8

In the UK it is standard for IT workers in financial services to have background checks before starting a role.

It is also now normal for these background checks to be outsourced to a "specialist" company. There are only two or three companies that do this checking in the UK that I know of.

This would all be fine, but I find one (dominant) company in particular insists on requesting sensitive documents being sent to them via email, including:

  • A passport scan
  • Scan of a recent utility bill or council tax bill with full address
  • Scans of a recent bank statement

Now this is not the sort of information that I would ever like to send via email.

What is the best way to deal with this situation, especially when dealing with a large employer and anonymous HR department? There is always a veiled threat that non-compliance with their request will result in the position being lost.

JonnyWizz

1 Answer

7

First thought that comes to mind is whether it is even legal to require all those documents. Passport makes sense (what happens if you don't have a current passport?), but demanding bank statements is a bit skeezy. Common, but skeezy (just because many companies insist on something, doesn't make it legal). That said, this is an issue to ask a local lawyer, as these things are different between countries.

Furthermore, even if it is legal, the question is are you comfortable sending these documents to them (especially bills and statements). In my opinion, you should never agree to this type of thing - however, if you are committed to getting this job, you might have to comply with whatever they insist. You could still try discussing it with them - explain that you're not comfortable with it, and ask the employer (NOT the specialist company) if it is absolutely necessary (it usually isn't, but they ask anyway), and only if they still insist go along with it.

However, all the above is a Workplace.SE type of answer, not a SECURITY answer... so here are some options for you (assuming you want to be sending these documents to them):

  1. Ask them for their public key (PGP or S/MIME, whatever your flavour) and simply send it to them encrypted;
  2. Zip up all the documents and encrypt the archive, send them the password out of band (e.g. call and tell them verbally). Of course, strong passphrase, etc.
  3. Ask if they have a secure service to upload files to, via their website / file safe / etc.

You should probably also ask for some assurance that your documents will be adequately protected once they've received the files (though don't be TOO optimistic about this being forthcoming (i.e. I doubt it)).

AviD
  • The utility bill/bank statement is meant to prove that you live at the address you say you do. It is a common practice in the UK. – Burgi Dec 03 '15 at 13:14
  • @Burgi there are other, better solutions for this, that are more effective and less invasive. Also, as I said, just because it is common, does not mean that it is okay. – AviD Dec 03 '15 at 14:05
  • Requesting bank statements is rather common here too, but I would never ever give my employer a copy of my bank statement. And, when pushed, they are always happy to have me just write down my bank details - for payment purposes, you see. Why on earth would they need me to *prove* where I live? Many companies are just happy to collect as much information about you as possible, "just in case", without regard to privacy implications or even securing that information. – AviD Dec 03 '15 at 14:08
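
Option 2 from the answer (encrypt the archive, share the passphrase out of band), as an added example that is not part of the original answer or comments. It uses GnuPG's passphrase mode with AES-256 as one way to encrypt the archive; it assumes GnuPG 2.1 or later and `tar`, and the function and file names are illustrative.

```sh
# Added example: encrypt a folder of scans with a passphrase (GnuPG 2.1+, tar).
# Function names and file names are illustrative.

# 20 characters from the kernel CSPRNG, drawn from an alphabet without
# look-alikes (no 0/o, 1/i/l) so it can be read out over the phone (~99 bits).
gen_passphrase() {
    head -c 1024 /dev/urandom |
        LC_ALL=C tr -dc 'abcdefghjkmnpqrstuvwxyz23456789' | cut -c1-20
}

# encrypt_bundle OUT PASSFILE DIR
# The passphrase is read from file descriptor 3, so it never shows up in the
# process list or shell history. The passphrase itself is not stored in OUT.
encrypt_bundle() {
    out=$1 passfile=$2 dir=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    tar -czf - -C "$dir" . |
        gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
            --symmetric --cipher-algo AES256 \
            --s2k-digest-algo SHA512 --s2k-count 65011712 \
            --output "$out" 3<"$passfile"
}

# decrypt_bundle SRC PASSFILE DESTDIR
# What the recipient runs; also a round-trip check before you send anything.
# A wrong passphrase makes gpg emit nothing, so tar fails and so does this.
decrypt_bundle() {
    src=$1 passfile=$2 dest=$3
    mkdir -p "$dest"
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$src" 3<"$passfile" | tar -xzf - -C "$dest"
}

# Usage: umask 077; gen_passphrase > pass.txt
#        encrypt_bundle documents.tar.gz.gpg pass.txt ./scans
# Send the .gpg file by email and read pass.txt out over the phone.
```

Delete the passphrase file once the recipient confirms they can open the archive.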