Personnel security vetting policyPublished: 03 April 2023
Freedom of information class: How we manage our resources
Registers of Scotland's (RoS) policy on Personnel Security Vetting in compliance with National Security, Cabinet Office and the Centre for the Protection of National Infrastructure (CPNI) guidance.
Personnel security vetting standard operating procedure
RoS is subject to UK Government security requirements and follows National Security, Cabinet Office and National Protective Security Authority (NPSA) guidelines. The purpose of this policy is to provide assurance as to the trustworthiness, integrity and reliability of RoS employees, contractors and temporary staff to ensure the security of our assets and our data.
RoS requires all new employees or contractors to meet the Baseline Personnel Security Standard (BPSS). (This includes all RoS employees and non-RoS employees who work in or regularly visit our premises, for example temporary staff, contractors, consultants, and business partners, or those who require access to RoS data or equipment.)
We have assessed the vast majority of employee roles within RoS as low risk that require a BPSS check, which will be conducted by Human Resources (HR) as part of normal pre-employment checks. This BPSS check must be completed before a contract of employment is issued. In exceptional circumstances, this requirement may be waived, but only by written approval from the appropriate Head of Service or Director.
Where approval is given, all pre-employment checks required as part of the BPSS must be completed within three months of employment starting. Where the clearance required for the post is higher than BPSS this will be authorised exclusively by the RoS Departmental Security Officer. Decisions must be based on an assessment of the security risk and the justification and approval will be recorded, with regular reporting to the Departmental Security Group. Please contact HR if further guidance is required.
The BPSS check includes a requirement to provide a Basic Disclosure Scotland certificate; Disclosure certificates will be considered valid for one year from the date of issue.
Similarly, we have assessed a default low risk categorisation for non-RoS employees. Their BPSS checks or equivalent should be provided for as part of any contractual arrangements and the appropriate RoS sponsor should satisfy themselves through contract monitoring that adequate arrangements are in place.
The Estates Team will ensure that BPSS checks have been undertaken on all contractors or engaged personnel who provide or support facilities management activities. IT Service Team will ensure security checks have been undertaken on all contractors or engaged personnel working on RoS information systems.
Directors are responsible for identifying and designating any RoS posts or roles that require a higher level of security clearance and for reviewing this regularly to ensure it is appropriate in accordance with any general or specific guidelines.
Where access to more sensitive assets is required, higher levels of security clearance such as National Security Vetting (NSV) Security Check (SC), Counter Terrorist Check (CTC); Developed Vetting (DV) may be applied to ensure that such posts are filled by individuals who are unlikely to be susceptible to influence or pressure which might cause them to abuse their position. Human Resources will ensure that appropriate level security checks are undertaken for such posts.
The RoS Departmental Security Officer will review the list of posts that require a higher level of security clearance annually or more frequently in the event of a change in security policy, posture, or risk assessment.
Where an individual is refused a post on the grounds of security or their security clearance level is not given or is revoked, they may submit an appeal to the RoS Departmental Security Officer using the RoS Grievance procedures (for employees) or the RoS complaints procedure (for non-employees).
Approval and review
This policy will be reviewed and approved by the Policy and Practice Group annually, unless earlier review is appropriate.
|Author||Employee Relations Manager|
|Reviewed||Head of People and Change|
|Cleared||Director of People|
|Approval||Policy and Practice Group|
|Approval date||Existing policy|
|Review responsibility||Policy and Practice Group|
|Review date||April 2024|
|Suitable for publication||Y|