PER024
On this page
- Recruiting the right person
- Set the right expectations
- Ensuring their ongoing suitability
- Managing contractors
- Managing their departure
PER007
Pre-employment checks are the foundation of good personnel security. They reduce the risk of a trusted person harming your organisation or business.
Pre-employment checks allow you to:
Carry out pre-employment checks on everyone you’re considering employing, including existing employees changing roles, contractors, short-term staff, and secondees. Don’t skip pre-employment checks because of a person’s work experience or seniority.
The three main types of pre-employment checks are:
Some organisations may have extra baseline checks because of the nature of their work. For example, Police vetting is mandatory for roles in organisations that provide services for children.
You must carry out the following pre-employment checks for each person.
You can do your own pre-employment checks or get a third party, such as a recruitment agency, to do all or some of them for you.
Remember to get the applicant’s consent first. Under the Privacy Act, you should get consent in writing before you or a third party gather information from referees or other sources. You should also tell the applicant how you will use the information that is gathered.
If you use a third party, make sure you’re clear about what checks they’ll do and to what standard. It’s good practice to ask for:
You need to check that people are who they say they are. To confirm someone’s identity, ask to see an original document, such as their passport or birth certificate.
Be mindful that:
If you find unexplained discrepancies in someone’s identity documentation, ask your HR team for advice.
When you’re doing identity checks, you must meet the standard for evidence set by the Department of Internal Affairs (DIA).
Evidence of Identity Standard(external link)
The DIA provides helpful advice on checking and confirming identity documents, such as birth certificates and passports.
View DIA factsheets on checking evidence of identity documents(external link)
It’s important to confirm a person’s nationality as it may affect which information, assets, and work locations they can access.
If you’re recruiting someone to work for your organisation in New Zealand, make sure they’re either a New Zealand citizen or have the right kind of visa to work in New Zealand.
View information about types of citizenship on govt.nz(external link)
For people who aren’t New Zealand citizens, check which visa they hold and whether the visa conditions allow them to do the job they’re applying for.
Check your applicant's visa using Immigration NZ’s VisaView(external link)
If you’re recruiting for an overseas posting
If you’re recruiting someone to work for your organisation in an overseas location, check they have the right to work in that country. For example, if your organisation has an office in China and you need to recruit someone to work there, confirm the person is eligible to work in China.
For advice to help you confirm work eligibility, contact the relevant embassy.
How a person has performed and behaved in the past is a good indicator of their future performance and behaviour. Checking references thoroughly gives you an opportunity to:
Check that any referees are:
It's good practice to take detailed notes from any verbal checks, such as phone conversations. File your notes for future reference.
If you have any concerns after checking references, consider doing some of the optional pre-employment checks as well.
Overseas references can be harder to check but you should still check them as thoroughly as you can.
A criminal record check helps you to identify any:
You must have the person’s consent in writing before you go ahead with a criminal record check. You also need to understand your obligations as an employer.
Learn about your obligations with criminal record checks from Employment NZ(external link)
If you’re concerned about the results of a criminal record check, some of the optional pre-employment checks might help you to get a clearer picture of the person’s trustworthiness and suitability.
Getting a New Zealand criminal record check
In New Zealand, the Ministry of Justice does criminal record checks. This is the minimum requirement for criminal record checks. More detailed information is available through police vetting. Your organisation’s policies and procedures should determine what check you request.
Ministry of Justice criminal record check versus Police vetting
A Ministry of Justice criminal record check only covers convictions. Police vetting can also include information on any contact that a person has had with the police including:
A Ministry of Justice criminal record check is currently free if you request one directly from them. Police vetting currently costs $8.50 plus GST.
Getting an overseas criminal record check
When you’re doing pre-employment checks for people who are overseas residents or recent migrants, consider whether you need to do an overseas criminal record check.
Be aware that rules for requesting criminal records differ by country, and sometimes by state or territory too.
View the following guide from the United Kingdom’s Centre for the Protection of National Infrastructure for helpful advice.
How to Obtain an Overseas Criminal Records Check: Quick Reference Guide(external link)
In some places, only the person the criminal record belongs to can apply for their record. In this situation, you could ask the person to apply for their record and give you an authenticated copy of it.
Factors that on their own, or together, may raise concerns about a person’s integrity and suitability to work in your organisation, include:
When you identify an increased security risk with a role or the nature of your organisation’s work, additional checks could be necessary. For example, for an IT administrator who has broad access to your organisation’s information, you may wish to take greater steps to ensure they’re trustworthy.
The additional checks you apply will depend on various factors including your organisation’s security context and culture, and operating environment.
Psychometric testing
You can use psychometric testing to test for various abilities and personality traits. This type of testing can be useful in the following situations:
Qualification check
Use a qualification check to help your organisation find out if educational qualifications, professional body memberships, or practising certificates listed in a CV are legitimate.
If a qualification is critical to the role, consider making this check mandatory to avoid serious harm to your organisation.
Make sure you sight original documents rather than copies. If you’re not sure whether the documents are genuine, consider contacting the educational institute or professional body to verify the qualification.
Checking occupational registrations
Immigration NZ’s website lists occupations that require registration in New Zealand and the contact details for authorities that can verify whether a person is registered.
Check occupational registration requirements on Immigration NZ’s website(external link)
Checking university qualifications
Some universities make their graduate databases available online so you can search a person’s name and check what qualifications they’ve achieved and when.
Checking overseas qualifications
You can ask the New Zealand Qualifications Authority (NZQA) to check whether a qualification from overseas is recognised in New Zealand or comparable to a New Zealand qualification. This service has a fee and takes about 25 working days.
Learn more about NZQA’s service for recognition of overseas qualifications(external link)
Credit check
A credit check is a commercial check of public records associated with the applicant’s financial history and any associations with businesses.
You should do a credit check if the role carries a significant financial risk or the person will have a financial delegation. Get the person’s consent first.
Be aware that the results of credit checks can be subjective. Make sure you:
Remember that under the Criminal Records (Clean Slate) Act 2004, some minor offences won’t show up in a credit check if the person has completed the rehabilitation period (7 years without criminal convictions).
Bankruptcy is removed from records 4 years after a person is discharged.
Police vetting
Police vetting covers more than convictions. It also checks for:
Under the Vulnerable Children’s Act 2014, applicants for certain roles must go through police vetting.
In other situations, police vetting may give you more assurance about a person’s suitability for a role.
Before you apply for police vetting, make sure you get the person’s consent in writing and follow your obligations as an employer.
Read about your obligations with criminal history checks on Employment NZ’s website(external link)
Requesting police vetting
To request police vetting, your organisation must be registered with the Police Vetting Service.
Request a Police Vetting(external link)
Requesting an Australian criminal history check
If your organisation is registered for NZ Police vetting, you can ask to use their Australian Criminal History Checking Service.
Request an Australian National Police History Check from NZ Police(external link)
Drug and alcohol check
It might be part of your organisation’s policy to do drug and alcohol testing for roles which:
You may also decide these checks are appropriate when your baseline checks suggest a person may have problems with drug or alcohol use.
Get legal advice before you decide to do drug and alcohol testing as privacy and employment laws apply.
View guidance on drugs, alcohol, and work from Employment NZ(external link)
The vetting process for people who need a national security clearance includes mandatory checks and is carried out by the New Zealand Security Intelligence Service (NZSIS).
Be cautious about employing a person before the vetting process is complete to avoid potential employment issues.
If you have any concerns arising from pre-employment checks, you should:
A qualification can’t be verified
You can’t verify a qualification that is essential to a role, so you decide the risk is too great and rule that person out.
A credit check reveals a small debt
A credit check reveals a small debt from many years ago, but the role doesn’t include managing finances, so you decide it’s safe to hire the person (assuming you are satisfied with the outcome of your other checks).
Record what you discover
Remember to record all:
Create a risk management plan if necessary
If you employ a person with identified risks, work with them to create an individual risk management plan. Use the plan to support the person in their work, treat risks, and maintain your organisation’s security.
PER008
Set clear expectations about security. New employees, employees changing roles, and contractors, must understand your security policies and practices as soon as possible after joining your organisation.
Conduct an induction to your organisation, including to your values, code of conduct, health and safety procedures, and security expectations.
Provide security awareness training tailored to your organisation’s security risks and to the risks you’ve identified for individual roles. Make sure everyone is aware of their responsibilities for security.
Create an individual risk management plan if an individual you employ has specific security risks. Use the plan to support the employee in their work, treat risks, and maintain your organisation’s security.
For staff who are granted a national security clearance, you must provide a security briefing. Use the briefing to help them understand their responsibilities, so they can maintain their clearance and keep your information and assets safe.
If an employee is granted a clearance with conditions (qualifications), you must develop a risk management plan to address those qualifications.
PER009
Effective pre-employment checks reduce the risk of threats to your people, information, and assets. However, people and their circumstances can change. Changes can happen over time or suddenly as a reaction to an event. Your organisation needs to make sure that people remain suitable for having access to your information and assets.
Because people and their circumstances can change over time, you must monitor changes and events that can affect people.
Ongoing security education helps to keep your people, information, and assets safe from harm.
At a minimum, your organisation must:
Report and respond to security incidents
You must have a system in place for reporting and responding to potential and actual security incidents. Managing incidents well helps your organisation to:
At a minimum you must:
Good communication between managers and employees, along with clear security expectations and procedures makes it easy for people to raise concerns, and report changes and incidents.
Managers and co-workers are in the best position to notice changes in a person’s behaviour or attitude. Encourage your people to report what they notice and make it easy for them to do so confidentially.
Provide ongoing security awareness updates and training
Ongoing security education helps to keep your people, information, and assets safe and secure. It also enhances your security culture. When you increase your people’s understanding of security practices and processes, you increase their ‘care factor’, and their ‘do factor’ — security becomes everyone’s responsibility.
When you identify an increased security risk related to a role or the nature of your organisation’s work, additional ongoing checks could be necessary. The checks you apply will depend on a range of factors including your organisation’s security context and culture, and operating environment.
Checks to consider
Additional checks you can consider to ensure ongoing suitability include:
Report significant changes in personal circumstances
Significant changes in personal circumstances can arise from many different areas: relationships, finances, health, work issues, substance abuse, or new interests and contacts.
These changes can put people under pressure. They could act irrationally or inappropriately, or be vulnerable to exploitation by others.
Reporting significant changes in circumstances helps you to manage the risk of someone:
Your people should know which changes of circumstances they need to report and who they should report them to. If you’re unsure which significant changes need to be reported, consult with your HR and security teams.
Report suspicious contacts or behaviour
Foreign officials, foreign intelligence services, and commercial, political, or issue-motivated groups can devote considerable energy to accessing information (for example, political, economic, scientific, technological, and military information).
Small pieces of information can all contribute to a valuable picture. Make sure your people understand that a seemingly innocent conversation or contact, such as an email, may be part of a wider intelligence gathering exercise. Contacts can be official (as part of a person’s role) social, or incidental and can take place in a wide variety of contexts.
Your people should complete a contact report when an official or social contact appears suspicious, ongoing, unusual, or persistent (SOUP) in any respect. This contact could be with:
Attempts to get information may involve techniques such as phishing or tailgating.
Brief people on the risks related to international travel
When your people travel overseas, they could be targeted by foreign intelligence services aiming to get access to classified material.
To protect your organisation and New Zealand’s interests, consider providing advice or briefing your people on the risks and the security measures they need to take. When they return, consider debriefing them to check for any contact that appears suspicious, ongoing, unusual, or persistent (SOUP).
Your employees, contractors, and secondees should:
More guidance
Carry out checks for national security clearance holders
For people who hold a national security clearance, in addition to your general ongoing suitability checks, you must:
More guidance
Manage role changes
It’s common for people to enter an organisation in one role and then move to another role with greater responsibilities and a higher risk profile. Not completing proper checks for the new role because the person is ‘known’ to your organisation increases the risk of problems.
Before you confirm a person in a new role, make sure you complete all required pre-employment checks and/or ongoing suitability checks to the level required for the new role.
PER011
Giving a contractor access to your information and assets comes with the same security risks as for permanent employees, and some extra risks.
The main risk is that a current or former contractor will accidentally or maliciously misuse their trusted access to harm your organisation’s people, customers, assets and information, or reputation. This risk is known as the ‘insider threat’.
To protect your information and assets:
The following challenges are common with contractors.
Gaining commitment to your security measures
If you don’t induct a contractor to your security culture or make them feel a part of the team, their commitment to your security measures may not be strong.
Knowing about competing interests
A contractor may work for a competitor before, during, and after their contract with you. If you don’t ask about conflicts of interest, you can’t assess the risks or manage them.
Renewing or extending contracts
If you renew or extend a contract without re-checking or re-verifying the contractor, you can’t easily identify new risks arising from changes in the work environment or the contractor’s life.
Moving contractors from one assignment to another
If you move a contractor from one assignment to another with a higher security profile without proper checks and a security handover, you raise the risk of problems occurring.
To address the insider threat and extra challenges with contractors, follow the process and tips in our Guide to hiring and managing contractors (available from the Supporting Documents section below).
PER010
Managing people’s departure well protects your organisation’s security and reputation.
When a person leaves your organisation, they retain their knowledge of your business operations, intellectual property, official information, and security vulnerabilities. Managing their departure well will reduce the risk of this knowledge being misused.
Whether a person is leaving by choice or not, a positive exit experience reduces the risk they will misuse their knowledge of your operations, intellectual property, official information, or any security weaknesses.
Remove access rights
Before a person leaves your organisation, you must remove their access to electronic resources, physical resources, and physical sites.
Collect security passes
Make sure the departing person returns all identification cards and access passes, including any tools that allow them remote access to your information management systems.
Make sure assets are returned
A departing person must return all property that belongs to your organisation. Take particular care with your intellectual property or official information.
If you identify a higher risk associated with a particular role or a person’s circumstances, consider asking them to:
Conduct exit interviews
In addition to their broader function exit interviews give you the opportunity to remind the departing person of their obligations to protect your organisation’s information.
Exit interviews are also a good opportunity to allow the affected individual to:
Use a deed of confidentiality if the risk is high
A deed of confidentiality may be necessary to protect your organisation’s proprietary information or intellectual property.
When a person who holds a national security clearance leaves your organisation, you must carry out the baseline activities and also: