FCRA, GDPR, & POPI Compliance

Farosian is proud to be FCRA, GDPR, and POPI compliant in all that we do. For more information please feel free to contact us on info@farosian.co.za.

Fair Credit Reporting Act (FCRA) Compliance

Farosian Social and Digital Media Background Screening reports are “consumer reports” under the FTC’s FCRA when they serve as a factor in determining a person’s eligibility for employment, credit, insurance, housing, or other purposes and they include information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” Companies that sell or provide those reports are “consumer reporting agencies” or CRA’s under the FCRA.

The FCRA allows companies such as Farosian to provide consumer reports to employers under specific guidelines. CRA’s are required to perform the following:

Follow reasonable procedures to assure accuracy. Among other things, the FCRA requires you to establish and follow “reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.”  Certain practices may be indicators that a background screening company isn’t following reasonable procedures. For example, if a report lists criminal convictions for people other than the applicant or employee – for instance, a person with a middle name or date of birth different from the applicant’s – that raises FCRA compliance concerns. Other indications that a company’s procedures might not be reasonable include screening reports with multiple entries for the same offence or that list criminal records that have been expunged or otherwise sealed.

Get certifications from your clients.  Consumer reporting agencies may provide consumer reports only to those with a specific permissible purpose, like employment. So verify that your clients are legitimate and get them to certify that they will use the reports only for employment purposes. In addition, the FCRA gives job applicants and employees the right to know that information about them is being reported to employers or potential employers. Therefore, you must get certifications from your clients attesting that:

  1. The employer notified the applicant and got the applicant’s written permission to get a background report;

  2. The employer will comply with the FCRA’s requirements; and

  3. The employer won’t discriminate against the applicant or employee, or otherwise misuse the information in violation of federal or state equal opportunity laws or regulations.

Provide your clients with information about the FCRA. 

The FCRA requires you to provide your clients with information about their responsibilities under the statute (Notice to Users of Consumer Reports) and a summary of consumer rights under the FCRA (A Summary of Your Rights Under the Fair Credit Reporting Act), which you can provide with the background screening report or before providing a report. These are standard documents available from the Consumer Financial Protection Bureau.

Honour the rights of applicants and employees.

The FCRA gives consumers certain rights with which you must comply. For example, you must give them access to their files when they ask for them, conduct a reasonable investigation when they dispute the accuracy of information, and give them written notice of the results of investigations. It’s a violation of the FCRA not to respond in a timely way to consumers’ inquiries and disputes. Another FCRA violation: creating unreasonable obstacles for consumers trying to exercise their rights under the FCRA.


Congress has limited the use of consumer reports to protect consumers’’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:

  • As ordered by a court or a federal grand jury subpoena. Section 604(a)(1)

  • As instructed by the consumer in writing. Section 604(a)(2)

  • For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account. Section 604(a)(3)(A)

  • For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)

  • For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C) When there is a legitimate business need, in connection with a business transaction that his initiated by the consumer, Section 604(a)(3)(F)(i)

  • To review a consumer’s account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)

  • To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status. Section 604(a)(3)(D)

  • For use by a potential investor or services, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)

  • For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof, Section 604(a)(4) and 604(a)(5)

In addition, creditors and insurers may obtain consumer report information for the purpose of making“prescreened” unsolicited offers of credit or insurance. Section 604(c).

Other links:

Complete FCRA Guidelines

Protection Of Personal Information (POPI) Compliance

The basis of the POPI Act is that organisations need to conduct themselves responsibly – responsible corporate citizenship. Organisations should not only be responsible, but should be seen to be responsible corporate citizens. Part of this responsibility is to protect the information inside the organisation, to be responsible when it comes to the process of storing and sharing personal information. Personal information is to be seen as precious goods and that the act requires organisations to exercise control over these precious goods.

What constitutes as personal information under the POPI Act?

  • Identity or passport number
  • Date of birth and age
  • Phone numbers
  • Email address
  • Online messaging identities
  • Physical address
  • Gender, race and ethnic origin
  • Photos, voice recordings, video footage
  • Marital relationship and family relations
  • Criminal record
  • Private correspondence
  • Religious or philosophical beliefs including personal and political opinions
  • Employment history and salary information
  • Financial information
  • Education information
  • Physical and mental health information including medical history
  • Membership of organisations

Everyone has the right to be told if someone is collecting their personal information, or if their personal information has been accessed by an unauthorised person. You have the right to access your personal information. You also have the right to require your personal information to be corrected or destroyed, or to object to our personal information being processed.

The Act does not apply to personal information processed in the course of a personal or household activity, or where the processing authority is a public body involved in national security, defence, public safety, anti-money laundering, or the Cabinet or Executive Council of the province or as part of a judicial function.

Personal information can only be processed: – (section 11)

  • with the consent of the “data subject”; or
  • if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
  • it is required by law; or
  • it protects a legitimate interest of the “data subject”; or
  • it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.

Everyone has the right to object to having their personal information processed. They can withdraw their consent, or they can object if they can show legitimate grounds for their objection.

A Responsible Party has to collect personal information directly from the “data subject”, unless:

  • This information is contained in some public record or has been deliberately published by the data subject.
  • collecting the information from another source does not prejudice the subject;
  • it is necessary for some public purpose; or to protect your own interests;
  • obtaining the information directly from the subject would prejudice a lawful purpose or is not reasonably possible.

You can only collect personal information for a specific, explicitly defined and lawful purpose and the subject must be aware of the purpose for which the information is being collected. (section 13)

Once the personal information is no longer needed for the specific purpose, it must be disposed of (the subject must be “de-identified”), unless you need to keep it (or are allowed to keep it) by law, or you need to keep the record for your own lawful purpose or in accordance with the contract between yourself and the subject, or the subject has consented to you keeping the records. (section 14)

You are entitled to keep records of personal information for historical, statistical or research purposes if you have established safeguards to prevent the records being used for any other purposes.

Records must be destroyed in a way that prevents them from being reconstructed.

You can only use personal information that you have collected for the purpose which you collected it for. (section 15)

Documentation relating to personal information and how it has been processed must be maintained as referred to in section 14 or 51 of the Promotion of Access to Information Act.

When information is being collected, subjects must be made aware of: (section 18)

  • the information that is being collected and if the information is not being collected from the subject,
  • the subject must be made aware of the source from which the information is being collected;
  • the name and address of the person/organisation collecting the information;
  • the purpose of the collection of information; whether the supply of the information by the subject is voluntary or mandatory;
  • the consequences of failure to provide the information; whether the information is being collected in accordance with any law;
  • If it is intended for the information to leave the country and what level of protection will be afforded to the information after it has left South Africa.
  • who will be receiving the information;
  • that the subject has access to the information and the right to rectify any details;
  • that the subject has the right to object to the information being processed (if such right exists);
  • that the subject has the right to lodge a complaint to the Information Regulator. The contact details of the Information Regulator must also be supplied.

These requirements have to be met before the information is collected directly from the subject, or soon as reasonably practicable thereafter if the information is not collected directly from the subject, unless the subject is already aware of these rights. If you collect additional information from a subject for a different purpose, you have to go through this process again. S18(3)

It is not necessary to meet these requirements if the subject has consented to non-compliance or if, by non-compliance, the rights of the subject would not be prejudiced, or if by compliance you would prejudice some public interest, or if the information is only going to be used for historical statistical research purposes, or if the subject is not going to be identified.

Farosian is aware of, and abides by all regulations stipulated above. If you have any further questions regarding personal information please feel free to contact us here.

General Data Protection Regulation (GDPR) Compliance

“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis,” the GDPR explains in Recital 40. In other words, consent is just one of the legal bases you can use to justify your collection, handling, and/or storage of people’s personal data. Below are five other justifications.

  1. Processing is necessary to satisfy a contract to which the data subject is a party.
  2. You need to process the data to comply with a legal obligation.
  3. You need to process the data to save somebody’s life.
  4. Processing is necessary to perform a task in the public interest or to carry out some official function.
  5. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

General obligations to be met for the processing of data based on someone’s consent:

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Consent from the data subject must be; freely given, specific, informed, unambiguous, and can be revoked at any point. 

For more information on what constitutes personal data under the EU GDPR, click here

For any additional information about the specifics of GDPR, click here

Should you have any queries or concerns, please feel free to contact Farosian, you may do so here