
Not all that glitters is gold: pre-employment screening
Date: Apr 9, 2025
Author: Christoph Zajic
The Austrian Network and Information System Security Act (NISG) already stipulates this today:
"The operator shall ensure that employees are trustworthy and aware of their responsibilities. The operator shall also ensure that employees are qualified for the roles assigned to them."
The upcoming NIS2 transposition makes this requirement more specific: Annex 3, point 5b, provides for mandatory background checks for security-relevant roles. The internationally recognized ISO 27001 likewise requires, in control A.6.1 (Screening), an appropriate check of every person before they join the organization, proportionate to the business risk, the classification of the information they will access, and within the limits of applicable law and ethical standards.
But what does this mean in practice? How far can you go? And what is allowed at all?
Why background checks are becoming more important
Effective risk management starts with selecting the right people. A study by the Association of Certified Fraud Examiners (ACFE) found that in 85% of internal fraud cases the perpetrators displayed at least one behavioral red flag, warning signs that went unheeded.
Pre-employment screening is a valuable preventive measure, especially for security-relevant positions and high-risk areas of the company. It helps to identify people who may pose a security risk, whether because of falsified qualifications, a criminal record, a history of white-collar crime or extremist ideologies.
What exactly is pre-employment screening?
Pre-employment screening consists of structured background checks carried out as part of the recruitment process. The aim is to identify applicants who could pose a legal, financial or security risk before they are given access.
Depending on the industry and company size, screening can include, for example:
- Verification of CV and references
- Certificate of good conduct / criminal record
- Credit check
- Online presence check
- Validation of academic degrees
- Identity check (especially for remote hires)
In banks and in safety-critical sectors (e.g. energy, aviation), such screening is in some cases required by law (e.g. Section 39 BWG). The type and depth of the screening must in every case be derived from the function and the risk of the specific position, not applied uniformly to all hires.
What is allowed, what is forbidden?
Pre-employment screening is legally possible, but only within strict limits.
Permitted is what serves a legitimate interest of the company, is proportionate, is carried out transparently and with the informed, voluntary consent of the applicant, and stays within the bounds of the GDPR and Section 26 BDSG. In practice this means the depth of the check must follow from the specific position. A credit check on a trainee accountant? Possible. On a janitor? Disproportionate.
Any form of research without a legal basis is prohibited. This includes:
- Queries without the consent of the data subject (e.g. certificate of good conduct)
- Evaluation of private social media content without relevance to the activity
- Health data without medical relevance or legal basis
- Blanket or discriminatory checks (e.g. religion)
Legally relevant in particular:
- Art. 5, 6 and 9 GDPR (purpose limitation, data minimization, protection of special categories of personal data)
- Section 26 BDSG (permissibility of data processing in the employment context)
- For certain industries: special laws such as the Banking Act (Section 39 BWG) or provisions of the Aviation Security Act
Conclusion: Companies must assess the risk of each position individually and carry out screenings with a sense of proportion and transparency. Consent is generally required and must be voluntary, informed and revocable. One caveat a practitioner should keep in mind: because of the imbalance of power between applicant and employer, the GDPR (Recital 43) treats consent in the employment context with skepticism, so where a statutory obligation (such as Section 39 BWG) or a clearly documented legitimate interest exists, that basis should be recorded alongside the consent rather than relying on consent alone.
Between prevention and control: what companies should know
Background checks are not a universal remedy, but they are one further component of a comprehensive security strategy. They must be embedded in a holistic internal control system (ICS) that also includes technical and organizational measures, for example the least-privilege principle and separation of duties, so that a single individual who passes screening still cannot cause unchecked damage.
Companies must also be aware that not all risks are visible in advance: in the ACFE study, 83% of internal fraud cases were committed by first-time offenders with no prior record, people whom no criminal-record check would have flagged. Screening is therefore not a free pass but a preventive measure, no more, but also no less.
Conclusion: people are key - and a risk
Background checks help companies to make informed personnel decisions and manage their risks in a targeted manner. For operators of critical infrastructure and for ISO-certified companies, this is no longer a voluntary measure but a legal and normative obligation.
Those who rely on CVs and gut instinct alone are taking on a business risk. Those who carry out legally sound, transparent and proportionate checks protect not only the company but also its employees, partners and customers.