Lies and inaccuracies were present in over half of the CVs submitted in a study carried out earlier this year by The Risk Advisory Group. Cautious employers will want to take steps to verify that applicants live up to their CV promises and, given the current climate, there are also security issues to be considered. Recent press reports suggest that some employers have even taken to looking up job applicants on internet chatrooms and websites, such as Friends Reunited, to find out more about them. However, there are legal restrictions on how far employers can go when it comes to carrying out background checks.

Employers can use a variety of methods to check on potential employees, ranging from the taking up of references from previous employers to more in-depth investigations, such as criminal record checks. When carrying out any of these procedures, employers must bear in mind that they are subject to various restrictions under the Data Protection Act 1998 (DPA). Processing information relating to an individual job applicant will be processing personal data under the DPA.

Part 1 of the Employment Practices Data Protection Code (the Code), which is intended to assist employers with DPA compliance in relation to recruitment and selection, sets out the Information Commissioner's recommendations on how to carry out background checks lawfully (see News brief "Data Protection Code: Recruitment and selection", www.practicallaw.com/A22743). Although the Code is not legally enforceable, a breach of the Code is likely to be a breach of the DPA if the employer does not adopt an alternative means of compliance. If an individual suffers damage (or damage and distress) as a result of a breach of the DPA, he or she can bring a claim for compensation in the High Court or the County Court (section 13, DPA).

The Code's general approach is one of transparency wherever possible (see box "Employee references checklist"). Employers should, for example:

Background checks are divided into two categories under Part 1 of the Code: "verification" and "vetting". Verification is the process of checking whether details supplied by an applicant are accurate and complete. Vetting is more intrusive and involves actively making enquiries with third parties as to an applicant's background and circumstances. This could involve using contacts through websites, like Friends Reunited, to find out more information about an individual from their school friends.

Routine vetting is prohibited under the Code. Instead, it recommends that vetting be limited to occasions where there are particular and significant risks to the employer or others. Examples cited in the Code include where there is a risk to national security or of employing someone unsuitable to work with children or where the post involves disclosure of commercially confidential information.

The level of vetting should also be proportionate to the risks involved and only used where there is no less intrusive alternative. Collecting information about the family or close associates of a job applicant, for example, would only be justified in exceptional cases, according to the Code, for example, for police or prison officer recruitment.

The correct procedure for obtaining details of criminal records is via the disclosure service provided by the Criminal Records Bureau (CRB). Under the CRB service, employers will be able to request that applicants obtain a basic disclosure once this particular service is available. If the applicant consents and obtains the disclosure this will provide the employer with details of his or her convictions held on the Police National Computer that are unspent under the Rehabilitation of Offenders Act 1974 (1974 Act). Until this disclosure service is available, enforced access under section 7 of the DPA is still permitted (that is, making applicants obtain a copy of their criminal record as a condition of employment), although it is not regarded as good practice by the Information Commissioner or the CRB. Once the service is fully operational, enforced access will be a criminal offence under section 56(5) of the DPA.

The CRB standard and enhanced disclosure services, which are currently available to recruiting employers, provide a greater level of detail of an individual's criminal record (including spent convictions and cautions). They are available in respect of positions and professions as prescribed under the 1974 Act. Generally, these include sensitive areas of employment, for example, positions where an individual is working with children. To obtain standard and enhanced disclosures, an application form has to be signed by both the applicant and the employer who must be registered with the CRB. Separate copies are then sent to the applicant and the employer.

According to the Code, employers must be careful not to depend on information collected from possibly unreliable sources. Where inaccuracies or adverse information are revealed through background checks, applicants should be given a chance to respond and make representations regarding information that will affect the final decision to appoint a candidate. If necessary, the Code recommends that further information should be obtained to make a reasoned recruitment decision.

The Code requires employers to delete any information obtained about job applicants that is irrelevant to ongoing employment. In particular, information about criminal convictions must be deleted once it has been verified by the CRB disclosure procedure.

The Code also stipulates that any information obtained through a vetting exercise must be destroyed as soon as possible, or in any case within six months. However, employers can retain a record of the result of vetting or verification background checks provided this is necessary in accordance with the data protection principles in the DPA. Employers should note that job applicants have a right of access to these records and that this information could then be used by an applicant to pursue future litigation (for example, under discrimination legislation) if he or she believes that there is a valid claim.