Changes to Staff Security Screening in 2020
On 1st April 2020, the updated British Standard relating to staff security screening BS 7858:2019 (published 30th September 2019) comes into force, bringing a number of significant changes. Now is the time to make sure you are prepared for this new standard.
An important aspect of security and risk management is an effective approach to security screening of new staff, in particular those involved with the security of your people and property and those with access to critical systems and data. The accreditations that many security organisations require will include adherence to effective screening as laid out in BS 7858:2019. Additionally, this updated standard broadens its scope so it can be used as a model for all staff screening, not just within the security sector.
You may have a team within your organisation that carries out screening, or you could use an independent specialist screening organisation. Either way, the security of your organisation and reaching the required accreditation are dependent on you getting it right.
In this transitional period before BS 7858:2019 becomes operational in April 2020, where either standard BS 7858 or BS 7858:2019 can be used, there is time to familiarise yourself with the changes summarised below.
Firstly, it is helpful to note that if you have already satisfactorily screened people under the BS 7858 regime, you do not need to rescreen them when BS 7858:2019 comes into force.
Top management must demonstrate commitment to screening
A significant change in the new standard is that it now places more importance on the role of top management of an organisation, requiring them to demonstrate that they are employing good risk management practices, including their approach to employing people.
Top management must show they understand the parts of their business where risk lies and the roles that are involved with these risks, be they financial, security of data, risk to property or related to people, such as roles with access to vulnerable adults and children.
Commitment to effective screening from the top of the organisation is needed: to ensure the resource and infrastructure are in place; to direct and support the activity required; and to ensure responsibilities are assigned and communicated. To comply with the standard, this applies irrespective of whether screening is outsourced or carried out in-house. In either situation, the organisation employing the individual screened is required to review and sign off the screening file.
Practical Changes to BS 7858:2019 for staff security screening
There are a number of specific changes within BS 7858:2019 that those carrying out screening need to understand:
Character references no longer required
The 2012 standard required a character reference as part of screening. Additionally, under the previous standard, individuals who needed to explain a long period out of work could use a character reference to evidence a valid reason for this period. Character references are now deemed to be too easy to abuse and are no longer required. For absences (more than 31 days and not registered as unemployed), further evidence and checks will be needed, and this is going to be more of a challenge to provide. This is where specialist agencies can sometimes be of help.
Global Watch List Check
As part of screening, checks must be made across a range of lists and databases. Examples include the HM Treasury list of financial sanctions targets in the UK, watch lists, and fraud databases like CIFAS. A comprehensive list is not provided; it is the screening organisation’s responsibility to determine which are the appropriate lists to check against.
The new standard recognises that a lot of documentation is now authenticated by electronic means; “wet signatures” are not always used.
Annual competency review
There is a new requirement for evidence of an annual review of the competency of individuals carrying out screening.
Third requirement added
Currently there are two steps you have to follow before making an offer of conditional employment: completion of the prescribed preliminary checks and satisfactorily completing limited screening. The new standard introduces a third element: you must undertake a risk review and confirm that “the level of risk in the intended employment has been evaluated and is deemed to be acceptable and documented” and therefore you are happy to make the offer based on that and your risk profile.
Where an individual is reviewed and not made a conditional offer, or where employment will not continue after limited screening, organisations are required to retain records on this person for 12 months.
Permission to pass on screening file from one employer to another
With appropriate consent of the employee, employers can pass on their screening files to another employer. However, the new employer is still responsible for making sure screening has been done to the required standard. Both parties are also responsible for ensuring that other legislation, such as data protection, is adhered to.
Open Source / Social Media
The new standard recognises that some organisations may want to carry out open source checks on social media activity. This is an area that needs to be handled with care. Organisations carrying out these kinds of checks need to do them consistently, without discriminating and within data privacy legislation. The guidance for the new standard refers to the Financial Conduct Authority (FCA) Handbook – The Financial Crime Guide for further help. Caution is recommended in this area, as is keeping a watching brief on further guidance to be provided by regulatory bodies.
In just a few months BS 7858:2019 will come into force. Is your organisation ready? Make sure you can answer key questions around screening. Now’s the time to ensure you have the right process, resources and infrastructure in place.
Managing Director, National Security Screening Agency (NSSA)