TL;DR: Background checks are a valuable tool for managing hiring risk — but what you can check, when you can check it, and how you must handle the results varies significantly across 7 countries. Getting this wrong can expose you to data protection penalties, discrimination claims, and unfair hiring challenges. This guide explains the rules.
Disclaimer: MmowW Scrib🐮 is a document preparation service, not a law firm. We do not provide legal advice. This guide is for general informational purposes only. Background check rules vary significantly by jurisdiction and are subject to change. Always consult a qualified employment solicitor or attorney for advice specific to your situation.
Background checks fall into several categories, each with different legal rules:
The core principles that apply across all 7 countries:
Criminal record checks are among the most sensitive — and most regulated — type of background check. The ability to refuse employment based on criminal history varies significantly, and blanket exclusions of candidates with any criminal record are often unlawful.
Key concepts:
| Country | Criminal Check Type | Who Conducts | When Permitted | Key Rule |
|---|---|---|---|---|
| 🇬🇧 UK | DBS (Disclosure and Barring Service) check — Basic, Standard, or Enhanced | Employer or candidate via DBS / Disclosure Scotland | Any employer (Basic); certain roles (Standard/Enhanced) | Spent convictions protected under Rehabilitation of Offenders Act 1974 |
| 🇫🇷 France | Extrait de casier judiciaire (bulletin B3 for candidate) | Candidate requests own bulletin; employer may request for certain roles | Regulated roles only | CNIL oversight; strict proportionality required |
| 🇸🇪 Sweden | Belastningsregistret (criminal record register) | Candidate requests extract; employer may receive for certain roles | Specific roles (education, care, security) | Proportionality required; general ban-the-box principles |
| 🇦🇺 Australia | Police check via Australian Criminal Intelligence Commission (ACIC) | Third-party screening provider | Most roles; Enhanced for working with children/vulnerable persons | Working with Children Check separate and mandatory for regulated roles |
| 🇳🇿 New Zealand | Criminal record via Ministry of Justice or NZ Police vetting | Candidate or employer (NZ Police vetting for certain roles) | Most roles; Police vetting for specified roles | Clean Slate Act 2004 restricts disclosure of eligible convictions |
| 🇨🇦 Canada | RCMP criminal record check; vulnerable sector check | Candidate via RCMP or third party | Most roles; VSC required for vulnerable sector roles | Criminal Records Act; provincial human rights codes restrict use |
| 🇺🇸 USA | County, state, and federal criminal records | Consumer reporting agency (CRA) under FCRA | Most roles; "ban the box" laws in many states restrict timing | FCRA requires consent, adverse action process; EEOC guidance on criminal history |
Universal best practice: Conduct criminal record checks after a conditional offer — not before. This approach (often called "ban the box") gives candidates the opportunity to demonstrate suitability before criminal history is considered.
Credit checks are permitted for certain roles but should not be a default part of every hiring process.
When credit checks may be appropriate:
When credit checks are generally not appropriate:
| Country | Legal Basis for Credit Checks |
|---|---|
| 🇬🇧 UK | Permitted with candidate consent; data protection rules apply; should be proportionate to role |
| 🇫🇷 France | Restricted; CNIL oversight; must be proportionate and relevant |
| 🇸🇪 Sweden | Permitted for roles with financial responsibilities; Datainspektionen oversight |
| 🇦🇺 Australia | Privacy Act 1988 restricts pre-employment credit checks; generally requires consent |
| 🇳🇿 New Zealand | Privacy Act 2020 requires consent; proportionality applies |
| 🇨🇦 Canada | PIPEDA + provincial law; consent required; proportionality required |
| 🇺🇸 USA | FCRA governs; adverse action process required; many states restrict use (California, New York, Illinois) |
Reference checks are almost universally permitted, subject to data protection rules. However, what former employers can say about a departed employee is restricted in some jurisdictions.
What you can do:
What former employers must consider:
Best practice:
Verifying that a candidate holds the qualifications they claim is legitimate and important — particularly for regulated professions.
Always verify:
How to verify:
Right-to-work verification is mandatory (not optional) before employment commences in all 7 countries.
This is covered in detail in our First Employee Hiring Checklist. In brief:
Social media screening occupies a legally grey area. It is not formally regulated in most jurisdictions but carries significant risk:
If you conduct social media screening:
Use our free tool: Employment Checker
Try it free →Background check data — particularly criminal record information and health data — is classified as sensitive personal data requiring higher protection under GDPR (EU/UK), the Privacy Act (AU/NZ), and equivalent legislation.
Key obligations:
1. Conducting criminal checks before a conditional offer
"Ban the box" laws in many US states and good practice guidelines in the UK, Australia, and Canada require criminal history questions to be deferred until after a conditional offer. Asking about criminal history too early excludes candidates before they have the chance to demonstrate their suitability.
2. Blanket exclusion of candidates with any criminal record
An automatic policy of excluding all candidates with a criminal record — regardless of the offence, its relevance to the role, or how long ago it occurred — may constitute indirect discrimination in most jurisdictions.
3. Not obtaining informed consent
Conducting a credit or criminal background check without the candidate's knowledge and written consent violates data protection law in the UK, EU, Australia, New Zealand, and Canada. In the US, the FCRA requires specific written disclosure and authorisation before a consumer reporting agency runs a background check.
4. Using background check results inconsistently
If you apply credit checks only to candidates from certain backgrounds, or criminal record checks more rigorously to some candidates than others, you create discrimination risk. Background check policies should be applied consistently to all candidates for equivalent roles.
5. Keeping background check data indefinitely
Background check data should be deleted or anonymised once it is no longer needed — typically within a few months of the hiring decision. Retaining sensitive data indefinitely creates compliance risk.
Q: Can I Google a job candidate?
A: You can — but you may inadvertently discover protected information (health conditions, religion, pregnancy) that you cannot lawfully use in your selection decision. If you conduct online research, have a clear policy, document what you found, and consider having someone not involved in the hiring decision conduct the research. Never make selection decisions based on protected information discovered online.
Q: What if a candidate refuses to consent to a background check?
A: You can require background checks as a condition of employment for roles where they are proportionate and relevant. If a candidate refuses to consent, you may be unable to proceed with the appointment. However, for roles where the background check is not genuinely necessary, refusing employment because a candidate will not consent to an unnecessary check may be challenged.
Q: How long can I keep background check records?
A: Data protection law in the UK, EU, Australia, and Canada requires that personal data is kept only as long as necessary. For background check data, this is typically a few months after the hiring decision. Specific criminal record information should be deleted promptly. Consult a qualified employment solicitor or attorney or data protection specialist for your jurisdiction.
Q: What is the adverse action process in the US?
A: Under the FCRA, if you intend to take adverse action (reject a candidate) based on a background check from a consumer reporting agency, you must: (1) provide a "pre-adverse action notice" with a copy of the report and a summary of rights; (2) wait a reasonable time (typically 5 business days) for the candidate to dispute inaccuracies; (3) if proceeding, provide a final adverse action notice. Failing to follow this process violates the FCRA and can result in significant penalties.
Our Employment Checker provides an overview of background check requirements and restrictions by country and role type.
Track key hiring deadlines and right-to-work verification requirements with our Filing Deadlines tool.
Use our Cost Calculator to factor background check costs into your total hiring budget.
Remember: MmowW Scrib🐮 prepares documents — it does not provide legal advice. A qualified employment solicitor or attorney should review your background check policy and practices.
Loved for Safety. MmowW Scrib🐮 — Document preparation made simple across 7 countries.
Free tools to help you get started:
MmowW Scribe prepares your formation documents, compliance filings, and business paperwork across 7 countries.
Start 14-Day Free Trial →No credit card required. From $149/month.
Loved for Safety.