Privacy Protection Policy
As a leader in providing timely and relevant information to our clients, Research Associates, Inc. (“RAI”) is committed to protecting the privacy of individuals and the information that we obtain, both within the United States and throughout the global marketplace.
RAI performs investigations in every major commercial location worldwide and complies with all applicable privacy laws, including the Privacy Shield Principles set forth in accordance with the European Union and US Department of Commerce. All data shall be collected, stored, used and discarded in compliance with applicable law, which may include the federal Fair Credit Reporting Act (“FCRA”), the EU-US Privacy Shield, other national laws and state background screening and privacy laws.
- RAI collects Personal Identifiable Information (“PII”) and other information in connection with our services, including employment screening, client acceptance investigations, business due diligence and business investigations.
- Prior to receiving any pre-employment services from RAI, clients must execute an agreement certifying that they will comply with all applicable laws regulating background investigations and will not procure a background investigative report without first making required disclosures to an applicant for employment and without obtaining the applicant’s prior written consent.
- RAI collects PII from job applications, resumes, databases, public records and from third parties as permitted by law.
- RAI uses PII only to perform investigations and does not share PII with nonaffiliated third parties other than as necessary to perform investigations.
- When RAI discloses PII to third parties to perform services, we require that they protect the PII and use it only for the purpose it was disclosed.
- RAI provides a toll-free number and web access for individuals who, as authorized by law, seek to obtain PII maintained by RAI, and information is provided on a timely basis pursuant to applicable law.
- RAI does not sell PII to third parties and does not maintain a commercially available database for the sale or transfer of PII.
- RAI maintains physical, electronic and procedural safeguards to protect PII.
- This policy is available in PDF form here.
Applicable Laws and Regulations
RAI complies with all regulations regarding the collection, use, transmission and destruction of information we receive. The major regulations include:
The Gramm-Leach-Bliley Act (“GLBA”): The GLBA requires financial institutions and businesses that receive personal information in the course of conducting their business to establish safeguards for the handling and disclosure of that information. The GLBA requires certain safeguards for the protection of Personal Identifiable Information (“PII”). PII includes any combination of a person's name and the following data: credit card numbers, date of birth, Social Security number, driver's license number and financial account numbers.
The Fair Credit Reporting Act (“FCRA”): The FCRA is a federal law that regulates the collection, dissemination, and use of consumer information. RAI is a consumer reporting agency under the FCRA and is subject to the Act when conducting investigations for employment purposes.
EU-US Privacy Shield Framework: Similar to the GLBA, the EU-US Privacy Shield Framework addresses the protection and confidentiality of Non-Public Information. The requirements under the EU-US Privacy Shield closely mirror those of GLBA, requiring adequate measures to safeguard the information from unauthorized access and unauthorized sharing, whether the data is at rest or in-transit.
Fair And Accurate Credit Transactions Act (“FACTA”): FACTA is federal legislation that went into effect June 20, 2006 and became regulatory January 01, 2008. FACTA contains provisions to help reduce identity theft and provisions regarding the proper disposal of personal information regarding consumers.
State FCRA Laws and Regulations: Several states within the United States have enacted laws similar to the FCRA. Where those state laws provide more restrictive requirements than those set forth in the FCRA, RAI follows the more restrictive limitations unless pre-empted by the express terms of the FCRA. Many states have also enacted privacy laws and regulations which limit the information which may be included in a background investigative report for employment purposes. Several states enacted legislation requiring certain data security measures to be utilized in the transmission of PII. RAI takes all reasonable steps to comply with these varying state laws and regulations.
How We Collect Personal Identifiable Information
Personal Identifiable Information is received by RAI primarily from a job application and related documents presented as part of an application for employment to one of our clients. Most applications contain PII such as name, address, social security number and driver’s license number. Dates of birth are typically obtained through independent sources. We may request a national consumer reporting agency to provide a report in compliance with the FCRA. We also obtain information from databases, public records and from third parties as permitted by law.
How We Use, Process and Disclose Personal Identifiable Information
RAI uses and discloses PII only as permitted by law and necessary to conduct business. RAI prepares “consumer reports” and “investigative consumer reports” as defined in the FCRA. Consumer reports or investigative consumer reports may contain information bearing on an individual’s character, general reputation, personal characteristics, mode of living, and credit standing. The types of reports that may be prepared include, but are not limited to: credit reports, criminal records checks, public court records checks, driving records, summaries and verification of educational records and histories, and/or summaries and verification of employment positions held and related duties, last pay rate or salary, work performance, experience, skills, qualifications, compliance with employer or institutional policies, licensing, certification, training, honesty, etc. The information contained in these reports may be obtained from private or public record sources including sources identified in the job application or through interviews or correspondence with past or present co-workers, neighbors, friends, associates, current or former employers, educational institutions or other acquaintances.
RAI processes and discloses PII under strict laws and regulations including, but not limited to: Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act and EU-US Privacy Shield Framework. In adhering to the aforementioned laws and regulations, RAI may use PII to: verify an individual’s identity, perform address locator searches, perform business due diligence, fraud investigations, business investigations and for other business related purposes. We may also disclose PII to protect against fraud and comply with legal requirements. For these purposes, we may share PII with:
- Our clients;
- Consumer reporting agencies;
- Researchers working on our behalf;
- State and federal governmental authorities; and
- Other persons and entities as ordered by subpoena, warrant or other court order or as required by law.
We provide employment background reports only to businesses with a permissible purpose and in accordance with all applicable laws and regulations. All RAI clients have been subject to a due diligence investigation to confirm that they are a legitimate business. These investigations may include on-site visits to offices, verification of business standing through publicly available information, business database verifications, Internet searches, reference verification and other means.
How We Dispose Of Personal Identifiable Information
RAI does not maintain PII except to the extent required by law. RAI maintains secure and locked trash receptacles. Company policies require that any documents containing PII be deposited in these secure containers for disposal. Documents are shredded on site by a licensed, bonded commercial shredding company which has been vetted by RAI prior to obtaining a contract for services.
How We Safeguard Personal Identifiable Information
RAI maintains appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect. RAI has published to employees an employee manual and other policies that require employees to keep confidential all PII obtained in the course of our business. All RAI employees undergo a rigorous pre-employment background investigation prior to being granted access to RAI information and files. RAI maintains a state-of-the-art building security program overseen by a licensed security professional.
The FCRA and certain state laws provide that a person, under certain circumstances, has the right to inspect files maintained by RAI which relate to that person. For example, Applicants for employment with our clients have the right to inspect their files and can receive a copy of their background reports. Within thirty (30) business days of receipt of a written request, we will disclose copies of any reports and other information in our files which we are required by law to provide. Upon written request and as required by law, we will advise to whom we have shared any consumer reports within the past two years, or for the time period required by state law, and we will provide the name and address of any consumer reporting agency that provided us a report.
An individual may contact RAI if they believe information in their file is incomplete, inaccurate or misleading. All such requests and all subsequent correspondence must be in writing. Upon such request, RAI will investigate the nature and scope of the dispute and will make appropriate changes to any incomplete, inaccurate or misleading information or will provide an explanation of our refusal to do so. If we do not make a requested change, the individual is entitled, under certain circumstances, to submit a written statement for insertion in their file and we will disclose that statement to future requestors as required by law.
Revisions to this Policy
EU-US Privacy Shield Framework
RAI respects individual privacy and values the confidence of its customers, employees, consumers, business partners and others. Not only does RAI strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, it also has a tradition of upholding the highest ethical standards in its business practices.
The EU-US Privacy Shield (the "Policy") applies to all personal identifiable information (PII) received by RAI in the United States from the European Economic Area, in any format including electronic, paper or verbal.
For purposes of this Policy, the following definitions shall apply:
"Agent" means any third party that uses personal information provided by RAI to perform tasks on behalf of and under the instructions of RAI.
"RAI" means Research Associates, Inc., its predecessors, successors, subsidiaries, divisions and groups in the United States of America.
"Personal Identifiable Information (PII)" as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
"Sensitive Personal information" means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life. In addition, RAI will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.
Privacy Shield Principles
NOTICE: Where RAI collects personal information directly from individuals in the EEA, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which RAI discloses that information, and the choices and means, if any, RAI offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to RAI, or as soon as practicable thereafter, and in any event before RAI uses the information for a purpose other than that for which it was originally collected.
Where RAI receives personal information from its subsidiaries, affiliates or other entities in the EEA, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
CHOICE: RAI will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For sensitive personal information, RAI will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. RAI will provide individuals with reasonable mechanisms to exercise their choices.
By reviewing the Disclosure Forms and completing the Authorization Form for a background investigation, an individual expressly agrees to the use of PII and consents to RAI’s use of that information in accordance with this Policy. In the event an individual opts out of disclosure, the personal information will be deleted unless required to be maintained by law or sound business judgment. However, in the event of an opt-out, the data will not be forwarded or utilized by RAI for any further purpose.
ACCOUNTABILITY FOR ONWARD TRANSFER: RAI obtains signed contracts from EU record research vendors obligating the agent to provide at least the same level of protection as is required by the relevant EU-US Privacy Shield Framework. Vendors are provided with specific documentation to regulate their acquisition and use of criminal research, while detailing standards for data security and privacy guidelines. Where RAI has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, RAI acknowledges this potential liability and will take reasonable steps to prevent or stop the use or disclosure.
SECURITY: RAI will take all reasonable technical, physical and managerial procedures to protect PII from loss, misuse and unauthorized access, disclosure, alteration and destruction. Any personal data transmitted to or from our web site(s) is protected by a secure socket layer (SSL) key which encrypts the data transmitted over the Internet. Strong password practices are used on RAI systems. Access to servers containing private information and data is strictly limited to only our authorized personnel who have been trained to protect against loss, misuse, unauthorized access, disclosure, alteration or destruction of personal data under our control. All servers that handle sensitive personal information are kept in a secure environment with appropriate security measures.
DATA INTEGRITY AND PURPOSE LIMITATION: RAI will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. RAI will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
ACCESS: Upon request, RAI will grant individuals reasonable access to personal information that it holds about them. Per EU-US Privacy Shield, RAI will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. Individuals will be informed whether any personal data is being processed upon written notice from the applicant. Any requests must be sent by email or letter to the contact person listed at the end of this policy. Individuals have the right to receive (1) a description of the personal data; (2) the purposes for which the data is being processed; (3) a list of the recipients to whom the data may be disclosed; and (4) information regarding the source of the data. The information provided will be in a format that is easy to understand.
Research Associates, Inc.
27999 Clemens Road
Cleveland, OH 44145
RAI has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
RAI will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that RAI determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
Contact Regarding This Policy:
Kevin Prendergast, President & General Counsel
Research Associates, Inc.
27999 Clemens Road
Cleveland, OH 44145-1141
Phone: 800-255-9693; Fax: 440-892-9439
REVISED: September 2016