Data protectioni Requirements for registration
Puerto Rico does not have a formal data protection agency or government body responsible for supervising the collection, use and dissemination of employees' personal information gathered by a public or private corporation. The right to privacy, nonetheless, is recognised under the Constitution. Additionally, local and federal laws recognise the confidential nature of certain information gathered by businesses. Depending on the nature of the information, a higher or lesser degree of confidentiality and reasonableness is applicable to employees' employment records and private data.ii Cross-border data transfers
Companies do not need to register for purposes of cross-border data transfer of an employee's personal information. To the extent records and information transferred include employees' private data, a company must take necessary steps to protect it from indiscriminate or public disclosure. The applicable standard should be that of a prudent business person.iii Sensitive data
Various federal and local employment laws specify the confidential information employers must protect from public disclosure.
The US federal Americans with Disabilities Act (ADA) and Genetic Information Nondiscrimination Act, as amended, and their local counterparts, protect employees' genetic, medical and health-related information, and data in the employment context, or relating to disabilities or requests for accommodation (or both). This information must be kept in separate records. Enforcement guidance issued by the EEOC under the ADA, and applicable in Puerto Rico, concerning disability-related enquiries and medical examinations of employees suggests that any medical information concerning employees' disabilities must be treated as confidential. Employers may share such information in limited circumstances with supervisors, safety personnel and government officials investigating compliance with the ADA.
Additionally, Act No. 207 of 27 September 2006 prohibits employers from using an employee's social security number for identification purposes and requires safeguards to protect it from undue disclosure. An employer may only transfer social security numbers electronically when there are sufficient safeguards to protect their confidentiality.
Puerto Rico's legislation prohibiting discrimination owing to sexual orientation and gender identity also requires employers to keep information about gender identity and sexual orientation confidential. A similar protection from disclosure is afforded to information gathered during an investigation to protect a domestic violence victim who is at risk in the workplace, or who is alleging discrimination. Employers must take reasonable measures to prevent disclosure of the confidential information to persons without a need to know.
Furthermore, Act 59 requires employers who perform drug tests to job applicants and employees in the private sector to treat test results and related data confidentially. Also, to the extent Form I-9 for employment eligibility contains personal information about employees, the US Citizenship and Immigration Service recommends that employers provide adequate safeguards to protect it.
Finally, the privacy and security provisions of the US federal Health Insurance Portability and Accountability Act of 1996 apply to employers who are covered entities in Puerto Rico.iv Background checks
Employers can perform background checks (including criminal and credit checks) on job applicants and current employees, subject to legal parameters. Employment decisions that consider the results of background checks cannot have an adverse impact on a category protected from discrimination. The PRSC has held that not hiring an applicant based on his or her criminal record may constitute social-condition discrimination. In that regard, employers are required to assess different factors to make employment decisions involving an individual with a criminal record. Despite initiatives by the US government to promote removing from employment applications the check box or enquiries about applicants' criminal records (a campaign also known as 'ban the box'), Puerto Rico does not have such a prohibition.
Employers must also comply with the US federal Fair Credit Reporting Act of 1970 by notifying the applicant or employee of the possibility of using their background report for employment decisions; getting their written permission; and certifying compliance to the reporting agency. If an employer takes an adverse employment action based on the background report, it shall provide a copy of the report to the job applicant or employee and a notice of rights with the contact information of the consumer reporting agency. Its Puerto Rico counterpart, the Credit Reporting Agencies Act, provides similar protections.
Subject to limited exceptions, areas outside the scope of review include job applicants' or employees' genetic, medical and disability-related information. Considering other categories revealed in background checks, such as filing for bankruptcy, military service or discharge records, may also expose employers to discrimination claims.