Continuous vetting: moving beyond the checkbox

Background checks aren't "tick box and forget." Risks evolve, circumstances change. Statutory requirements in the UK and South Africa already mandate periodic rechecks (requiring UK schools to update DBS checks after service breaks or through the Update Service, while South African educators must maintain SACE-mandated police clearances and sex offender registry vetting). The aim is to build smarter systems that keep you compliant, protect vulnerable people, and reduce admin overhead - not create unnecessary burden. Nevertheless, getting it right means clear policies, proper contractual terms, and understanding what tools - like the DBS Update Service - actually enable.

Understanding what you're already required to do

Let's start with the basics: you're probably already supposed to be doing periodic checks.

In the UK, organisations working with vulnerable groups are required to renew DBS checks at regular intervals - typically every three years, though some sectors require more frequent rechecks. In South Africa, similar requirements exist for police clearance certificates.

These aren't optional. They're statutory requirements designed to ensure that safguarding stays current.

The problem? Most organisations handle these renewals manually. HR chases people for updated certificates. Deadlines get missed. And in the meantime, you're operating with outdated information.

This is where tools like the DBS Update Service become valuable. For £16 per year (free for volunteers), individuals can keep their DBS certificate current – and with their permission, employers can check the status online at any time.

It doesn't replace the need for periodic rechecks. But it does make the process cleaner, faster, and less prone to human error.

The gap between statutory requirements and real risk

Statutory rechecks are necessary, but they're not sufficient.

Why? Being on a register only proves that you’ve been caught.

A three-year cycle - remember this is only recommended, not mandatory (in the UK) - means someone could be flagged on a barred list, have their professional credentials revoked, or be charged with a serious offence - and you wouldn't know until the next scheduled check.

This isn't hypothetical. It happens. And when it does, "we were waiting for the next statutory recheck" isnot a good look during an investigation.

The question organisations need to ask is: what level of risk are we comfortable with between statutory checks?

For some roles, the answer might be "we'll stick to the minimum." For others - particularly those involving direct access to children and vulnerable adults - the answer should probably be "we need to know sooner."

Look at continuous vetting as something that gives you reasonable visibility beyond registers.

What continuous vetting actually means

Continuous vetting doesn’t mean real-time monitoring of staff. That would be intrusive, costly, and often disproportionate. Instead, it means checking the right risk indicators at sensible intervals, based on role and safeguarding exposure.

In the UK, this might include DBS Update Service checks, right to work re-checks, and professional credential validation.

In South Africa, it may look like annual re-screening, role-change triggers, and using providers like TPN for fast, repeatable on-demand checks (for example identity, credit, and criminal record checks) as part of a structured compliance cycle.

Safehire.ai supports this with whole workforce monitoring, annual background re-checks, and deeper searches of the surface and the dark web that can surface risk signals not yet on registers.

The goal is to have fewer blind spots, while respecting the right to privacy and not creating admin overload.

The legal and contractual foundations

Here’s is something you may not be immediately aware of:

you can’t simply start running annual or continuous re-checks on existing employees unless you’ve laid the legal and contractual groundwork.

If your employment contract and safeguarding policies only cover initial vetting at hire, then expanding into whole workforce monitoring later may require consultation, consent, or a formal contract variation.

You have two sensible routes:

1. Write it into contracts from day one (best going forward)

The cleanest approach is to make periodic re-vetting a clear condition of employment in safeguarding roles. Your contract should state:

• An initial check will be completed at hire
• Further checks may be completed at defined intervals
• Checks may also be triggered by role changes or risk events
• This is part of the organisation’s safeguarding duty of care

2. Future-proof with policies you can evolve

A more flexible approach is to reference a safeguarding and vetting policy that can be updated from time to time. That way, as risks change (and regulation evolves), your approach can evolve too, without rewriting every contract.

For existing staff, changes must still be reasonable, proportionate, and clearly communicated, and may require consultation.

Your approach should be lawful, defensible vetting that keeps pace with real-world safeguarding risk.

Making it work in practice

Effective continuous vetting should feel invisible until it matters.

Here's are some thoughts on good implementation:

• Clear contractual terms or policy provisions from the start
• Automated monitoring aligned with statutory requirements and risk appetite
• Alerts delivered only when status changes or a check is due
• Defined processes for acting on findings - suspend access, investigate, escalate as needed
• Full audit trails for compliance and transparency

Do this, and you will no longer have to chase HR for renewal dates. Rely on people to self-report issues. Hope the last check was recent enough.

The shift we need to make

Safeguarding isn't a point-in-time activity. It's ongoing. And while statutory requirements set a baseline, they really aren’t designed to cover every scenario or catch every risk as it emerges.

The organisations that get this right tend not to be doing more checks for the sake of it. They do smarter checks – at the right intervals, with the right tools, and with proper processes in place.

Be transparent, promote why you are doing this, and build it into your systems, contracts, and culture from the beginning. The safety of our children and the right to privacy of our staff can exist in the same sentence.

So, what now?

If you want to move beyond “tick-box vetting”, don’t start by doing more checks. Start by building a system that’s repeatable, lawful, and proportionate.

Here’s a practical next step plan:

• Map your safeguarding roles: who has access to children or vulnerable people, and what level of risk that creates
• Define your baseline intervals: what’s statutory, what’s sensible, and where role-based triggers should apply
• Check your legal foundations: update contracts for new hires and ensure policies allow periodic re-checks (with consultation where needed)
• Reduce admin overhead: automate reminders, due dates, and audit trails so HR isn’t chasing paperwork
• Choose the right tools: use registers and update services where they exist, and add deeper screening where registers don’t tell the full story

Platforms like Safehire.ai help organisations operationalise this through whole workforce monitoring, annual re-checks, and deeper searches that can surface risks not yet on formal registers.

‍