Personnel Screening Policy

Our team is the backbone of Vaxa, and we need to make sure we do our due diligence when it comes to hiring new team members. This policy outlines the guidelines and procedures for employment screening at Vaxa.

Purpose

The purpose of this policy is to establish comprehensive guidelines and procedures for employment screening in accordance with AS 4811:2022.

This policy aims to ensure that all potential and existing employees, contractors, and volunteers are appropriately screened and monitored based on their level of access to sensitive information or their position within the organisation. It is designed to mitigate risks such as fraud, theft, or reputational damage while promoting a fair and transparent process across all levels of employment.

Scope

This policy applies to all potential and current employees of the organisation, including full-time, part-time, and temporary staff, as well as contractors and volunteers. It also extends to ongoing employment screening, periodic re-screening, and continuous monitoring of current employees, particularly those in sensitive positions.

Additionally, it applies to external contractors in certain circumstances.

Roles & Responsibilities

The person undertaking the employment administrative tasks is responsible for ensuring that all potential employees undergo the appropriate screening checks in accordance with this policy.

Policy

Screening levels

Potential and current employees, contractors, and volunteers each bring a different level of risk. Our risk-based approach classifies employees into four levels, which in turn determine the appropriate level of screening, vetting, and due diligence.

These levels are:

  • Level 4 - Executive: This level is for employees who hold executive positions within the organisation, such as CEOs, directors, and other senior leaders who have a significant impact on the direction and management of the organisation.
  • Level 3 - Sensitive Access: This level applies to employees who require access to sensitive information, financial data, or other privileged information. This includes employees with company credit cards, access to financial systems, or those who could cause significant public-facing damage due to their level of access or position (e.g., spokespersons, technical roles, or work on sensitive contracts).
  • Level 2 - Standard: This level is for all other employees who do not fall under Level 3 or Level 4.
  • Level 1 - Restricted Access Contractors: This level is for contractors with limited access to systems (e.g., only email) but who nonetheless have some level of access. Full-time or part-time contractors with broader access fall into Level 2 or above. Level 1 is usually only suitable for short-term or transient employees.

Records of employment screening checks

Records of all employment screening checks must be kept for five years from the date of the last action taken on the records. Records shall be securely disposed of after this time.

This applies to both potential and current employees, including any re-screening checks conducted during ongoing employment. The organisation shall ensure compliance with data privacy laws and secure storage practices for these records.

Undertaking of screening

Screening checks shall be conducted using an approved third-party supplier. Where possible, the organisation shall not store personal information of potential or current employees, in line with the organisation’s information security management policies. Instead, the organisation will store only the outcome of the screening provided by the third-party supplier.

Offers of employment (or in the case of a contractor, engagement) shall:

  • Be contingent on successful completion of screening checks; or
  • Not be issued prior to the successful completion of screening checks.

Candidates must be informed of the screening process and the types of checks that will be conducted as part of the job offer process. This ensures transparency and allows candidates to provide accurate and complete information, facilitating a smooth and efficient screening process.

Mandatory screening checks

The following screening checks shall be conducted for all potential and current employees (Level 2, Level 3, and Level 4) prior to employment or as part of ongoing employment monitoring:

  • Identity check requiring 100 points of ID: All potential and current employees must provide identification that meets the 100 points of ID requirements (e.g., passport, driver’s licence, birth certificate).
  • Eligibility to work in Australia: All potential and current employees must provide evidence of their eligibility to work in Australia.
  • Address history checks for a minimum of five years: Potential and current employees must provide their address history for the past five years, verified through a screening check. Address history will be cross-referenced against sensitive countries that may pose a risk to the employee or organisation.
  • Character reference checks: Two character references will be obtained and verified for all potential and current employees.
  • National police check not exceeding one year: A national police check, no older than one year, must be conducted for all potential and current employees.
  • Verification of declared experience and qualifications: All declared experience and qualifications must be verified through appropriate screening checks.
  • Social media assessment: A social media assessment will be conducted for all potential and current employees.
  • Referee checks: Referee checks will be conducted for all potential and current employees.

Ongoing employment screening and re-screening

Periodic re-screening of current employees, particularly those in Level 3 and Level 4 positions, is required to ensure continued suitability for their roles. This includes re-screening at intervals determined by the organisation based on the risk profile of the position.

Additional screening checks

The following additional screening checks may be conducted depending on the assessed screening level:

  • Australian Securities and Investments Commission (ASIC) check: ASIC Banned & Disqualified Persons, Enforceable Undertakings Register, and Australian Directorships checks will be conducted for Level 4 potential and current employees.
  • Employment history checks, including Defence-related work: Employment history checks, including any Defence-related work history, will be conducted for all potential and current employees to verify information provided in resumes.
  • Credit check: A basic public record credit check will be conducted for Level 4 potential and current employees and any Level 3 employees involved in the organisation’s financial dealings.
  • Professional membership and education verification: Where employment is predicated on professional membership or education (e.g., tertiary degree), the existence and validity of the membership and/or education must be verified directly with the relevant body.

Cultural and diversity considerations

The organisation is committed to ensuring that the employment screening process is conducted in a manner that is respectful and inclusive of all cultural, religious, and personal backgrounds. The following considerations must be taken into account:

  • Respect for cultural differences: Screeners must be sensitive to cultural variations in naming conventions, documentation, and personal histories. For example, the identity verification process should account for differences in the types of identification documents that are commonly used or accepted in different cultures.
  • Non-discrimination: All screening processes must be conducted in a non-discriminatory manner, ensuring that no potential or current employee is treated unfairly or differently based on their race, ethnicity, religion, gender, sexual orientation, disability, or any other protected characteristic.
  • Language barriers: Where necessary, the organisation will provide translation or interpretation services to ensure that all potential and current employees fully understand the screening process and can provide accurate information.
  • Religious sensitivities: The organisation will accommodate religious practices and observances during the screening process, such as respecting religious attire in photographs or conducting interviews in a manner that aligns with religious customs.
  • Inclusive practices: The screening process should be designed to include, rather than exclude, individuals from diverse backgrounds. This includes recognising qualifications and experiences from different countries and adapting the screening process to fairly evaluate such credentials.

See also our Environmental and Cultural Heritage Policy.

Management of screening vendors

Vaxa recognises the importance of maintaining strong, transparent relationships with the third-party suppliers we use to conduct employment screening checks.

These vendors, like all Vaxa vendors, are subject to our Supplier Security Policy and shall be assessed under that policy.

These vendors should also be subject to the following additional requirements:

  • Selection criteria: Vendors chosen to conduct employment screening must demonstrate their ability to comply with AS 4811:2022, relevant legal requirements, and the organisation’s internal policies. They should also provide evidence of their expertise, reliability, and commitment to data security.
  • Contractual obligations: All third-party suppliers should enter into a formal agreement with the organisation that outlines their responsibilities, the scope of services, confidentiality requirements, and the standards they are expected to meet. The agreement should also include provisions for regular audits and performance reviews.
  • Data security and privacy: Vendors should adhere to strict data security protocols to protect the personal information of potential and current employees. This includes ensuring that data is stored securely, access is restricted to authorised personnel only, and data is processed in compliance with relevant privacy laws.
  • Performance monitoring: Vaxa should regularly monitor the performance of third-party suppliers to ensure that they are meeting agreed-upon standards. This may include periodic reviews of screening outcomes, timeliness of service, and compliance with contractual obligations.
  • Continuous improvement: Vaxa should work collaboratively with third-party suppliers to continuously improve the screening process. This may involve providing feedback, sharing best practices, and updating screening criteria as new risks or regulatory requirements emerge.
  • Termination of services: If a vendor fails to meet Vaxa’s standards or breaches the terms of the contract, Vaxa should reserve the right to terminate the relationship and seek an alternative supplier. Termination procedures should be clearly outlined in the contract, along with any associated penalties or remedies.

Compliance and Monitoring

Any violation of this policy may result in disciplinary action, up to and including termination of employment.

For all personnel, the Information Security Group shall be responsible for monitoring compliance with this policy.

For personnel in scope of DISP, the DISP Security Officer shall also be responsible for monitoring compliance with this policy.

  • AS 4811:2022 - Employment Screening: available via Standards Australia here.