Pre-employment screening explained
Right to Work, DBS, BS7858, credit checks, references — and the modern OSINT layer. A practical guide for hiring teams building a screening programme.
UK pre-employment screening rests on six core components: Right to Work verification (statutory under the Immigration Act 2014), DBS checks at the appropriate tier (Basic, Standard, or Enhanced), employment-reference verification, qualification verification, credit checks for regulated roles, and BS7858:2019 where security screening applies. The depth of checks should scale with the risk tier of the role — a graduate hire needs less than a SMCR-regulated finance hire needs less than a security-cleared contractor. Modern screening programmes increasingly add a digital OSINT layer — identity consistency, social-media verification, undisclosed directorships — to catch what statutory and documentary checks don’t surface. Major UK providers include Accurate Background, Sterling Check, Know Your Candidate, uCheck, and HireRight. Compliance sits under UK GDPR, the Equality Act 2010, and DBS filtering rules.
The six core pre-employment checks
A UK screening programme selects from these six. Which ones you need depends on the risk tier of the role — an Enhanced DBS for a grad admin role is disproportionate, while a senior finance hire without a credit check is underweight.
Right to Work verification
Statutory under the Immigration Act 2014. Employers must verify that the candidate has a legal right to work in the UK, either through prescribed document checks or via Home Office-accredited Identity Document Validation Technology (IDVT) services for UK and Irish citizens. Civil penalties for non-compliance can run to £60,000 per illegal worker.
DBS check (at the appropriate tier)
The UK Disclosure and Barring Service offers three tiers. Basic DBS is available to any role and returns unspent convictions only. Standard DBS shows spent and unspent convictions for eligible roles. Enhanced DBS adds police intelligence and, for child-facing or vulnerable-adult roles, barred-list checks.
Employment reference verification
Direct confirmation with previous employers of employment dates, job title, and reason for leaving. The standard output of a reference in the UK is limited to factual verification — employers are typically cautious about volunteering opinion for legal reasons.
Qualification verification
For roles requiring specific degrees, professional accreditations, or regulated qualifications. Verified directly with issuing institutions or registered bodies. Essential for regulated professions (law, accountancy, medicine, engineering).
Credit check (regulated roles)
For roles with financial authority — typically financial services, senior management under SMCR, or where bonding is required. Runs against a credit reference agency with FCA oversight.
BS7858:2019 security screening
The British Standard for security screening of personnel in secure environments — SIA-licensed roles, data-centre staff, or contractors with access to regulated information. Specifies a documentary and reference-gathering process covering a five-year employment history.
Matching checks to role risk
Four tiers of risk, four different screening depth levels. Proportionate screening is both sensible and an explicit UK GDPR requirement — over-screening creates compliance risk, under-screening creates operational risk.
Low-risk roles
Example: Graduate hire into general business role, non-regulated, no access to sensitive systems or vulnerable groups
- Right to Work
- Basic DBS (optional)
- Employment reference verification
- Qualification check (if role-critical)
Medium-risk roles
Example: Mid-level roles with commercial access, customer data handling, or financial authority under £50k
- Right to Work
- Standard DBS
- Employment references (previous 3-5 years)
- Qualification verification
- Credit check (role-dependent)
- Digital OSINT layer
High-risk regulated roles
Example: SMCR-regulated finance roles, senior professional-services hires, legal or medical
- Right to Work
- Enhanced DBS where eligible
- Full employment history verification
- Qualification + professional registration check
- Credit check
- Sanctions screening
- BS7858 where applicable
- Full OSINT background
Security-cleared roles
Example: Defence, government, SIA-licensed security, data-centre access, critical national infrastructure
- Right to Work
- Enhanced DBS
- BS7858:2019 or BPSS equivalent
- Five-year employment history
- Credit check
- Character references
- Security vetting (SC/DV) where required
- Comprehensive digital OSINT
The main UK screening providers
The UK market spans enterprise-scale incumbents to SME-focused platforms. Most HR teams standardise on one or two.
Accurate Background
Enterprise screening platform with UK operations. Covers full compliance suite including BS7858.
Sterling Check (UK)
Previously First Advantage UK. Established enterprise provider of DBS, Right to Work, and international background checks.
Know Your Candidate
UK-focused SME screening service — pay-as-you-go, DBS + credit + employment, no long-term contracts.
uCheck
Online DBS processing and employment screening, accessible to smaller employers.
HireRight
Global screening provider with strong UK presence. Common at international and enterprise scale.
BLACKEYES (OSINT layer)
Email-input OSINT investigation to complement statutory and documentary checks. Runs alongside any of the above providers — not a replacement.
What goes beyond statutory screening
The six core checks handle statutory and documentary requirements. They don’t answer the question any modern hiring team asks: is this person who they claim to be, consistent across everything public about them? That’s where a digital OSINT layer fits.
Identity consistency
Does the candidate’s digital identity match what’s on paper? Name, aliases, previous employers, location history — all verifiable through OSINT, none confirmed by a DBS check.
Undisclosed directorships or commercial interests
A Companies House search can reveal side businesses, dissolved companies, or directorship conflicts the candidate hasn’t mentioned. Material in regulated or senior roles.
Social-media consistency
Public social presence often contradicts a candidate’s stated history. An OSINT check flags the inconsistency before interview — or before the offer.
Breach exposure
Whether the candidate’s credentials circulate in breach dumps. Relevant for security-sensitive roles where the candidate’s own operational security matters.
Reputational signals
Publicly disclosed conduct, professional disputes, or reputational history a DBS check won’t surface. Especially relevant for public-facing or executive-level hires.
The legal framework
Pre-employment screening touches UK GDPR, the Equality Act 2010, DBS filtering rules, and role-specific regulatory regimes. Six points every HR team should have mapped.
UK GDPR lawful basis
Pre-employment screening is typically lawful under legitimate interest or contract-performance basis. Document which applies, and state it in the candidate privacy notice.
Data minimisation
Only run the checks proportionate to the role. An Enhanced DBS for a graduate admin position is disproportionate; an OSINT layer for a SMCR-regulated hire is not.
Equality Act 2010
Screening must not produce discriminatory outcomes across protected characteristics. Apply checks consistently, and document the decision rationale where adverse findings influence an outcome.
DBS filtering rules
Certain convictions and cautions become “filtered” after defined periods and must not be taken into account. Your decision-making process needs to reflect the rules — relying on filtered information is unlawful.
Retention and deletion
Screening data is typically retained for the duration of employment plus a defined period, then deleted. Document the retention rule and have a process for action on Subject Access Requests.
Candidate rights
Candidates have access, rectification, and erasure rights under UK GDPR. Adverse findings that influence a decision trigger a duty to provide the basis of the decision if the candidate asks.
This is an overview, not legal advice. For formal screening programmes — regulated sectors, enterprise scale, or security-cleared environments — consult your employment-law counsel and DPO on the specific framework that applies.
Frequently asked questions
How long does a pre-employment screening pack take?
Basic Right to Work and Basic DBS complete within days. Standard DBS is typically 2-10 working days. Enhanced DBS can take 2-8 weeks depending on local police force response time. BS7858 adds 3-5 years of employment history verification which is often the slowest component. Most enterprise screening packs complete end-to-end within 2-3 weeks. An OSINT layer runs in parallel and completes in around 15 minutes.
Is DBS the same as CRB?
DBS replaced CRB (Criminal Records Bureau) in 2012 when it merged with the Independent Safeguarding Authority. The terms are still used interchangeably in some industries, but DBS is the current and correct name. Legacy CRB certificates are no longer valid for new checks.
Can I do a DBS check myself?
Individuals can apply for a Basic DBS directly. Standard and Enhanced DBS checks can only be applied for by an employer or a DBS-registered umbrella body — not by the individual themselves. For an employer without DBS registration, an umbrella body like uCheck, Access Group, or Sterling handles the application.
Is BS7858 the same as SC clearance?
No. BS7858 is a British Standard maintained by BSI for background screening in secure environments. SC (Security Check) is a government security vetting level administered by UKSV, going considerably deeper than BS7858 — criminal record, financial records, personal history checks, and referee interviews. BS7858 precedes SC for some roles but doesn’t replace it.
Do employers have to disclose what checks they’re running?
Yes, under UK GDPR. The candidate privacy notice should set out what categories of personal data are processed during recruitment, for what purposes, on what lawful basis, and for how long. Candidates have a right to this information.
What happens if a check reveals something adverse?
Your decision process should be consistent, documented, and proportionate to the role. Certain old or filtered convictions cannot lawfully be taken into account. For material adverse findings, offer the candidate an opportunity to respond before the decision is finalised — this is good practice and supports defensibility if the decision is later challenged.
Add a digital OSINT layer to your screening
One email. Fifteen minutes. A source-cited digital identity check that runs alongside every DBS and Right to Work verification.
Reports are tools, not conclusive judgements — verify material findings before reliance. See the FAQ