Article 2: Rethinking Pre-Employment Screening: Building Proportionate, Risk-Led Workforce Assurance


Executive Summary

Pre-employment screening is often treated as an administrative gateway: a set of standard checks applied uniformly to every role, regardless of consequence or risk embodied in the role. In Australia’s critical infrastructure environment, this approach is no longer adequate, and in some cases, it may even create new vulnerabilities.

Importantly, most organisations already do a significant amount of checking during recruitment. Identity and right-to-work verification, qualification and licence checks, referee checks, police checks, conflict-of-interest declarations and basic probity reviews are routine. The opportunity is not to build something entirely new, but to organise what already exists into a coherent, risk-led assurance capability, adding further elements only where necessary.

Government and outsourced background checks, including programs such as AusCheck, have a role to play. However, they cannot replace an organisation’s own responsibility to understand role-specific security risk and design screening that is proportionate to the potential consequences. This article focuses on how that capability can be built using processes many organisations already have, refined and aligned to risk.

Effective screening is not about adding more checks, gathering more data, or outsourcing more processes. Instead, it is about aligning existing recruitment practices to the real security risks associated with specific roles, the environment in which they operate, and the consequences if those roles were compromised. With thoughtful design, this can often be achieved without large new investment, and, over time, may reduce duplication and unnecessary reliance on third parties.

Drawing on the Commonwealth Government Protective Security Policy Framework (PSPF), AS 4811:2022 Workforce Screening, international adjudicative guidelines, and the broader expectations of the Security of Critical Infrastructure (SOCI) legislative framework, we outline a shift from generic background checking toward proportionate, risk-led workforce assurance.

That shift begins with understanding why a role matters. Screening becomes tiered rather than uniform, lighter where risk is low, deeper where consequences are high, and always grounded in fairness, relevance, transparency, and privacy.

Just as importantly, screening must avoid stigmatising individuals. Risk factors such as financial stress, conflicts of interest, or behavioural concerns are not judgements about character. When interpreted ethically, they help organisations identify where support, dialogue or proportionate controls may be appropriate, protecting both the person and the organisation.

This second article in the series sets out the key principles of proportionate screening, explains how eligibility differs from suitability, and shows how existing recruitment checks can be integrated into a structured, defensible framework. Pre-employment screening, however, is only the beginning. The third and final article in this series will explore ongoing suitability and offboarding, and how organisations can continue to support a trusted workforce while managing personnel security risk across the employment lifecycle.

What pre-employment screening is — and is not

Across many organisations, pre-employment screening has evolved gradually over time. Checks have been added ad hoc in response to incidents, policies, procurement requirements or regulatory expectations. As a result, screening is often seen as a transactional step at the end of recruitment rather than as a deliberate part of workforce assurance.

Before designing or refining screening, it is important to be clear about what it is and what it is not.

Pre-employment screening is not…

It is not an integrity test. Screening is not designed to determine whether someone is “good” or “bad”. People are complex; there are no inherently good or bad people. What matters are the behaviours, actions (and inactions) and circumstances that may create risk. Screening cannot predict future behaviour and should never be used as a character judgement.

It is not a punishment. Screening should not be framed as something that happens because people cannot be trusted. When it is positioned this way, it can undermine morale and discourage applicants from being open about legitimate issues.

It is not a duplication of AusCheck or other external checks. Government background checks have specific statutory purposes. Organisational screening should complement, not replicate, these processes, and should be anchored in the organisation’s own risk profile.

It is not a simple yes/no trust decision. Screening is not about deciding who is inherently trustworthy. Many issues identified can be managed through proportionate controls, support, or conditions, rather than exclusion of the person.

Pre-employment screening is…

A structured security control. Screening is one element of the organisation’s broader protective security and risk management framework. It helps decision-makers understand potential vulnerabilities associated with particular roles.

Focused on role risk and consequences. The depth of screening should be driven by the sensitivity of the role, the access involved, and the potential consequences if it were compromised, not by the individual as a person.

A way to support fair, proportionate suitability decisions. Screening provides information to help determine whether a person is suitable for a specific role right now, and whether any additional supports or safeguards may be appropriate.

Part of broader CIRMP and PSPF thinking. Within the Security of Critical Infrastructure environment, screening contributes to managing personnel hazards across the lifecycle. It aligns closely with the Protective Security Policy Framework and with principles in AS 4811:2022, which emphasise proportionality, relevance and respect for individuals.

When framed this way, screening shifts from being a compliance checkpoint to becoming an informed, ethical and defensible decision-making process, one that supports both organisational resilience and a trusted workforce.

Start with risk — not with checks

One of the most common mistakes in pre-employment screening is starting with a list of checks and then trying to justify why they are needed. This reverses the logic. In a critical infrastructure environment, screening should begin not with the tools available, but with the risks that need to be managed.

The question is never, “What checks should we do?”

The more precise question is, “What could go wrong if this role is compromised by the person filling it, and what information genuinely helps us manage that risk?”

Understand the enterprise risk environment first

Every organisation operates within a broader threat landscape. For critical infrastructure entities, this includes risks such as:

  • insider threat — intentional and unintentional
  • foreign interference and coercion
  • misuse of privileged access
  • fraud, corruption and procurement manipulation
  • disruption to essential services
  • erosion of public trust or reputational harm.

The starting point for screening is, therefore, the same starting point as any other security control: What are the credible threats — and what are the consequences if they materialise?

By anchoring screening in the organisation’s existing threat and risk assessments, we avoid arbitrary decisions and, therefore, ensure screening remains proportionate, defensible and directly linked to operational realities.

Then consider role-specific risk

Not all roles carry the same risk exposure. Two people may work in the same organisation, under the same policies, but the risk associated with their roles may be very different.

Some roles are more critical because they carry elevated risk exposure. Typically, these roles involve:

  • privileged access to networks, data or operational systems
  • authority to approve payments, contracts or suppliers
  • visibility of sensitive or protected information
  • influence over safety-critical processes
  • the power to bypass controls or override safeguards
  • trusted access to restricted facilities or assets.

At this point, the key question shifts from “Who is this person?” to “What risk sits in this role, and what assurance is reasonable given the consequences if things go wrong?”

This distinction matters. Screening becomes targeted, fair and proportionate, rather than blanket, intrusive or unnecessarily burdensome.

Identifying critical positions and critical workers

Within the SOCI legislative framework, some roles will meet the threshold of “critical” because compromise, absence or misconduct could materially affect essential services. Individuals occupying these roles are defined as critical workers.

Identifying critical workers is, therefore, not about status or seniority. It is about:

  • access — to systems, facilities, people and data
  • influence — formal and informal decision-making power
  • authority — capacity to approve, commit or direct resources
  • privilege — ability to disable controls, bypass oversight or make untraceable changes.

Equally important is avoiding over-designation. If too many roles are classified as critical, attention and resources are spread too thin, and the meaning of “critical” is diluted. If too few are identified, key vulnerabilities remain invisible.

The principle that flows from this is simple and central to proportionate screening: We screen because of the role, not because of the person.

The person comes later. The role comes first.

Once the risk profile of the role is understood, screening can be calibrated to that level of exposure, rather than driven by habit, fear or assumption. This creates clarity for decision-makers, fairness for applicants, and assurance that screening genuinely contributes to the management of personnel-related security risks.

Principles of proportionate, ethical screening

If screening is to support genuine workforce assurance, rather than simply collect more information, it needs to be guided by clear principles. The Australian Workforce Screening Standard (AS 4811:2022), together with the Protective Security Policy Framework (PSPF), offers a strong foundation for doing this well.

These principles matter for two reasons:

  • They protect the organisation, by ensuring screening is proportionate, defensible and risk-led.
  • They protect the individual, by ensuring screening is fair, respectful and ethical.

Proportionality

Screening should always be calibrated to the risk of the role.

Higher-risk roles may justify deeper checks, but most roles do not. Over-screening creates unnecessary cost and delay, resentment, false reassurance and privacy risk, while distracting attention from genuinely critical positions.

The depth of screening should increase only where the consequences of compromise clearly justify it.

Necessity and relevance

Every check included in a screening program should answer a simple question: “How does this help us understand role-related risk?”

Checks that are interesting, but not relevant to the role, should not be included. Gathering information “just in case” increases risk and complexity without improving assurance.

Transparency and informed consent

Screening should not feel secretive or punitive. Applicants and employees should clearly understand:

  • what information is being collected
  • why it is needed
  • how it will be used
  • how long it will be retained
  • who will have access to it.

Transparency builds trust. It also helps ensure candidates can correct inaccuracies and participate fairly in the process.

Fairness and non-discrimination

Screening must avoid unfairly disadvantaging people because of background, circumstance or past issues that are unrelated to the role. Risk should be assessed in context, considering:

  • time elapsed
  • remediation or rehabilitation
  • relevance to the role
  • mitigating controls.

The goal is not exclusion. The goal is understanding where vulnerability may exist and whether it can be managed safely and proportionately.

Privacy protection

Screening necessarily involves handling sensitive personal information. That creates risk in itself. Strong governance, secure handling, access controls and clear retention policies are essential. Information should only be collected, stored and shared where legally justified and operationally necessary, and disposed of when no longer required.

Protecting privacy is not just a legal obligation. It is part of maintaining trust in the workforce assurance system.

Defensibility and documentation

Decisions made during screening must be explainable. This means documenting:

  • why certain checks were chosen
  • what was considered
  • how risk was assessed
  • why a decision was made.

Defensible screening does not rely on gut feelings or informal judgement. It demonstrates a clear link between role risk, evidence, organisational policy and the final decision.

A wellbeing-centred approach

Finally, effective screening recognises that people are not problems to be solved. They are part of the resilience of critical infrastructure. Where vulnerabilities are identified, the response should aim to:

  • support the individual
  • reduce pressure and coercion risk
  • apply reasonable controls
  • avoid unnecessary stigma.

In many cases, vulnerabilities can be managed safely through role design, supervision, access control, conditions, or wellbeing support, not by excluding capable people from employment.

Designing role-based screening tiers

Once screening is anchored in risk, the next question becomes: How deeply should we screen different types of roles?

The answer is not to screen everyone the same way. Instead, mature organisations align screening depth to role exposure and consequence, a tiered approach.

This concept is strongly supported by AS 4811:2022, the PSPF, and the intent of the CIRMP personnel hazard provisions: apply controls proportionately, and only where they make sense.

Example of the tiered screening model

A tiered model recognises that not all roles present the same level of security risk.

Each tier is described below by role exposure, typical examples, screening focus (at a high level) and the rationale for that level of assurance.

Tier 1: Baseline assurance

  • Role exposure: low access; limited autonomy; minimal consequences if compromised.
  • Typical examples: administrative support; customer service roles; supervised operations; short-term interns.
  • Screening focus (high level): identity and right-to-work verification; basic employment history confirmation; referees where relevant.
  • Why this level? Avoids over-screening; protects privacy; provides essential assurance without unnecessary intrusion.

Tier 2: Enhanced assurance

  • Role exposure: moderate access; some decision-making; potential business disruption if compromised.
  • Typical examples: supervisors; analysts; engineers; finance staff; procurement support; vendor management roles.
  • Screening focus (high level): all Tier 1 checks; police check where justified; qualifications and licences verified; conflict-of-interest declaration; targeted referee checks.
  • Why this level? Balanced assurance aligned to role exposure and consequences; focuses on relevance, fairness and proportionality.

Tier 3: High assurance (critical roles)

  • Role exposure: privileged access; authority over critical assets; significant operational or security impact if compromised.
  • Typical examples: system administrators; control-room operators; cyber roles with privileged access; executive decision-makers; key contractors; critical suppliers’ personnel.
  • Screening focus (high level): all Tier 2 checks; deeper verification where risk warrants it; structured suitability assessment; additional controls where appropriate (segregation of duties, monitoring, governance).
  • Why this level? Consequences justify deeper assurance; designed to understand vulnerabilities, not to “exclude by default”; ethical, proportionate and documented.

Why tiering matters

A tiered model:

  • prevents over-screening and privacy intrusion
  • concentrates effort where risk truly sits
  • reduces cost and unnecessary delay
  • provides clear governance and defensibility
  • links workforce assurance to CIRMP personnel hazards
  • creates the minimum necessary data holding for decision-making.

This alignment ensures that screening supports the organisation’s broader governance settings, rather than becoming an ad-hoc HR activity or an outsourced procedural requirement.

Eligibility vs suitability: why the distinction matters

A powerful way to strengthen workforce assurance is to separate eligibility from suitability criteria. These terms are often used interchangeably, yet they serve very different purposes.

Eligibility is about whether a person can lawfully and legitimately be employed. It generally involves verifying identity, confirming the right to work, and ensuring any legally required qualifications, licences or registrations are valid. These checks tend to be binary: the conditions are either met, or they are not.

Suitability is different. It considers whether a person is appropriate for a particular role, at a particular time, given the responsibilities and exposures involved. Suitability takes into account reliability, judgement, integrity, conflicts of interest, sound and stable character, and whether life circumstances could reasonably increase vulnerability to pressure, coercion or misuse of privileged access. It is a contextual assessment of the alignment between the role, the individual, and the safeguards available to manage risk fairly and proportionately.

This way of thinking is consistent with mature adjudicative guidelines internationally. It is not harsher; it is more transparent, ethical and defensible.

Using risk factor frameworks without stigmatising people

Risk factor frameworks, including those reflected in the PSPF and international adjudicative guidelines, provide structure for thinking about vulnerability. When used well, they help organisations avoid guesswork and apply consistent reasoning. When used poorly, they stigmatise people and create fear.

The starting point is recognising that vulnerability does not equal misconduct. Financial pressures, family obligations, health or psychological challenges, or complex overseas connections are part of normal human life. They only become relevant when they intersect with roles that carry elevated access, authority or exposure.

Context matters greatly. The same issue may be insignificant in one role and require careful management in another. Time elapsed, evidence of rehabilitation, support systems and organisational controls all shape what the appropriate response should be.

In many situations, the most ethical and effective response is not exclusion, but support, monitoring, or small adjustments to role design or access arrangements. Screening, when done well, becomes a way of looking after people while protecting the organisation, not a process for disqualifying individuals. This mindset is of particular importance when seeking people with rare skills and capabilities essential for your operations.

Practical screening components — chosen carefully

Pre-employment screening works best when every element has a clear purpose. The aim is not to collect as much information as possible, but to gather only what is necessary to make fair, risk-informed decisions.

In practice, screening will often include core elements such as identity and right-to-work verification, confirmation of qualifications and licences, structured referee conversations, and where justified, targeted probity checks and assessments. For higher-exposure roles, additional verification may sometimes be appropriate, but only when there is a clear and defensible link to the risk profile of the position.

Unnecessary duplication or intrusive checks that are only loosely related to risk should be avoided. They increase privacy exposure, generate frustration and rarely strengthen assurance.

Where applicants have lived or worked predominantly overseas, verification may be more difficult. In these cases, fairness and proportionality are crucial. Rather than defaulting to refusal, organisations may consider staged access, closer supervision, time-limited conditions, or other reasonable controls while confidence is built.

Governance: preventing ad-hoc decisions

Without governance, screening decisions can quickly become inconsistent, personality driven and legally vulnerable. Clear roles and processes help ensure decisions are made objectively and transparently.

A sound governance approach sets out who is authorised to make screening decisions, what suitability criteria apply, when matters should be escalated, and how privacy will be protected. It also requires disciplined recordkeeping so that decisions can be explained and defended if questioned later.

Embedding screening governance into broader CIRMP oversight reinforces the principle that personnel hazards are managed systematically, not informally.

Communication, trust and workforce culture

Technical design alone does not determine whether screening succeeds. How it is communicated shapes whether the workforce experiences screening as supportive or intrusive.

Screening should be positioned as something done with people, not to them. It is a journey taken together. When leaders explain the purpose clearly, emphasise fairness and dignity, and provide clarity and opportunities for questions and feedback, trust grows. When screening is poorly communicated, it can create anxiety, discourage disclosure and undermine the very resilience it is meant to support.

Strong leadership tone, honest messaging, and visible respect for privacy are key ingredients. In this sense, screening becomes part of broader security culture, reinforcing the message that people are central to resilience, not simply seen as risks being controlled.

Pre-employment screening for existing critical workers

As organisations identify critical roles, they often discover that many of those positions are already filled. Applying improved screening standards retrospectively must be handled carefully.

Re-screening existing workers should be phased, well-explained and grounded in fairness. Communication should focus on the purpose (protecting essential services, supporting a trusted workforce and aligning with evolving regulatory expectations) rather than implying suspicion. Where concerns arise, responses should be measured, respectful and solutions-focused.

Collaboration with HR, legal teams and, where appropriate, unions or workforce representatives can help ensure the process remains proportionate and ethical.

Conclusion

For Australia’s critical infrastructure entities, pre-employment screening is no longer a procedural formality. It is a deliberate security control that helps organisations understand where role-related vulnerabilities may exist and how they can be managed fairly, proportionately and ethically.

Most organisations already hold many of the building blocks: identity checks, right-to-work verification, qualifications, referees, conflict-of-interest declarations and basic probity. When these are reorganised into a tiered, risk-led framework, grounded in AS 4811:2022, the PSPF and CIRMP expectations, screening shifts from “ticking boxes” to genuinely supporting resilience.

The principle is simple. We screen because of the role, not because of the person. Higher-risk roles justify deeper assurance; lower-risk roles shallower assurance. When screening is anchored in role consequences, supported by clear governance and strong privacy protections, it becomes both defensible and humane. It avoids unnecessary exclusion, reduces reliance on generic external programs, and builds confidence without intruding where risk does not warrant it.

Pre-employment screening is only the beginning. Most personnel security risk emerges later, as responsibilities grow, circumstances change, and people eventually transition out of organisations. The final article in this series will focus on what comes next: building practical, ethical models for ongoing suitability and secure, well-managed offboarding, ensuring that trust is supported across the entire employment lifecycle, not just at the point of hiring.
