You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
Brucewee is going to have to explain which countries have laws against "this kind of thing" because all countries as far as I know have security vetting procedures for jobs that have national security implications, the outliers will be ones where they DON'T need consent and just run checks whether you agree or not.
Talking about Norway, for one. From what's been posted it sounds like the rules in the UK and Norway are actually pretty similar. If you want to be CFO then a credit check might well be expected. If you work on a factory floor, no way. Any attempt to do so would have the unions rubbing their hands with glee that a company had tried to do anything so stupid.
I'm not sure what's worse, When I thought it was legal in the UK or the fact that it is also illegal in the UK but employers don't have to care.
Thats not true for Norway Bruce. I had one run as a part of my job ( in Norway)
Seeing as we like AI
-
Legitimate Interest and Objectivity:Norwegian law emphasizes that employers can only process personal data, including credit information, when it's necessary to achieve a legitimate purpose.This means the credit check must be directly relevant to the job and not simply a standard procedure.
-
Position Requirements:Credit checks are generally permissible for high-ranking positions with significant financial responsibility.For example, a role involving managing large sums of money or having access to sensitive financial data might justify a credit check.
etc.
It's a bit difficult to say if it's true or not from your statement. If you were loading boxes in a warehouse then yes, it was almost certainly illegal. If you were working for the Sovereign Wealth Fund then it would be expected.
Credit checks are generally permissible for high-ranking positions with significant financial responsibility.For example, a role involving managing large sums of money or having access to sensitive financial data might justify a credit check.
Yes. Therefore, not someone working as a printer.
Printers can have access to sensitive financial data. iirc there was an insider trading job done by the FSA where the printers doing prospectus for sales etc etc were getting early access to market sensitive data and dealing on the back of this.
Not just 'a printer' though.
A printer working for a firm that has the contract to print documentation for a financial institution. Documentation that could be sensitive (eg: example previous, the annual report will be printed in advance of the info being publicly available, but could be very useful for an investor to know before the markets do)
It doesn't matter. If the OP regularly has access to sensitive financial information then he should be well aware of the company's processes regarding this. Having a credit check should come as no surprise because it should be clearly laid out as part of the training he received in order to conform to the company's rules and UK law.
Perhaps the OP has had this training and just didn't mention it.
Or this is an overreach by a company trying to please a client that is used to not having to follow things like GDPR laws and Data Protection Impact Assessments.
The fact they want to do checks on the entire company raises red flags to me. This sort of stuff should be the minimum needed. I'd love to see the justification for this
I think Bruces point is that better workers rights in other countries means that employers realise what their obligations are and don't try to ignore them
I work in Financial Services and almost always have to agree to have a credit and background check carried out by a vetting company when onboarding to a client. I can of course refuse the credit check that means I won’t onboard with client and basically I’d be unemployed as I’d miss my billing requirements.
Not sure on the need for drama here as we do credit checks every time you change electricity or mobile phone suppliers. OP can obviously say no but they won’t be able to work with that particular client.
We had similar last year where they wanted to do enhanced CRB checks that included financial checks (Fire Service, bought inline with Police as we were under a PFCC). Plenty of people panicked due to silly things they'd done in their youth but not had to report when they got the job.
Union managed to negotiate for past stuff, within reason not to be a problem.
At an absolute minimum, if it gets to the stage where an employee requires a credit check, then they should also have had a documented training course to understand their role in protecting sensitive data. If a company is compliant with any kind of ISO standard that deals with data security then all employees should have had some training. All employees who may actually have to handle sensitive information should have had more extensive training.
If you've gotten to a position where a credit check is required, you should not be so perplexed as to why this is happening that you post on an internet forum.
No offense to the OP, by the way. I'm just trying to illustrate why not knowing why a credit check is being required is a pretty good indication that one is not needed.
And also, I'm still curious as to what happens if they discover certain employees have bad credit?
He hasn't said that the whole company is being asked to do it. Where do you get that from?
"They recently requested a number of staff including myself...."
And OP hasn't said they have regular access; just that a client is a FS institution, they print documents for this client, and the client has requested that some staff undergo a level of checking. They've then asked why and been told that it's a client requirement, I assume there is more detail available to the printco than that but OP has accepted on that basis.
Why now - who knows. Maybe they have been printing non-sensitive dox for a while but now the FS Inst wants them to do some sensitive work? Maybe the FS Inst has realised their control of sensitive info has been sub standard and now are making corrections.
Where the extrapolation that the company or client doesn't know law or obligations about GDPR / DPIA comes from, I don't know. Nothing that is being asked for is illegal or unethical as long as the employee gives consent, which is what they were asked to do.
Client is a multinational. My employer is UK standard SME.
This isn't a huge surprise
Small company wins a contract from big company
Big company imposes their T&C's on small company
Said T&C's have loads of stupid clauses in it
I deal with this nonsense regularly
So this.
I've just had the misfortune of looking sell training to a nursery chain, who outsourced thier IT / Data Security check to a US company. Two Hundred questionnaire of ridiculous nature later they agreed we could provide courses to thier staff.... And of course on day 1 the customer left a register of names and contact details for the participants out to be seen on the desk....
And also, I'm still curious as to what happens if they discover certain employees have bad credit?
IDK in this case, but in my case a risk based assessment can be carried out, about the level of access they may have to sensitive info, any other mitigations that might be appropriate (eg: no lone working access) or if appropriate, that they simply can't work on certain parts of our research.
Flip the other way....(and it's seldom just credit checking, despite Xora's one off seagull manoeuvre there are firms that specialise in this) - you do a suite of checking, and comes back that because of factors the employee is felt to be high risk. What, they've got to be treated the same as everyone else? How does that make any sense?
We had similar last year where they wanted to do enhanced CRB checks that included financial checks
Unlikely given that the CRB hasn't existed for over a decade.
Plenty of people panicked due to silly things they'd done in their youth but not had to report when they got the job.
Union managed to negotiate for past stuff, within reason not to be a problem.
I'm confused here. AFAIK the DBS check is done by a third party who then simply tells the employer whether they've passed or not. When I had my Basic the results came to me not my employer who had requested it, I had to scan it in and email it to them; when I later got the Enhanced again it came to me rather than my partner / her umbrella company. What does the union have to do with anything? You can't talk your way out of a background check.
Do you mean negotiating with the employer subsequently if it came back negative?
He hasn't said that the whole company is being asked to do it. Where do you get that from?
I'm not sure what you're referring to here.
Where the extrapolation that the company or client doesn't know law or obligations about GDPR / DPIA comes from, I don't know. Nothing that is being asked for is illegal or unethical as long as the employee gives consent, which is what they were asked to do.
If it's gotten to the stage where credit checks are required for non-management roles because of data sensitivity concerns, you would assume the company must be ISO 27001 compliant at a minimum. Employee training is a requirement for certification, particularly for employees who are actually handling sensitive data.
If the company isn't even conforming to ISO 27001 then they have no business asking for credit checks. They have far bigger issues to worry about.
Just out of interest, @wait4me can you give us an idea how much recorded training your company has required you to complete related to handling sensitive data?
I don't even work with sensitive data and I've got at least four online training courses related to data and security marked 'Complete' on our company training portal. But then that's par for the course for companies that are ISO 27001 compliant.
Just a thought,
Does technology not exist to make "secure printing" a thing? Like, the printers never get chance to see the documents at all?
I've dealt with PCI-DSS which is the compliance standard for taking card payments. If it's a call centre and they're taking payments over the phone then we didn't send the call handler for a credit check, we installed a dongle under the phone which filters out DTMF tones so when the customer dials in their card number the operative can't hear them.
I don't even work with sensitive data and I've got at least four online training courses related to data and security marked 'Complete' on our company training portal.
I once had to complete a "working at heights" course. The closest I came to working at heights was turning up to work in unusually thick socks.
I once had to complete a "working at heights" course. The closest I came to working at heights was turning up to work in unusually thick socks.
When I was working in the North Sea I once had to do a piracy awareness course.
Not as in downloading movies. As in, what is a fishing boat and what is a boarding party of Somalis looking to take control of the ship.
Luckily I'd watched Captain Phillips the night before so I was able to keep my focus on whatever argument I was having on here instead of the online interactive training course and still pass the test.
I suspect I managed to download a virus along with the film though.
He hasn't said that the whole company is being asked to do it. Where do you get that from?
I'm not sure what you're referring to here
TJ's comment from 9:11
The fact they want to do checks on the entire company raises red flags to me.
My mum had a terrible credit rating. Reason being, she'd never borrowed anything since "TV rentals" was a thing. If she couldn't afford to pay for something outright then she went without. When she died, her savings paid off what was left on my mortgage. Financial risk? I'm more of a financial risk than she ever was, I'm unemployed and kinda broke but my credit rating is "excellent."
I don't know if the "credit check" used by financial services employers for vetting is quite the same as those used for lending.
Talking about Norway, for one. From what's been posted it sounds like the rules in the UK and Norway are actually pretty similar. If you want to be CFO then a credit check might well be expected. If you work on a factory floor, no way. Any attempt to do so would have the unions rubbing their hands with glee that a company had tried to do anything so stupid.
I'm not sure what's worse, When I thought it was legal in the UK or the fact that it is also illegal in the UK but employers don't have to care.
So are you saying that the guy who runs the machine that makes bank cards in Norway doesn't have any checks beyond someone who prints business cards? Or that someone who runs the printers printing, folding, envelope stuffing annual pension statements isn't expected to undergo extra scrutiny? Or the factory which assembles circuit boards for "chip n pin" card readers requires no checks? The OP hasn't provided any real detail - and may not even know that yet, but if that's really the case I'll make sure I avoid Norwegian banking organisations because these sort of checks with appropriate balances to protect employees are considered the norm.
So are you saying that the guy who runs the machine that makes bank cards in Norway doesn't have any checks beyond someone who prints business cards?
I would read the entire thread before commenting.
It's explained in some detail why the process of handling sensitive data isn't generally reliant on doing credit checks of manual workers.
But if coming to a country that values protecting employee rights and has unions with the muscle to back you up in any dispute sounds unappealing then yes, you should definitely avoid Norway.
I would read the entire thread before commenting.
I thought I had. Can you confirm that someone making credit cards, printing PIN numbers, or sending out sensitive statements in Norway is not subject to extra vetting over someone printing flyers for the pizza shop?
I must have missed that - because there are a number of posts from people telling you that actually financial checks are not uncommon on people who have access to sensitive info even if they are in low skills positions. So what steps are the Norwegians using which other western countries have missed to address the risks that someone in the "print factory" accesses/shares information with others for fraudulent purposes? How do they manage to work with international collaborators or parent companies without setting off their "you do no vetting" alarm bells?It's explained in some detail why the process of handling sensitive data isn't generally reliant on doing credit checks of manual workers.
I don't believe for one second that a UK printing operation's management team is sitting round working out ways to "errode workers rights" and coming up with the cunning plan to require financial checks. Not least because getting those checks costs the company time and money. Most financial services employers don't even handle that data themselves they pay a vetting agency so all they get back is a green light or a red light for the employee.But if coming to a country that values protecting employee rights and has unions with the muscle to back you up in any dispute sounds unappealing then yes, you should definitely avoid Norway.
I thought I had. Can you confirm that someone making credit cards, printing PIN numbers, or sending out sensitive statements in Norway is not subject to extra vetting over someone printing flyers for the pizza shop?
I can't, no.
If I had to take a guess I'd say there are very few people doing this job as it's mostly done electronically and where it's not I'd imagine they have machines to do all the folding automatically.
If there are still people handing sensitive information by hand then they will have had extensive training in order to conform to ISO 27001. They would not be posting on an internet forum asking why they are being asked to submit to a credit check as it would be written into their contract, it would have been covered in their training, and their union rep would be ensuring they were aware if they were being asked to do anything not covered by the collective agreement.
I must have missed that - because there are a number of posts from people telling you that actually financial checks are not uncommon on people who have access to sensitive info even if they are in low skills positions.
Actually, as far as I can see, no one has said it's common for manual workers to have credit checks. Even UK guidance says it should only be people responsible for finances.
So what steps are the Norwegians using which other western countries have missed to address the risks that someone in the "print factory" accesses/shares information with others for fraudulent purposes? How do they manage to work with international collaborators or parent companies without setting off their "you do no vetting" alarm bells?
I have no idea.
However, what I've personally found is that management will generally prefer to piss off clients who are making stupid demands than their workforce.
Pissing off your workforce is nearly always more trouble than it's worth.
If compromises have to be made then there will be negotiations. It won't be a diktat.
I don't believe for one second that a UK printing operation's management team is sitting round working out ways to "errode workers rights" and coming up with the cunning plan to require financial checks.
I also don't think most UK companies sit around thinking up ways of eroding workers rights. I think it's an unfortunate byproduct that happens over time where more and more rights are overlooked in the interests of making a sale and there is little to no pushback. So each erosion just becomes the way things are done.
It's not a conspiracy, it's just the inevitable result of employers being way more powerful than employees.
However, what I've personally found is that management will generally prefer to piss off clients who are making stupid demands than their workforce.
Equally anecdotally, I've found the opposite to be true. I've had many "but the customer wants..." conversations over the years.
Equally anecdotally, I've found the opposite to be true. I've had many "but the customer wants..." conversations over the years.
Oh, absolutely. The difference is in Norway, once you point out what the rules actually say most managers will give up fairly quickly.
There's nothing I enjoy more in Norway than when a CEO or senior manager gets a bit over-enthusiastic and sends out a poorly thought out email to staff.
It will often then quickly be followed by a passive aggressive email from the union rep and sometimes the HMS (Workplace Safety Rep) explaining which particular bits of employment law the CEO's decree violates and that the CEO's idea will not be happening.
It doesn't happen often but when it does it reminds me of the feeling of similar messages from the bosses when I was in the UK and the sinking feeling that there was realistically little we could do to pushback.
Like I said in my first post, I really don't think I could go back to working in the UK.
I can't, no.point made
of course, but someone mans the machines, loads the stock, deals with the paper jams, moves the output from one place to the other.If I had to take a guess I'd say there are very few people doing this job as it's mostly done electronically and where it's not I'd imagine they have machines to do all the folding automatically.
which all ignores the part where the OP says its a NEW CONTRACT for a Bank that has triggered this. Of course every factory employee had been excellently briefed on the business strategy, the upcoming contract, the consequences of that contract etc. no employer anywhere in the world has ever highlighted a new requirement before explaining the full detail, just as no employee has ever not listened to the full story, skipped over some dull section explaining ISO27001, etc. And no manager has ever flagged up something that's coming down the pipe to see if he gets pushback and needs to do a load of effort explaining it or everyone shrugs and signs.If there are still people handing sensitive information by hand then they will have had extensive training in order to conform to ISO 27001. They would not be posting on an internet forum asking why they are being asked to submit to a credit check as it would be written into their contract, it would have been covered in their training, and their union rep would be ensuring they were aware if they were being asked to do anything not covered by the collective agreement.
Actually, as far as I can see, no one has said it's common for manual workers to have credit checks. Even UK guidance says it should only be people responsible for finances.
Probably read the whole thread then 😉 You are right in the sense that nobody says its common for manual workers, the OP described himself as working in a factory, which he added a little more detail to "print" and this was a banking client. At that point many people said, "probably not that unusual" and despite your suggestion that Norway is employment rights utopia and the UK an intrusive management hell - actually sounds like in some circumstances in Norway checks probably would be required!
Pissing off your workforce is nearly always more trouble than it's worth.
Not entirely clear why it needs to piss off the workforce. The majority of people will tick the box/sign the form with no fuss. Some will make a fuss but are going to "pass" anyway. So the only ones who will really be pissed off are the tiny majority who get flagged as a risk. Do you know what is always a load of trouble? A security breach. What else is a load of trouble? Making a bunch of staff redundant because you didn't win the big bank contract.
CONCLUSION:
Is it necessary/reasonable? Maybe/maybe not
Is it unheard of? No
Is STW the best place to find out about what's happening in your employer? No
Is STW the best place for people with half the information to twist a point to their political agenda? Yes
Unusually harsh.
which all ignores the part where the OP says its a NEW CONTRACT for a Bank that has triggered this. Of course every factory employee had been excellently briefed on the business strategy, the upcoming contract, the consequences of that contract etc. no employer anywhere in the world has ever highlighted a new requirement before explaining the full detail, just as no employee has ever not listened to the full story, skipped over some dull section explaining ISO27001, etc. And no manager has ever flagged up something that's coming down the pipe to see if he gets pushback and needs to do a load of effort explaining it or everyone shrugs and signs.
Could be, but I tend to just take people at their word on here, rather than create a new scenario that supports my viewpoint.
According to the OP this just came out of the blue at the behest of a non-UK company. No explanation. No extra data security training. Just this.
So yes, if the OP is forgetful, inattentive, or not being entirely honest for some reason anything is possible. The question is why do we need to add additional complications of our own invention to their story? Why not just take what they say at face value.
And if we take it at face value, the fact they feel the need to ask on a mountain biking forum is a pretty big indicator this is an overreach by a management desperately trying to placate a client who have a box to tick and little consideration for their contractors following employment law.
Probably read the whole thread then 😉
Feel free to post the relevant quotes and/or links.
Not entirely clear why it needs to piss off the workforce. The majority of people will tick the box/sign the form with no fuss. Some will make a fuss but are going to "pass" anyway. So the only ones who will really be pissed off are the tiny majority who get flagged as a risk. Do you know what is always a load of trouble? A security breach. What else is a load of trouble? Making a bunch of staff redundant because you didn't win the big bank contract.
Yeah, no one has yet demonstrated how running credit checks is going to actually mitigate any of these risks in the real world. Creating a poor working environment is more often than not a death of a thousand cuts type of thing. This is just likely just one more tiny cut.
And it's particularly pointless when there has been no training on secure data handling.
Iso 27001 is good practice but not mandatory
A credit check won't mitigate the risk. It helps to identify where there may be a risk and allow a mitigation to be devised. Which could include being unable to work on that information.
I think you are making a big thing of iso27001 type policies for handling sensitive data, which is different to printing the quarterly report and ensuring the content isn't leaked in return for clearing someone's debt. For sure, if they were 27001 registered then this would be easier, and some stuff in 27001 is probably appropriate for this type of activity, but full 27001 is a different beast.
No, but if I was concerned about third parties handling my sensitive data, ensuring they adhered to ISO 27001 would be my first priority.
Not making the third party's manual workers get credit checks.
No, but if I was concerned about third parties handling my sensitive data, ensuring they adhered to ISO 27001 would be my first priority.
Ah, so its your requirement then? That is quite different to
If it's gotten to the stage where credit checks are required for non-management roles because of data sensitivity concerns, you would assume the company must be ISO 27001 compliant at a minimum. Employee training is a requirement for certification, particularly for employees who are actually handling sensitive data.
If the company isn't even conforming to ISO 27001 then they have no business asking for credit checks. They have far bigger issues to worry about.
We don't have 27001 and are working on projects and handling confidential information to the very highest level of national security. I'd better let our security team know the error of their ways immediately.
A previous employer had everybody get an Enhanced Disclosure/DBS with credit check done for a new client* a good few years ago, but all the employer got was a pass or fail from the vetting agency.
If you refused the credit check, you weren't allowed to work on any of the clients vehicles, or paperwork relating to them.
If you refused the DBS/Disclosure, HR were wanting a 'chat', as it was part of our contracts background checks could be done.
Ironically, the only person in our depot that got a Disclosure fail was the union rep. They'd got him mixed up with somebody else with the same name, who'd apparently been in jail for murder and drug dealing. Took HR a few weeks to find out about the fail, and the union rep had to point out that he'd been employed by the company during the time the Disclosure showed him as being in jail. Took him a good few weeks to get that sorted, as it involved going to a police station to get his fingerprints taken to prove who he was, and then the checks re-run.
*The client in this case was a government agency, that if you searched for, would return no relevant results.
We don't have 27001 and are working on projects and handling confidential information to the very highest level of national security. I'd better let our security team know the error of their ways immediately.
Fair enough. Although I would assume you have documented procedures and training related to security? If one day someone decided you had to be ISO 27001 compliant it wouldn't be like starting from scratch because the requirements aren't normally unique.
I can't imagine there are many security requirements that don't have a strong training element.
What the OP is describing feels more like vibes-based security. Especially as they are on an internet forum asking what is going on.
Love the automatic assumption that money equals integrity.
I'd imagine t's not necessarily money or the lack of it, but debt, and in particular unmanageable debt. In that sense it doesn't matter how much you're getting paid (otherwise you'd have no reason to do a credit check as you can just look at the payroll) but well paid people aren't immune from getting into financial difficulty
If someones in marked financial difficulty for whatever reason, beyond what you'd expect from general cost of living pressures - something more problematic may be at play like gambling, drugs or whatever then that could mark them out as either being of a higher risk of resorting to desperate measures themselves or vulnerable to coercion from others. Coercion and exploitation from others could be the reason for debt in itself.
(I know someone who brought a whole company down and in doing so ****ed up a whole supply chain too after he became 'addicted to prostitutes')
By the way, does everyone realise that things like quarterly earnings reports aren't actually printed prior to release?
They are released digitally and then within less than a second the documents are automatically parsed and thousands of trades are executed based on the results.
A long long time after the documents have been released, dissected, and acted upon (honestly, it could be as much as a minute later) somebody hits print and the paper version is spat out and sent to shareholders.
I'm sure there is other data that could be confidential but for some reason has to go to a commercial printer. However, it is most definitely not the quarterly earnings reports.