Recruitment agencies: staying compliant when running candidate background checks
Background checks on job candidates involve multiple third-party data sources. Here is how recruitment agencies can meet their IPP3A obligations.
Recruitment agencies routinely run background checks on candidates — credit checks, identity verification, qualification verification, criminal history checks, and social media screening. Each of these involves collecting personal information from third-party sources.
The consent question
Most recruitment agencies include a background check consent clause in their candidate registration form. However, the Privacy Act requires that the consent or notification is specific to the data sources being accessed and the type of information being collected.
A generic "you consent to background checks" clause may not be sufficient — particularly for more intrusive checks like credit reporting and criminal history.
Best practice for recruiters
- Specific consent. List the exact data sources you will access (e.g., Centrix credit check, Ministry of Justice criminal records).
- Proportionate checking. Only run checks that are relevant to the role. A credit check for a warehouse position may not be proportionate.
- Record the pathway. For each check on each candidate, record whether you relied on written consent, verbal consent, notification, or an exception.
- Notify unsuccessful candidates. If you ran checks on candidates who were not placed, they still have a right to know about the data collection.
Using DEIS
DEIS allows recruitment agencies to run multiple checks per candidate and record the IPP3A pathway for each one. The evidence trail covers both successful and unsuccessful candidates, ensuring full compliance.