WageKit

Employee Background Checks UK: What Employers Can and Cannot Do

Complete guide to employee background checks in the UK. Covers DBS checks, credit checks, reference checks, social media screening, and GDPR compliance.

22 March 2026, 10 min read

Pre-employment background checks help you verify that candidates are who they claim to be and are suitable for the role. But in the UK, what you can check — and how you use the results — is tightly regulated by the Rehabilitation of Offenders Act 1974, UK GDPR, the Data Protection Act 2018, and the Equality Act 2010.

This guide covers every type of background check available to UK employers, the legal limits on each, and how to build a compliant screening process.

Types of background checks in the UK

Not all checks are appropriate for every role. The level of screening should be proportionate to the nature and seniority of the position.

DBS checks: criminal record screening

The Disclosure and Barring Service (DBS) provides criminal record checks at three levels, each appropriate for different roles.

Basic DBS check

A basic check shows only unspent convictions under the Rehabilitation of Offenders Act 1974. Any employer can request a basic check for any role, and candidates can apply for their own basic check. The cost is £18 (as of 2025/26).

This is the only level of DBS check available for most standard roles such as office workers, retail staff, and general warehouse operatives.

Standard DBS check

A standard check shows both spent and unspent convictions, cautions, reprimands, and warnings held on the Police National Computer. It is only available for roles listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 — such as roles in healthcare, legal, and accountancy professions.

Enhanced DBS check

An enhanced check includes everything on a standard check plus any relevant information held by local police forces. For certain roles (such as those involving regular unsupervised contact with children or vulnerable adults), it also includes a check of the DBS Barred Lists.

Enhanced checks are only available for specific roles defined in the Police Act 1997 (Criminal Records) Regulations. Common eligible roles include teachers and teaching assistants, care workers, healthcare professionals, and some financial services positions.

Do not over-check

Requesting a DBS check at a higher level than the role is eligible for is unlawful. An employer cannot request an enhanced DBS check for a standard office administrator. If you are unsure which level your role qualifies for, use the DBS eligibility tool on GOV.UK.

Using DBS results fairly

Having a criminal record does not automatically make someone unsuitable for a role. Under the DBS filtering rules, certain old or minor convictions are "filtered" and will not appear on standard or enhanced checks.

When a relevant conviction does appear, you must carry out an individual risk assessment considering the nature of the offence, how long ago it occurred, the candidate's age at the time, the relevance of the offence to the role, any evidence of rehabilitation, and the pattern (single incident versus repeated offending).

Blanket policies that reject all candidates with any criminal record are likely to be unlawful discrimination, particularly where they disproportionately affect people with certain protected characteristics.

Reference checks

There is no legal obligation to provide a reference for a former employee (except in certain regulated sectors like financial services). However, if you do provide one, it must be accurate and fair.

What to ask in a reference request

Standard reference requests typically cover confirmation of employment dates and job title, brief summary of duties, reason for leaving, and any disciplinary or performance concerns.

Many employers now provide only a factual reference confirming dates and job title, to minimise the risk of defamation claims. There is nothing wrong with this approach, but it limits the information available to hiring employers.

What you cannot do with references

You must not refuse to provide a reference for discriminatory reasons — for example, because the employee brought a grievance or discrimination claim against you. This could constitute victimisation under the Equality Act 2010.

You must not provide misleading references, either by omitting important facts or by including inaccurate negative information. A negligent reference can give rise to claims from both the former employee and the hiring employer who relied on it.

Be consistent

Adopt a standard reference policy and apply it consistently to all employees. If your policy is to provide factual references only, do so for everyone. Providing a glowing reference for one person and a bare-bones factual reference for another in similar circumstances could suggest discrimination.

Credit checks

Employers can only carry out credit checks where there is a legitimate, proportionate reason to do so. This typically applies to roles in financial services, positions involving handling significant amounts of money, and senior roles with financial authority.

Credit checks require the candidate's explicit consent and must comply with UK GDPR. You must explain why the check is necessary for the role, obtain written consent before conducting the check, use a reputable credit reference agency, and consider the results in context — financial difficulties alone do not make someone a theft risk.

Discrimination risk

Be cautious about rejecting candidates based on credit history alone. Financial difficulties can correlate with protected characteristics — for example, they may disproportionately affect people from certain socioeconomic backgrounds, disabled people with higher living costs, or single parents. Always conduct an individual assessment.

Qualification and professional registration checks

You can and should verify qualifications and professional registrations where they are a genuine requirement of the role. This includes checking degree certificates with the issuing university, verifying professional body membership (such as ACCA, CIPD, NMC), and confirming specialist qualifications or licences.

Lying about qualifications on a CV is more common than most employers realise. Verification is straightforward and significantly reduces risk, particularly for regulated roles.

Social media screening

Checking candidates' social media profiles is legally possible but high-risk. The information you find may reveal protected characteristics such as religion, sexuality, disability, or pregnancy — and once you know this information, it becomes very difficult to demonstrate it did not influence your decision.

If you do conduct social media screening, apply it consistently to all candidates for the same role, only consider information directly relevant to the role, document what you found and how it was assessed, conduct the screening after shortlisting (ideally by someone not involved in the hiring decision), and never use personal information related to protected characteristics.

Better alternatives

In most cases, structured interviews, work sample tests, and formal reference checks provide better and less risky information than social media screening. Reserve social media checks for roles where there is a specific, documented reason — such as a public-facing spokesperson role where published views are directly relevant.

GDPR compliance for background checks

Every background check involves processing personal data. UK GDPR requires a lawful basis for this processing and compliance with data protection principles.

Lawful basis

The most appropriate lawful basis for pre-employment checks is usually legitimate interest (Article 6(1)(f)) — the employer has a legitimate interest in verifying the suitability of candidates, balanced against the candidate's right to privacy. For some checks (such as credit checks), explicit consent may be more appropriate.

For DBS checks involving criminal conviction data, you need an additional lawful basis under Schedule 1 of the Data Protection Act 2018, plus an appropriate policy document.

Data protection obligations

Your screening process must meet these requirements:

  • Privacy notice: Inform candidates about what checks you will conduct, why, and how their data will be handled. This should be provided before the checks take place
  • Data minimisation: Only collect information that is necessary for the hiring decision. Do not gather data "just in case"
  • Retention: Keep screening data only as long as necessary. For unsuccessful candidates, delete it within a reasonable period (typically 6-12 months). For successful candidates, retain it as part of their personnel file with appropriate retention periods
  • Security: Store screening results securely and limit access to those involved in the hiring decision
  • Subject access requests: Candidates have the right to request access to any data you hold about them, including screening results

For broader guidance, see our article on UK GDPR and employee data.

Building a proportionate screening policy

A well-designed screening policy applies different levels of checking to different roles, based on the actual risks involved.

Conditional offers

The standard approach is to make a job offer conditional on satisfactory completion of background checks. This allows you to carry out the checks (some of which, like health questionnaires, are only permissible post-offer) and withdraw the offer if the results are unsatisfactory.

Ensure your offer letter clearly states which checks are required and that the offer is conditional on satisfactory results. See our employment contract essentials guide for more on structuring offer letters and contracts.

Next steps

Free Pre-Employment Screening Policy Template

Download our screening policy template covering all check types, GDPR compliance requirements, and a role-based screening matrix. Ready to customise for your business.

Key takeaways

Background checks are a valuable part of the hiring process, but they must be proportionate, lawful, and consistently applied. Match the depth of screening to the actual risk level of each role. Always complete your mandatory right to work checks for every new hire, use DBS checks only where the role is eligible, and ensure your entire screening process complies with UK GDPR. Document your policy, train your hiring managers, and keep your records secure.