Can I carry out a security screening process on new hires? What are the legal considerations in carrying out various checks on prospective employees?

Jennifer O'Sullivan writes:

The key piece of legislation which impacts on the area of security screening is the Data Protection Acts 1988 – 2003 which impose duties on employers in relation to the information that they gather, retain and use in relation to employees and perspective employees. There are eight data protection principles forming the responsibilities of a data controller (i.e. the employer) and these rules impact in the manner in which an organisation is entitled to obtain and use information in relation to individuals. The area of employee security screening is subject to these rules.

There is minimal guidance in the legislation and from the Office of the Data Protection Commissioner in relation to employee security screening. There is a specific process for Garda Vetting in certain sectors only, for example HSE staff and those where work involves access to children and vulnerable adults. Garda Vetting does not take place in relation to other organisations as a matter of routine.

Information obtained from security screening constitutes the personal data of employees and prospective employees. It is important to note that under the Data Protection Acts, information about the commission or the alleged commission of a criminal offence by an individual falls within the definition of “sensitive personal data”. There are increased obligations on an employer in relation to how they deal with “sensitive personal data”. Explicit consent must be obtained from an employee as to the manner in which their information will be obtained and used by their employer.

The Office of the Data Protection Commissioner has not prohibited background checks on potential employees however any such check will be required to comply with the principles of data protection legislation. The key to compliance is to clearly inform the potential or existing employee of the exact details of any potential checks that may be undertaken and to seek their specific consent to the checks being carried out.

The following are a number of considerations that should be taken into account by an employer pursuant to their obligations under the Data Protection Acts:


1. Are each of the security checks being carried out absolutely necessary?

Pre employment vetting should only be used where there are particular and significant risks involved to the employer, their customers or others and, importantly, where there are no less intrusive or reasonably practicable alternative ways to obtain the information. An employer must be satisfied that each area of the security check is reasonable and necessary to ensure that the employees can carry out their job.

An employer should consider whether it is absolutely necessary that all jobs are subject to security clearance or whether it would be more appropriate to limit checks to certain roles in particular positions of trust and confidence.

Data obtained in relation to an individual cannot be excessive or irrelevant. Therefore, an employer must be in a position to show that each category being checked under the security screening measure is fully necessary for the particular role that the individual being screened carries out and that it is not excessive for that purpose.

An employer should give consideration as to whether any less obtrusive measures can be used to verify candidate information i.e. requesting candidates to provide original or certified copies of their academic or other qualifications. Wherever practicable, candidates should be asked to provide information in the first instance which is then verified as opposed to using a broad vetting procedure to gather general information.


2. Are candidates aware of a Security Screening Protocol?

An employer must be transparent with individuals as to how it carries out its security screening process. Employees should be provided with;

- details of the exact checks to be carried out,

- the reasons as to why each individual check is necessary for their particular role and for the employer’s business,

- how the information will be stored, retained and used by the organisation and,

- the consequences of a failure to meet any aspect of the security screening process.

The above information could be built into a consent form as part of the recruitment process which provides the employee’s consent to the security screening being carried out.


3. Is there a data processing agreement in place with a third party provider if they are carrying out security checks on behalf of an employer?

An employer must ensure that any organisation carrying out the security screening process is subject to a contract that contain appropriate provisions in relation to the processing being carried out on the employer. The organisation carrying out security checks on behalf of the employer must be contractually obliged to put in place a certain requisite level of security and to ensure that they will only obtain and process data and sensitive personal data in accordance with the Data Protection Acts.


4. Does the Contract of Employment reflect the necessity to satisfactorily pass security checks

The purpose for which the information will be used and the consequence of a failure to pass a security check must be made clear to prospective employees. An employer could contractually provide that it is a precondition to employment that employees successfully pass the security screening process and that failure to do so may lead to termination of employment.


5. Limit Access to Security Screening Information

Only designated individuals within the employer organisation that have a legitimate need to examine the security clearance information should be granted access. In particular, any information regarding criminal convictions constitutes sensitive personal data and should not be disclosed inappropriately.


6. Put Appropriate Security Measures in Place

Information must be held securely by the employer and should not be capable to be interfered with or accessed by unauthorised individuals. Appropriate password protection and other security measures must be put in place.


7. Do not Retain Security Clearance Information for an Excessive Period

The information retained as a result of the security screening process should be held for an appropriate retention period. The Office of the Data Protection Commissioner has published guidelines in relation to Garda vetting and these state that long term retention of vetting disclosures increases the potential for unauthorised access and use. Accordingly, the Office of the Data Protection Commission has recommended that vetting disclosures should be routinely deleted one year after they are received except in exceptional circumstances. This retention period may be appropriate to apply to security screening where the purpose of this is to establish a particular point in time that the individual has been cleared for employment.