The ICO exists to empower you through information.

Our consultation on this draft guidance is open until 5 March 2024.

In detail

When can we carry out pre-employment vetting?

Pre-employment vetting is where employers make their own enquiries from third parties about a candidate’s background and circumstances. It is particularly intrusive and goes beyond verification or simply checking the accuracy of the information candidates have provided about themselves.

Pre-employment vetting is not usually a requirement of the recruitment process and you are unlikely to need to do this for many roles. If you have questions about information the candidate has provided, you should contact the candidate about this.

You should only do pre-employment vetting where you are under a legal obligation (eg to perform right to work checks), or you can identify significant and particular risks to the employer, clients, customers, or others. The nature and extent of these risks may depend on the type of the role, but examples might include:

  • breaches of national security;
  • employing unsuitable people to work with children or adults at risk of harm;
  • danger to others;
  • risk of theft; or
  • disclosure of trade secrets or other commercially sensitive information.

It’s important that the type of vetting you are thinking of doing is proportionate to an identified risk, and a targeted way of achieving your objective. Therefore, you must ensure that it’s justified in the circumstances and there are no less intrusive alternatives. You should not routinely vet all candidates, unless you are legally required to do so.

Example

A company wants to recruit a director. It decides to perform a bankruptcy search on the successful candidate. However, it’s not necessary to carry out these checks on all candidates.

What do we need to tell candidates about pre-employment vetting?

You must inform candidates if you intend to use pre-employment vetting as part of your recruitment process. This is part of your transparency obligations and you should include an explanation of:

  • what information you need for the vetting;
  • why you need to carry out pre-employment vetting;
  • who will have access to the information;
  • the processes you will use;
  • how long you will keep the information; and
  • where possible, the third party sources you will rely on.

Depending on the circumstances, you could also inform candidates at what stage in the process you will assess the information.

How can we decide what information to obtain for pre-employment vetting?

Recruiting for certain roles may allow you to carry out more intrusive checks. You may wish to consider any relevant legislation to help you decide what level of checks is justified for the role. This may also help you decide at what stage in the process to carry out pre-employment vetting. For example, you may be legally required to vet candidates at the shortlisting stage for some roles that involve working with children.

You must only collect the minimum amount of information that you need. If you are requesting information from third parties, you should clearly explain what you need and why. Organisations need to understand why you are asking for this information so that they may make an informed choice about whether they can provide it or not. If there is a legal obligation, you should reference the specific provision you are relying on.

You must not make wide-ranging or vague requests to organisations, or ask organisations for more information than you require. However, you should ask for enough information to be able to understand the context and circumstances. For example:

  • asking whether someone has a criminal conviction for a violent offence and receiving a yes or no answer is unlikely to be helpful; or
  • if you’re asking about spent convictions, it’s important to know what age the person was at the time the offence was committed, as this is likely to have a bearing on the relevance of the information.

You may also wish to consider other laws or relevant sectoral guidelines. You may wish to seek independent legal advice, or contact your other regulators for further details.

Can we obtain information about criminal convictions?

If the nature of the role means you need to ask about criminal convictions, you should determine what level of checks is required. In many circumstances, you can ask candidates to make a self-declaration about their criminal record, or you can perform these checks, provided that you get the candidate’s consent first. This applies to any criminal convictions, alleged offences, or information that confirms that a candidate does not have any convictions.

The process differs across the UK and depends on where the job is based:

  • for England and Wales, use the Disclosure and Barring Service (DBS);
  • for Northern Ireland, use AccessNI; and
  • for Scotland, use Disclosure Scotland.


Some roles may require more in-depth checks, and it’s important that you comply with other legislation and guidance in this area. You must tell candidates what level of checks is required and how you will carry these out at the beginning of the process. Because of the sensitivity of this type of information, in most circumstances the processing of criminal offence information for vetting will be high risk. Remember that you must carry out a data protection impact assessment (DPIA) in these circumstances.

In general, it’s likely that you will only require information about unspent convictions, although for some roles you may also need to obtain information about spent convictions.

As far as possible, you:

  • must only obtain criminal records disclosure of the person you intend to appoint; and
  • should ensure that you do not share the information you obtain with other third parties (eg other employers).

To process criminal conviction information as an employer or recruiter, you must have a lawful basis and either:

  • official authority; or
  • legal authority.

Only organisations that perform public functions and exercise powers established by law can rely on official authority. Therefore, if you do not have official authority, you must meet a specific condition under Schedule 1 of the DPA 2018. The following are likely to be most relevant:

  • the processing is necessary in order to comply with employment law obligations. For example, you are legally required to vet candidates for particular roles for safeguarding purposes, or to comply with Financial Conduct Authority conduct rules; or
  • the processing meets one of the substantial public interest conditions set out in the DPA 2018. For example, safeguarding of children and of people at risk, preventing or detecting unlawful acts, or preventing fraud.

You must not mislead a person or organisation into giving you information about a candidate (either recklessly or deliberately) for recruitment purposes, as this is a criminal offence.

You must not obtain information about criminal convictions by forcing a candidate to make a subject access request (SAR) to any organisation, including the DBS, AccessNI, and Disclosure Scotland.

Can we ask if the candidate has been excluded or disciplined by a professional membership body?

Professional membership bodies exist to uphold ethical and professional standards and rules in specific professions. Regulatory bodies may take disciplinary action against their members and apply various sanctions. For example, they may restrict a person’s professional ability to practise.

You might consider it to be necessary and proportionate to enquire whether a candidate has been excluded by, or subjected to disciplinary action by, a professional membership body, if this is relevant to the job role. This may be relevant for some regulated professions (eg solicitors and accountants).

However, if you require information about spent or unspent convictions, refer to the relevant statutory framework instead (DBS, AccessNI or Disclosure Scotland).

If a candidate has been excluded from a membership body, you can assess this information on a case-by-case basis to decide how this impacts the job role you are recruiting for. You can refer to professional codes of conduct or other relevant legislation in making your decision about the candidate.

What can we do if our checks are not consistent with the information provided by the candidate?

If some of your checks produce discrepancies between the information provided by the candidate and your own findings, you should:

  • have a policy which sets out a transparent process to follow in these circumstances;
  • give the candidate an opportunity to explain these discrepancies to you;
  • ensure that the candidate’s explanation or comments are considered in your decision-making process;
  • ensure that staff who are involved in verification and vetting are trained on the correct process to follow, including how to inform candidates and give them an opportunity to comment or explain anything you have concerns about; and
  • keep records of your decisions.

You cannot assume that the candidate is being untruthful. Where the facts are unclear, you should make a reasonable decision based on the factual evidence, taking into account the nature of the information and associated risks.

Can we use social media for vetting purposes?

If you want to check the candidate’s public social media profiles as part of your pre-employment vetting, you must be able to justify why this is necessary. This means you should identify and document a specific risk. However, in doing these checks, you are also likely to find information that is not relevant to the role. It’s important that you carry out these checks fairly.

As your vetting processes must be transparent, you must inform candidates if you intend to use social media. The staff members who research the candidate’s social media profiles should not also make the recruitment decisions about them.

Example

A care home is recruiting carers to look after elderly people. It informs candidates that it will check the successful candidate’s public social media profiles for any behaviour or conduct which may mean they would be unsuitable to work with people who need care and support. The care home believes it has a duty of care to check public sources of information about staff it appoints for this particular role, and it has clearly identified the risk and documented its reasons for carrying out these checks.

As social media checks are likely to reveal irrelevant personal information about the candidate, the organisation asks one member of staff to do the social media checks, and screen the information for relevancy against the specified interview criteria. This member of staff passes only the relevant information to the recruitment panel.

It’s unlikely to be lawful, appropriate or necessary to conduct intrusive or targeted checks of candidates on social media or online (eg by using specialist software to check information that is not publicly available).

Remember that information you find online may not be accurate or properly reflect whether the candidate is suitable for the role. It is unlikely to be fair and lawful to make a decision about the candidate based on this information alone. You should give the candidate an opportunity to provide further information or comment on the accuracy of the information you have obtained. This allows you to make a fully informed and defensible decision and ensures that you are using the information in a transparent way.

Can we perform a credit check on a candidate before we employ them?

You may wish to undertake a credit reference check on a candidate, where this is relevant to the role you are recruiting for. You must not carry out credit reference checks routinely or without justification.

You must be able to justify why collecting credit information is necessary for the role. You must also inform candidates as early as possible in the recruitment process what information you require, and what methods you will use to carry out such checks.

How long can we keep information collected for vetting purposes?

If you collect personal information as a condition for appointing someone, you must not retain it for longer than is necessary. This will often mean that you should securely and permanently destroy personal information obtained for vetting purposes once the recruitment process has taken place. However, you could keep a record of the outcome and your decision.

As information obtained for vetting purposes is particularly intrusive and sensitive, you must securely and permanently destroy it as soon as it is reasonably practicable to do so. This includes any information you’ve collected from third parties or through your own research (eg manual checks of the candidate’s public social media profiles). You should address this in your retention and disposal policy.