IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
February 1, 2011

Nothing found. Please check your show/episode id.

Download

State of Physical Access Trend Report 2024

Employee screening for a secure retail environment

Every day, employees including cashiers and telephone sales operators who work in the retail sector have access to vital customer data such as bank and credit card details.

As a result, many well-known retail chains and telephone sales operations are regularly targeted by organised criminals who attempt to infiltrate their workforce in order to commit fraudulent activity.

In many cases retailers – or indeed their suppliers – have little idea whether or not the employees they’re trusting with confidential customer data have criminal backgrounds.

What, then, should retailers be doing to secure themselves and their customers’ personal data?

Payment Card Industry Data Security Standard

Central to the fight against data fraud is the Payment Card Industry Data Security Standard (PCI DSS), a group of globally agreed principles and accompanying requirements relating to technology security and protecting the details of a card holder.

This comprehensive standard is intended to help organisations proactively protect customer account data, but equally important is the risk posed by the human element in any transaction.

Section 12.7 of the PCI DSS recommends that organisations screen potential employees to minimise the risk of attacks from internal sources.

Performing thorough background investigations on employees who have access to cardholder data reduces the risk of unauthorised use of account numbers by individuals with questionable or even criminal backgrounds.

Every company is expected to have a policy and process for background checks which should include credit checks, employment history verifications, assessment of references and a criminal record check.

Many companies are now beginning to realise the need to perform comprehensive background checks as part of a pre-employment screening process (and increasingly as a retrospective check on existing staff). That’s just as well, as there’s evidence to suggest that as many as one fifth of all 35-year-olds will have some form of criminal conviction as defined by the ‘Standard List Offences’.

Varying degrees of seriousness and relevance

The basic problem employers face is that these offences will vary in their seriousness and relevance.

Less than half a percent (0.4%) of these 35-year-olds would have committed an offence carrying a sentence of more than two-and-a-half years. As a result, these offences would fall under the Rehabilitation of Offenders Act 1974, which means that the offence is considered to be spent (and, under normal circumstances, can be removed from the record with the employee not required to disclose details of the prosecution).

While there are five broad categories of employment exempt from the Act (among them medical practitioners, barristers, accountants, firearms dealers, those working with children and those working in national security), many employees with a criminal history are able to take up roles with access to sensitive consumer data.

However, organisations are unable to obtain a criminal history disclosure without the consent of the employee. Under no circumstances may such a disclosure be obtained covertly.

The disclosure must be obtained from either Disclosure Scotland or the Criminal Records Bureau (CRB) by a registered body, or otherwise through the use of a registered ‘umbrella body’. This leaves many firms with the worrying prospect of hiring employees that may have an increased propensity to commit crime or have links to criminal gangs.

Although new staff can be subject to a criminal history disclosure when a recruiter can demonstrate that this is appropriate, it can prove more sensitive when existing employees are requested to consent to a disclosure and that consent is withheld.

If consent is still withheld then employers will usually need to review the options for alternative equivalent employment outside the sensitive environment. There’s certainly a careful balancing act to be struck between not discriminating against an employee and mitigating any risk to the business.

What happens when evidence of a criminal history has been found?

If the criminal history disclosure search reveals an offence has been committed, employers must give individuals the opportunity to discuss the outcome and provide an explanation.

The employer will need to consider whether or not there had been an admission of any or all offences prior to the official disclosure, and whether this represents a fundamental breakdown of trust.

In addition, the employer must also consider the relevance of the offences to the work performed, and whether there is any significant threat to colleagues or clients as part of their Duty of Care.

Once an employment decision has been made, the Information Commissioner instructs that all details not directly relevant to an employee’s work must be securely destroyed as soon as possible, with only a note made of whether the outcome was satisfactory or unsatisfactory.

Guidance from the CRB

The guidance from the CRB is that a six-month retention period should not normally be exceeded, with Disclosure Scotland prescribing just a three month period.

As a result, criminal history information cannot normally be retained after the completion of the recruitment process. The information cannot be held on file and used as part of late performance reviews, remuneration or any promotion considerations.

While we anticipate the development of more flexible systems from the Home Office in the next few years, the current disclosure process ultimately provides only a snapshot in time and subsequent convictions can easily go untraced unless the disclosure process is repeated.

As a consequence, criminal history disclosures cannot be considered portable for the individual and offered by an employee as evidence of their suitability when moving from one employer to another.

What does thi means in practice, particularly for those employed in regulated professions or industries?

Even if a disclosure has been very recently obtained, a change of workplace will require that the process is repeated all over again. This is particularly relevant in organisations when employees TUPE between employers when the contract for provision of services is transferred between two companies.

What can be done to facilitate the employee screening process?

Speed… Time is of the essence in the recruitment process, so it’s important for recruiters to know that the turnaround times for criminal history disclosures are improving all the while (with both bodies regularly exceeding their performance targets).

Basic disclosures are often available from Disclosure Scotland within a couple of days (100% within two weeks), and the latest CRB reports show almost all (99.8%). Standard disclosures are issued within two weeks and most (95.2%) enhanced disclosures within four weeks of information receipt.

Gaps… As an employer, it’s always worth checking CVs for unexplained gaps of any significant length of time, and asking probing questions about periods of otherwise unexplained overseas travel (as these are the most likely methods of disguising time spent incarcerated overseas that could otherwise pass undetected).

If the explanations are unsatisfactory then further investigations may well be warranted.

There are many other areas of an employee’s background that it may be appropriate to verify subject to consent being sought. Criminal activities are not the only area of their history that a candidate may be tempted to lie about.

Rigorous background checking regularly exposes bogus or exaggerated qualifications, fictitious employment experience and claimed membership of professional bodies from which a candidate has been debarred or expelled: something that a request to view certificates and paperwork will not reveal.

Driving licences are regularly copied, borrowed or simply not updated, meaning that only a check with a DVLA will reliably confirm that a licence covers the specialist vehicles (such as HGVs or forklift trucks) ued in a role and that the licence is currently valid.

Credit checks will yield information about County Court judgments, disqualifications and bankruptcies which can be very relevant for many positions (as well as providing confirmation of residential addresses which can help to confirm identity).

Avoiding the arbitrary

The Information Commissioner’s Office (ICO) warns against reliance on non-verifiable sources and arbitrary checks of an individual’s private life where it does not affect work activity.

For this reason the use of social networking sites in the screening process can be fraught with risk. It’s difficult to establish that the contents are authentic, un-doctored and are actually connected to the candidate and not someone merely sharing the same name.

In 2008, the Criminal Justice and Immigration Act created tough new sanctions for the ICO. This new legislation gave the Commissioner the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

David Smith, the deputy Information Commissioner, has said: “This change in the law sends a very clear signal that data protection must be a priority and that it’s completely unacceptable to be cavalier with personal information. The prospect of substantial fines for deliberate or reckless breaches of the data protection principles will act as a strong deterrent, and help ensure that organisations take their data protection obligations more seriously.”

Employers need to perform a delicate balancing act in order to comply with the requirements of the PCI DSS which, for many organisations, poses a seemingly overwhelming challenge.

As a result, many businesses have hesitated in addressing the critical issue of employee screening and have subsequently suffered from fraud and theft.

Professional screening and vetting service providers

Professional screening and vetting providers can ensure that the appropriate measures are taken in a professional, efficient and cost-effective manner.

Great care should be taken in selecting a reputable service provider given the recent plethora of unregulated organisations that have sprung up without membership of any security association. Such organisations are not subject to any regular external auditing.

In the retail industry, employee turnover is often high, which some firms claim makes adequate screening difficult and not cost-effective.

However, with faster and more cost-effective screening now available, it’s easier for retailers to realise benefits from a risk and compliance standpoint.

Indeed, screening should now be regarded as a critical business process.

Adrian Taylor is managing director of G4S Employment Screening and Vetting

Related Topics

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments