Data laws push firms to check suppliers' vetting procedures

Companies will increasingly have to insist that suppliers carry out background checks on their IT staff in order to meet data protection regulations and safeguard confidential information, legal experts said this week.

Last month, a circular from investment bank Citigroup asked its suppliers to confirm that their employees had been vetted before they were given access to Citigroup premises or information. Those whose contract with Citigroup did not include a vetting clause were asked to provide evidence of pre-employment checks.

Legal experts said vetting contract staff along the supply chain is becoming more common for projects involving systems that contain sensitive commercial data.

If a supplier breaches the Data Protection Act, the company that hired them - the prime contractor - will be held legally responsible.

"What Citigroup is asking for is not unusual and is something that prime contractors are advised to do," said James Mulloch, technology partner at law firm Osborne Clarke.

"IT directors will have to act very swiftly if there is a problem [with a supplier breaching data regulations] and they will need to know the legal situation."

However, one City IT manager said, "Employee vetting is one of those things that will hit some sort of critical mass and everyone will be obliged to do it. I personally think it is of marginal value in stopping the professional hacker. And do companies have the CVs of all their staff? One bloke I work with was hired in the pub."

Employee vetting specialists said the growth of offshore outsourcing has made it more difficult to check the details on IT workers' CVs.

Polly Archer, business development director at Kroll Background Europe, said, "Many employers do not have the internal resources to do a thorough background check, which makes it easy for less honest applicants to disguise problems in their career history."

A spokeswoman for Citigroup said its vetting procedures had been in place for a number of years and applied to all third-party suppliers, not just IT companies.
