due diligence on the international side of a background check the resulting legal and regulatory exposure can be the equivalent of (and in some cases worse than) performing no background check at all. Absent a very good reason for the disparity—such as the information is not publicly available, doesn’t exist, or is extremely difficult to obtain—the employer is left with cost as the only explanation for not performing reasonable due diligence.
In an increasingly litigious society, negligent hiring lawsuits continue to grow in both frequency and size of damage awards. When lack of proper scrutiny results in financial or physical harm to a company’s other employees, customers, or the public-at-large, the courts look disdainfully at firms that put dollars ahead of safety.
Workplace violence, theft, and other detrimental situations can also tarnish a company’s reputation, affecting its competitiveness, future recruiting efforts, and customer and shareholder confidence—seriously damaging its brand.
The Path to Prudence
Because privacy concerns extend well beyond the candidate screening process, many large, multinational corporations are developing their own systems for ensuring compliance with privacy laws. General Electric (GE) has been a leader in this regard, developing a “code of conduct” that its employees could apply to the handling of data.
The E.U. directive addresses such systems through its “Binding Corporate Rules” (BCRs) policy, whereby companies submit compliance documentation to one E.U. country, and others have the option of recognizing that approval, as well. However, the BCR framework was developed for multinational corporations, international organizations, and other global entities. Such solutions are cost prohibitive—and unnecessary—for smaller
A better solution for U.S.-based and operating firms is to outsource background screening of candidates with international work or life experience to a qualified third-party screening firm. During the past 10 years, the number of companies proclaiming expertise in international screening has increased dramatically.
Nevertheless, firms seeking to partner with a screening firm for international background checks must conduct their searches carefully or potentially place themselves at risk, as well. In the past decade, some background screening firms have come under scrutiny for behavior that could potentially compromise data security. Even if you already have a trusted partner for your U.S.-based background screening, do not assume that firm is the best choice to perform checks in other countries.
Before you permit a screening firm to handle the international portion of your background checking, ask the following questions:
• Does the firm use country-specific forms and processes? With hundreds of countries and thousands of districts, regions, provinces, etc., a qualified firm will address the many variations possible with appropriate paperwork and procedures.
• Does the cost and turnaround time differ from country to country? Any company that offers a “one-size-fits-all” solution for international background screening might not be performing sufficient diligence. Additionally, the processing time and expense for international screening, compared to U.S.-based checks, should be longer and higher, respectively.
• Is the firm self-certified for the U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks? (These frameworks enable firms to self-certify compliance with E.U. and Swiss privacy laws, respectively.) Or, alternately, has the screening firm addressed compliance through BCRs and other safeguards that verify compliance?
• Does the firm use advanced technologies and data security protocols for data collection, processing, and storage that minimize exposure of such sensitive data?
If the information we have detailed here makes you apprehensive, you are not alone. Hundreds of firms face the issue of international screening every day. Fortunately, taking an active approach to the situation and ensuring that your screening partner has the necessary competencies can substantially curtail your exposure when evaluating candidates who have worked or lived abroad.
Vincent J. Pascarella, Esq., a licensed attorney, is president of ClearStar, a leading provider of strategic services and decision-making information for background screening firms. For more information, visit www.clearstar.net and www.clearstarlogistics.net.