Detailing the checks that are carried out prior to employment

Policy statement

This control procedure defines our approach to the vetting of employees and their continued information security responsibilities, and directly supports the following policy statement from the information security policy:

“The University’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff, and poor and inappropriate behaviour will be addressed.”

“Where practical, security responsibilities will be included in role descriptions, person specifications and personal development plans.”

Audience

This procedure is intended to be read and understood by all employees and contractors. It is of particular relevance to Human Resources staff and recruiting managers.

Control statements

Employees, contractors and third-party users must understand their responsibilities in respect of university information, and checks should be conducted to ensure they are suitable for the roles they are considered for, prior to being granted any access to university systems or information.

Screening

Background verification checks on all candidates for employment, contractors, and third-party users should be carried out by human resources. Checks will be proportionate to the business requirements, the classification of the information to be accessed, and any perceived risks.

The process for conducting verification checks and subsequent offers of employment is documented in the university’s recruitment and selection policy.

Candidate data that is collected as part of the university’s recruitment process will be handled in accordance with human resources policies and procedures.

Third party requirements for screening

Occasionally a third party will request additional screening of a university employee in order to grant access to information, for example where a research project is using HMG information. Such requests will be considered on a case-by-case basis by the legal and human resources teams.

Terms and conditions of employment

As part of their contractual obligation, users must agree to and sign their offer letter and contractual terms and conditions. Employment contracts will state employee obligations and responsibilities for complying with university policies and procedures including those associated with information security.

Employee contracts contain a confidentiality statement outlining that as part of the offer of employment, individuals understand the confidential nature of the information they access, that they will not use the information for unauthorised purposes and that they will return or destroy any information or assets when their employment terminates.

Compliance

Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or, where personal development can promote improvement, its performance improvement procedure.

Compliance checks will be undertaken by the university’s information governance functions. The Information Governance Board will manage the results of compliance checks, their risk assessment, and their remediation.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.

Review

The information security team will undertake a review of this policy annually, or more frequently as required, with approval by the Information Governance Board.

Version: 3.2
Release date: 08/02/2023
Review date: 03/01/2024