The Employment Rights Act: What It Means for the People with Access to Your Systems

The Employment Rights Act 2025 is being discussed mainly as an HR compliance change. This is true, but for leaders responsible for safeguarding, reputation, data, or access to critical systems, there’s a more uncomfortable question underneath it: **What happens when the person you shouldn’t have hired is already inside?**

TL;DR

The cost of weak process and thin documentation is going up.

In higher-trust roles, scrutiny isn’t just “were checks done?” It’s “was the decision process reasonable, consistent, and evidenced, and can you prove it quickly?”

Most “online checks” still fail that test: subjective, inconsistent, and hard to defend after the fact.

The answer isn’t more checking. It’s governed checking: role-relevant, bounded, and auditable.

I will be writing a fuller joint paper in the coming weeks. This is the shorter warning: if your process can’t be described, repeated, and evidenced, it’s weaker than it looks.

The real shift: hiring is a governance decision

Most commentary focuses on obligations once somebody is already in the organisation, which matters. But the more important pressure is upstream.

In roles involving trust, systems access, vulnerable people, sensitive data, financial authority, or public representation, recruitment isn’t just an HR workflow. It’s a governance decision.

The scrutiny question is no longer simply, “Did we hire well?”

It’s: “Was our process reasonable, consistent, and evidenced, and could we demonstrate that fast if challenged?”

The post-hire window is narrower than it looks

On paper, organisations still have routes to deal with misconduct, poor judgment, or emerging concerns after hire.

In reality, the room to act often feels much smaller.

A safeguarding concern doesn’t stay neatly inside HR. A reputational issue doesn’t wait for a formal process. A bad access decision can become data loss, disruption, regulatory attention, or a leadership crisis before you’ve even got your footing.

You may still be able to act later. Later is just already expensive.

And as legal and procedural expectations become more specific, inconsistency becomes more costly, and weak documentation becomes harder to defend.

Where “online checks” unravel

Traditional checks still matter: references, right-to-work, qualifications, statutory checks such as DBS (England & Wales), PVG (Scotland), or AccessNI (Northern Ireland).

However, they mostly confirm recorded or declared information. They weren’t built to surface role-relevant digital risk signals - the kind that often only become “obvious” after something goes wrong.

So organisations reach for the informal online check.

And that’s often where the control disappears.

A manager runs a quick search. Someone forwards screenshots. A concern is raised informally. Nobody’s clear what was in scope, what thresholds apply, who owns the judgment, or what should be recorded.

This isn’t control. It’s undefined discretion.

And undefined discretion is very hard to defend once scrutiny arrives.

If two managers would search differently, notice different things, and reach different conclusions for the same role, you don’t have a due diligence standard. You have variation dressed up as common sense.

What “defensible” looks like now

The answer isn’t broader snooping. It isn’t a reputational trawl. It isn’t treating public information as a free-for-all.

The answer is a governed, consistent process.

Be clear which roles justify additional due diligence, what signals are relevant, who is permitted to review them, where escalation sits, and how rationale is documented.

Human judgment stays in the process. Guesswork comes out of it.

Used properly, Digital Risk Screening isn’t “Googling with better branding.” It’s a structured, auditable, role-relevant step designed to surface signals standard checks may never reveal - then route them into a fair, documented decision path.

The important word isn’t digital. It’s governed.

What protects an organisation isn’t simply finding more. It’s being able to show that what was reviewed was relevant, proportionate, and handled consistently.

Final thought

The Employment Rights Act isn’t really the story here. It’s the forcing function.

When the cost of weak process goes up, the quality of your pre-hire judgment matters a lot more.

If your current online checking process can’t be described, repeated, quality-assured, and evidenced, it probably isn’t protecting you as much as you think.

Get the decision process right before access is granted.

That’s where the risk now sits.
