Policies

Data Protection

The Data Protection Act (DPA) aims to promote high standards in the handling of personal information and to protect the individual's right to privacy. The DPA applies to anyone holding information about living individuals in electronic format and in some cases on paper. They must follow the eight data protection principles of good information handling.

European Background is registered with the Information Commissioner No Z6130941 and follows data protection principles.

			fairly and lawfully processed
			processed for specified purposes
			adequate, relevant and not excessive
			accurate; and where necessary, kept up to date
			not kept longer than necessary
			processed in line with the rights of the individual
			kept secure
			not transferred to countries outside the European Economic Area unless there is adequate protection for the information.

Personal data covers both facts and opinions about an individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply.

BS 7858:2006

Security screening of individuals employed in a security environment - Code of Practice to which all of our checks adhere unless superceded by overseas policies.

This British Standard was first published in June 1996 having been prepared at the request of users and providers of security services. The standard underwent a three year revision and industry consultation that culminated in the second edition (2004) being issued in March 2004. The standard underwent a further revision during 2005 with industry consultation that culminated in the third edition (2006) being issued in August 2006. With the stringent rules, applying thereto it is considered an ideal model for use in other areas where an individual's background is of paramount importance.

The Standard is subject to copyright but the salient points are abridged as follows:

Scope

"This British Standard gives recommendations for the security screening of individuals to be employed in an environment where the security and safety of people, goods or property is a requirement of the employing organisation's operation and/or where such security screening is in the public interest."

General

"The organisation should not employ individuals whose career or history indicates that they would be unlikely to resist the opportunities for illicit personal gain, or the possibilities of being compromised or the opportunities for creating any other breach of security, which such employment might offer."

Provision of Information

“All individuals applying for relevant employment and all existing employees transferring to relevant employment from other duties should be required to sign the form declaration and to provide the following.”

Proof of identity and address of residence
Details of their education, employment, periods of self-employment throughout the security screening period
The names of two individuals with personal knowledge of the individual been security screened who would act as Character Referees. The Character Referees should not be relatives through blood or marriage or reside at the same address as the individual being security screened
Detail of all cautions or convictions for criminal offences, subject to the provisions of the Rehabilitation of Offenders Act 1974
Details of all bankruptcy and court judgments.

Security Screening period

"Period of years immediately prior to the commencement of relevant employment or transfer to relevant employment, or back to the age of 12 it this date is more recent."

Period allowed for completion of security screening

"Security screening covering the whole of the security-screening period should be completed: for 5 years security screening, not later than 12 weeks after employment (i.e. provisional employment) has commenced or, for a longer period, not later than 16 weeks after employment (i.e. provisional employment) ha commenced.”

ISO 9001

What is ISO 9000?

ISO 9000 is a generic name given to a family of standards developed to provide a framework around which a quality management system can effectively be implemented. European Background was granted this.

ISO 9001:2000, the requirement standard, includes the following main sections:

Quality Management System
Management Responsibility
Resource Management
Product Realization
Measurement Analysis and Improvement

What does it mean to us?

To gain the maximum benefit from ISO 9000:2000 there are a number of steps to take:

Define why our organization is in business.
Determine the key processes that state 'what' we do.
Establish how these processes work within our business.
Determine who owns these processes.
Agree these processes throughout the organisation.

Background checks for PCI DSS

Our background checks and vetting services are designed to meet Requirement 12.7 of the PCI DSS (Payment Card Industry Data Security Standards).

If your company takes payment from credit or debit cards online or over the phone and then stores the card information, you need to make sure that your company is compliant with PCI DSS. Even if you use a third-party to take those payments you still have to be compliant and so does the third-party.

Vetting your staff with us will bring you one step closer to being compliant because part of the compliance standard states that your staff need to have their background checked.

What is Requirement 12.7?

Requirement 12.7 is part of the PCI DSS standard which states that every organisation should "maintain a policy that addresses information security for employees and contractors." 12.7 specifically states that organisations should "Screen potential employees to minimise the risk of attacks from internal sources."

The greatest threat to an organisation's data security is from internal sources i.e. people who are either directly employed by the organisation or third-party contractors. Our background checks are designed to help you reduce the risk and limit the damage from this internal threat.

How do I initiate PCI DSS checks for my staff? What's involved?

Our PCI DSS vetting process is simple: after signing our contract proposal we send a disclosure and authorisation form to you for your employees (existing or potential) to complete and return. This form gives us the information we need to carry out the vetting quickly and efficiently.

The vetting itself usually takes ten working days and can include:

verification of employment
Basic criminal record disclosure
Credit checks searching for CCJ, bankruptcy, IVA and insolvency information

Money laundering and terrorist checks

These vetting checks will ensure your employees meet the requirements of 12.7 of the PCI DSS, allowing you to continue your PCI DSS programme safe in the knowledge that our background checks will meet your needs.