
Balancing need to know with employee rights

From credit reports to Twitter, a major HR challenge

It comes as a surprise to some people that the word “privacy” never appears in the United States Constitution.

In fact, America is almost unique amongst western democracies in not having a comprehensive national privacy law that protects personal information.

Sure, we have piecemeal, industry-specific legislation like the Gramm-Leach-Bliley Act, which prohibits disclosure of financial information, and the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule that protects our personal health information. Some states have passed more general laws, too, but none compares with the European Union’s Privacy Directive that mandates that each member state enact a comprehensive personal data privacy law and create a government agency to enforce it.

I’m not passing judgment one way or the other. I’m just pointing out that we are a little schizophrenic here when it comes to personal privacy. (Is that a nice way of saying “hypocritical”?)

On one hand, we share intimate details of our life on social media.

On the other, we are outraged that the NSA has accessed our phone records.

Privacy in the workplace

The issue comes quickly to the foreground in the employment arena with background checks.

Credit checks and bank employment. There is a strong movement to restrict the use of credit checks in hiring. Some states have already passed laws outlawing such checks, although to the best of my knowledge all have exceptions for jobs in financial services. There are two current proposals in Congress which would bar discriminating against a candidate or employee on the basis of their credit record. Although neither seems likely to pass, they are notable in not containing an exception for banking.

How do you use credit checks?

Criminal checks and bank employment. The Equal Employment Opportunity Commission (EEOC) issued guidelines in 2012 strongly discouraging any inquiry about criminal convictions and banning questions about criminal arrests. The guidance recognizes that other federal laws, such as the Federal Deposit Insurance Act (FDIA), require criminal record checks, but warns against any screening that goes beyond the bare legal minimum.

What steps do you take to comply with FDIA without overstepping?

An old law repurposed

The Fair Credit Reporting Act (FCRA) was originally passed in 1970 and substantially amended in the 1990s. It applies to any “consumer report” (not just credit checks) obtained on a candidate or employee from a consumer reporting agency, such as TransUnion, Equifax, or Experian.

Compliance with the FCRA requires three steps:

1. A release. Before seeking the report, the employer must obtain a release from the applicant or employee. This release should be standalone, not wrapped into boilerplate on the application form.

2. Notice to the applicant. If adverse information is received and is being considered in connection with the application, the bank must notify the applicant, and send a copy of the report together with a statement of FCRA rights.

3. Notice after action on adverse data. If, after “a reasonable period,” the bank decides not to hire or continue employment, based in whole or in part on the adverse information, a further notice must be sent.

Recently, these technicalities have tripped up several large companies which have found themselves the object of FCRA class-action lawsuits, and have paid substantial settlements. Although this new wave of litigation has yet to hit banking, it demonstrates again the need for care when gathering employee information.

Employees on Facebook

“Social media” and “privacy” seem to me to be contradictory concepts. However, this is the most active area in the struggle to balance the bank’s need to gather information about its applicants and employees, and the individual’s right to keep personal information private.

Some states have gone as far as to ban would-be employers from asking to access applicants’ social media accounts. Where such bans are not in place, studies have indicated that being asked for Facebook passwords and the like is a turn-off to candidates, who may then choose to look elsewhere.

My advice to those hiring managers who just can’t resist perusing social media sites is to use the information gathered carefully and consistently.

It is possible that you will discover all kinds of information that is not relevant to the individual’s ability to perform the job. For example, posts, blogs, and tweets may reveal membership in a legally protected category. If employment is denied, the bank may be vulnerable to a claim of discrimination.

NLRB: Not just for union shops anymore

Several recent National Labor Relations Board (NLRB) cases have addressed the issue of employees making negative comments about the employer in social media posts. The general conclusion is that when these posts, no matter how disrespectful, concern the terms and conditions of employment—pay, hours, etc.—and are read by other employees, they constitute “concerted protected action,” and may not be the cause for discipline. In the NLRB’s eyes, this is distinct from “mere griping” which is not protected.

Crafting an adequate social media policy that protects the bank’s confidential information and reputation in the community is a thankless task, given the fast-changing technology as well as these recent somewhat ambiguous rulings.

I advocate a broad written policy (something like: “Don’t be a jerk”) backed up with regular, meaningful, ethics training. (See my previous post, “Doing the right thing: Training moves tone from compliance to culture.”)

Medical information and privacy protection

Several statutes protect the privacy of personal health information: the Americans with Disabilities Act (ADA), the HIPAA Privacy Rule, and the Genetic Information Non-Discrimination Act (GINA), for example.

Yet the Office of Federal Contract Compliance Programs recently passed a rule requiring all banks with more than 50 employees to ask all applicants and employees whether they have a disability. This data is now needed to fulfill new Affirmative Action Plan mandates. (See my earlier blog on this, “Big changes coming in affirmative action: Effective March 2014, new rules hit banks with over 50 employees.”)

Marian Exall

Marian Exall recently retired after a long career as an employment lawyer and HR professional with more than 25 years' experience advising banks and other employers on compliance issues. She was a principal and co-founder of Employment Law Compliance, Inc. which provides HR compliance solutions to banks. For more information on this or other employment compliance topics, please call Employment Law Compliance at 866-801-6302 or go to

Now retired from blogging as well, Marian also writes fiction. Her latest novel is a mystery called A Slippery Slope. For more information and to order, go to
