Designing your workforce screening program

Author: Paul Curwell

Executive Summary

Workforce Screening is an important function for any business today; however, it cannot be developed on the fly and needs to properly balance the organisation’s risk and regulatory obligations against an employee’s right to privacy and the cost and operational burden created by the screening program itself. Workforce Screening should form part of a well-governed, risk-based program managed by HR and Security / Integrity comprising a range of policies, a personnel security risk assessment, and associated guidance to enable effective implementation. This article provides an overview of the key considerations when designing any workforce screening program in Australia.

What is Workforce Screening?

The practice of Workforce Screening goes by many names – vetting, background checks – all of which are the same thing. In Australia, the term Employment Screening has been used since at least 2006 with the introduction of Australian Standard AS4811:2006. However, this standard was recently updated and republished as AS4811:2022 Workforce Screening.

A Workforce Screening Program comprises the specific checks performed on each employee or contractor to determine initial and ongoing suitability for employment and the associated processes and records to manage those checks. In many organisations there are a few key artefacts which comprise any Workforce Screening Program:

  • Employment Policies
  • Corporate Security and Integrity frameworks and associated programs
  • Workforce Screening Guideline

The Workforce Screening Guideline (or Standard) details what identity verification, security and character checks are required for employees, contractors, or consultants as a condition of employment and under what circumstances these checks will be performed, such as the risk posed by an employee’s role. The relationship between these documents, and how they are created, is outlined below:

Graphic illustrating the various inputs to the Workforce Screening Program and the supporting Guideline and SOPs.

In our book Terrorist Diversion, Oliver May and I provide a detailed process map and overview of all forms of vetting, including insiders and suppliers.

When should workforce screening be performed?

Typically, workforce screening is performed periodically with four triggers:

  1. During recruitment – ideally prior to the letter of offer being issued; and,
  2. Periodically throughout employment; and,
  3. In response to an incident; and,
  4. Upon resignation – particularly important for employees involved in creating Intellectual Property or where potential Conflicts of Interest may arise post-separation.

Workforce Screening is different to Insider Threat Detection. Whilst there is a relationship between the two functions, screening is holistically focused on who the individual is (taking into account the ‘whole person’) whilst insider threat detection is focused on what the individual does once they enter the organisation. One is not a substitute for the other: they are different controls.

Screening is a legal requirement for some industries

Workforce Screening is a mandatory obligation in Australia for many regulated industries under a variety of legislation, including:

  • Financial Services – Anti-Money Laundering and Counter Terrorist Financing Act 2006 and Rules
  • Aviation – Aviation Transport Security Act 2004 and Regulations
  • Ports, Maritime and Offshore Oil and Gas Platforms – Maritime Transport and Offshore Facilities Act 2003 and Regulations
  • Commonwealth Public Service – Public Service Act 1999, Subsection 22(6) Security and Character Checks
  • Australia’s 11 declared Critical Infrastructure sectors – Security of Critical Infrastructure Act 2018 and Rules

What checks are typically performed in workforce screening?

There is a standard menu of checks which are performed across public and private sectors in Australia, including:

  • Identity verification
  • Citizenship and / or work rights
  • Credit rating and bankruptcy status
  • Education and occupational licences / trade certificates
  • Criminal history (National Police Check)
  • Sanctions and Adverse Media
  • Psychometric testing (in accordance with applicable employment policies)
  • Litigation history
  • Regulatory Actions pertaining to their profession
  • Internal employer database and record checks (for ongoing employees)
  • Candidate interview
  • Referee interviews

More intrusive checks permissible in Australia under certain circumstances include:

Not everyone will pass workforce screening, potentially including ongoing employees. There are a number of considerations associated with any workforce screening adjudication process which will be addressed in a future article.

Example of an educational qualification

What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Selecting which specific background checks to perform in your employment process should not be determined by way of a ‘lucky dip’. Many organisations require a ‘background check’ as a condition of employment, but fail to articulate why each check is necessary – such as where credit scores are used as a proxy for character tests.

Rather than ad hoc approaches, organisations need traceability from a regulatory obligation, personnel security risk, policy or similar instrument which establishes the risk and outlines how performing the respective background check will mitigate this risk. To provide this traceability, the Register of High Risk Roles informs the Personnel Security Risk Assessment (PSRA), and the PSRA informs the design and implementation of the Workforce Screening Program as well as the Insider Risk Management Program.

The Register of High Risk Roles identifies:

  • Which positions pose a greater trusted insider risk due to a variety of factors, and therefore,
  • Which position numbers are most likely to require additional vetting and insider risk monitoring to mitigate inherent risks.

The PSRA identifies:

  • The specific trusted insider risks faced by an organisation and where these may arise by team, function, business line etc; and,
  • Suitable internal controls to manage the organisation’s inherent risk exposure (including that arising from High Risk Roles) to within risk appetite.

Cost and privacy are two important factors that also need to be considered: As with any security decision, there are tradeoffs. Workforce Screening is intrusive, expensive and has an operational impact, often delaying the commencement of new hires as well as reducing the total pool of candidates. The need for screening should be balanced against the PSRA to guide employers on what to check when, and why.
