Vetting Hub, Specialist Training Courses in Screening, Vetting and Compliance

Expert training for confident hiring, identity assurance and people based risk decisions, created by Graham and Vivianne Johnson with industry experience since 2006.

  • Jan 15, 2026

Common BS7858 Mistakes (From 18 Years of Training)

    From reference fraud to documentation disasters, discover the BS7858 mistakes we see repeatedly in training sessions and learn how to avoid them completely.

    After delivering hundreds of BS7858 training sessions across the UK, we've seen the same mistakes crop up time and again. These aren't small oversights, they're errors that can invalidate your entire screening process, expose your organisation to legal risk, and damage your reputation with clients and regulators.

    In our BS7858 Screening Standard Course, we dedicate an entire module to these common pitfalls because we know that understanding what can go wrong is just as important as knowing what to do right. As we covered in our complete BS7858 training guide, the standard is comprehensive, but it's in the practical application where most employers struggle.

    Let me share the mistakes we see most frequently, along with real examples from our training rooms (names and details changed, naturally) and, crucially, how to avoid them.

    The "We've Always Done It This Way" Syndrome

    This is the number one issue we encounter. An HR manager will attend our training session and realise with horror that their organisation has been conducting BS7858 screening incorrectly for years, sometimes decades.

    Last month, a facilities management company sent their compliance officer to our course. Within the first hour, she was sending urgent messages to her MD. They'd been conducting five-year employment histories instead of the required continuous five-year period. The difference? They were checking five years of employment but ignoring gaps. Someone could have had three years of employment and two years completely unaccounted for, and they'd have sailed through their process.

    The BS7858 standard requires a continuous, unbroken five-year history. Every single day must be accounted for. Employment, unemployment, education, travel, caring responsibilities, whatever someone was doing, it must be documented and verified where possible.

    This mistake typically happens because organisations confuse BS7858 with basic pre-employment checks. They think "five years" means "five years of jobs" rather than "five complete years of someone's life."
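    The difference between "five years of jobs" and a continuous five-year history can be checked mechanically. The following is an added example, not part of the original article or of the standard's text: it walks the declared periods and reports every span of days in the window that nothing covers. The record layout, function names and sample dates are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample declaration: (activity, first_day, last_day), inclusive.
DECLARED = [
    ("employment", date(2021, 1, 15), date(2022, 6, 30)),
    ("travel",     date(2022, 7, 1),  date(2022, 9, 14)),
    ("employment", date(2022, 10, 3), date(2024, 3, 31)),
    ("education",  date(2024, 2, 1),  date(2026, 1, 15)),
]


def screening_window(as_of, years=5):
    """Return (start, end) of the continuous period ending on `as_of`."""
    try:
        start = as_of.replace(year=as_of.year - years)
    except ValueError:  # as_of is 29 Feb and the target year has no 29 Feb
        start = as_of.replace(year=as_of.year - years, day=28)
    return start, as_of


def unaccounted_periods(periods, as_of, years=5):
    """Return (first_day, last_day) spans in the window that no period covers."""
    win_start, win_end = screening_window(as_of, years)
    one_day = timedelta(days=1)
    gaps = []
    cursor = win_start  # earliest day not yet shown to be covered
    for _, start, end in sorted(periods, key=lambda p: p[1]):
        if end < start:
            raise ValueError(f"period ends before it starts: {start} > {end}")
        if end < cursor or start > win_end:
            continue  # entirely before the cursor or after the window
        if start > cursor:
            gaps.append((cursor, start - one_day))
        cursor = max(cursor, end + one_day)
    if cursor <= win_end:
        gaps.append((cursor, win_end))
    return gaps


if __name__ == "__main__":
    as_of = date(2026, 1, 15)
    # Full declaration: overlapping periods are fine, uncovered days are not.
    for first, last in unaccounted_periods(DECLARED, as_of):
        print("unaccounted:", first, "to", last)
    # The mistake described above: looking at jobs only hides the other periods.
    jobs_only = [p for p in DECLARED if p[0] == "employment"]
    for first, last in unaccounted_periods(jobs_only, as_of):
        print("jobs-only view misses:", first, "to", last)
```

    Each span returned is something the applicant still has to declare and explain; an empty list means the declaration is continuous, not that it has been verified.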


    Training Tip from Graham and Vivianne Johnson:

    When you're auditing your current screening process against BS7858, don't just check that you're doing the components. Check that you're doing them to the correct depth and timeframe. We've created a gap analysis template in our BS7858 Employer & Applicant Guidance Pack specifically for this purpose.


    The Reference Verification Shortcut

    Here's a conversation we've had more times than we can count. An employer tells us they verify references by sending an email to the provided reference contact. When we ask how they verify that the email address actually belongs to the stated organisation, we're met with blank looks.

    Reference fraud is sophisticated now. We're not talking about someone asking their mate to pretend to be their old manager. We're seeing:

    • Fake company email addresses that look legitimate (companyname-uk.com instead of companyname.co.uk)

    • Virtual phone numbers that forward to an accomplice

    • Fabricated company websites complete with fake staff directories

    • Professional reference services that will verify anything for £50

    One security company sent someone to our training who'd just discovered that three of their "verified" references were completely fabricated. The candidate had created convincing email addresses, set up a basic website, and used a virtual receptionist service. The references checked out because nobody had independently verified that the contact details actually belonged to the stated companies.

    The BS7858 standard is explicit about this. You must independently verify reference contact details. That means:

    • Looking up the company's official website yourself (not using links the candidate provides)

    • Finding the HR department or relevant manager's contact details independently

    • Calling the company's main switchboard and asking to be transferred

    • Verifying that the person giving the reference actually works there and in the capacity they claim
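    One part of this check can be automated: comparing the domain of the referee's email address with the domain you found yourself. The sketch below is an added example, not code from the original article. It flags addresses such as the companyname-uk.com case above. The suffix list, filler tokens, threshold and function names are assumptions; `official_domain` must come from your own lookup, never from the candidate.

```python
from difflib import SequenceMatcher

# Assumption: a short suffix list for the demo. Real tooling should load the
# Public Suffix List rather than hard-code suffixes.
SUFFIXES = ("co.uk", "org.uk", "ltd.uk", "com", "net", "org", "uk")
# Assumption: tokens that may be added to a genuine name in a lookalike domain.
FILLER = {"uk", "ltd", "group", "hr", "careers"}


def split_domain(domain):
    """Return (organisation_label, suffix), e.g. ('companyname', 'co.uk')."""
    domain = domain.strip().lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    head, _, tail = domain.rpartition(".")
    if not head:
        raise ValueError(f"not a domain name: {domain!r}")
    return head.split(".")[-1], tail


def core(label):
    """Strip hyphens and filler tokens: 'companyname-uk' -> 'companyname'."""
    kept = [t for t in label.split("-") if t and t not in FILLER]
    return "".join(kept) or label.replace("-", "")


def check_referee_email(email, official_domain, threshold=0.85):
    """Classify a referee-supplied address against the independently sourced
    domain. Returns (verdict, reason); verdict is 'match', 'lookalike' or
    'unrelated'."""
    local, sep, supplied = email.strip().lower().rpartition("@")
    if not sep or not local or not supplied:
        raise ValueError(f"not an email address: {email!r}")
    official = official_domain.strip().lower().rstrip(".")
    if supplied == official or supplied.endswith("." + official):
        # A matching domain still does not prove the referee's role there.
        return "match", "same domain as the independently sourced one"
    s_label, s_suffix = split_domain(supplied)
    o_label, o_suffix = split_domain(official)
    similarity = SequenceMatcher(None, core(s_label), core(o_label)).ratio()
    if similarity >= threshold:
        if s_label == o_label:
            reason = f"same name under .{s_suffix} instead of .{o_suffix}"
        else:
            reason = f"'{s_label}' resembles '{o_label}' but is another domain"
        return "lookalike", reason
    return "unrelated", "domain has no visible link to the stated employer"


if __name__ == "__main__":
    official = "companyname.co.uk"  # found by the screener, not the candidate
    for address in ("j.smith@companyname.co.uk",      # constructed samples
                    "j.smith@companyname-uk.com",
                    "j.smith@gmail.com"):
        print(address, "->", check_referee_email(address, official))
```

    Anything other than `match` means the supplied address cannot be used for the reference request; go through the switchboard instead.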

    Our Pre-Employment Screening & Vetting Essentials Course walks through this process step by step, including how to spot red flags in reference responses.

    The DBS Certificate Misconception

    This mistake is so common that we've started addressing it in the first ten minutes of every training session. Employers believe that if someone has a clear DBS certificate, they don't need to conduct the full BS7858 screening. Wrong.

    A DBS check is one component of BS7858 screening. It is not a substitute for the entire process. You still need:

    • Continuous five-year history verification

    • Employment references

    • Right to work checks

    • Identity verification (to BS7858 standards, which are stricter than basic ID checks)

    • Address verification

    • Evidence of overseas criminal record checks where applicable

    We trained a care home group last year that had been relying almost entirely on DBS certificates. They'd skipped proper reference verification, hadn't verified employment histories, and had barely checked identity documents beyond confirming they looked genuine. When we explained that they weren't actually BS7858 compliant, despite having DBS certificates for all staff, it was a sobering moment.

    The confusion often stems from the fact that many organisations use the terms interchangeably. "We need a BS7858" becomes shorthand for "we need a DBS check" in casual conversation. But they're not the same thing, and treating them as such leaves massive gaps in your screening.

    If you're unclear on the specific requirements of DBS checks within the BS7858 framework, our Understanding DBS Checks (UK) Course provides detailed clarity.

    The International Applicant Assumption

    Here's a scenario we see regularly in training sessions. An organisation has a solid BS7858 process for UK residents. Then they hire someone who's spent the last three years working in Dubai, and suddenly nobody knows what to do.

    The most common mistake? Assuming that because obtaining overseas criminal record checks is difficult or time-consuming, you can skip them or substitute them with something easier.

    You can't. The BS7858 standard is clear that you must obtain criminal record checks from any country where the applicant has lived for six months or more during the screening period. If they've spent three years in Dubai, you need a UAE police clearance certificate. If they've lived in Australia for 18 months, you need an Australian criminal history check.

    "But it takes twelve weeks to get a police clearance from some countries," employers protest. Yes, it does. That's not a reason to skip it, it's a reason to factor it into your recruitment timeline.

    We trained a logistics company recently that had a Saudi national in a security-sensitive role who'd been working for them for two years. When we asked about their overseas criminal record check, they admitted they'd never obtained one. They'd tried, found it complicated, and essentially given up. That's not compliance, that's hoping nobody notices.

    The other common mistake with international applicants is failing to verify overseas employment properly. You can't just accept a reference letter on headed paper and call it done. You need to verify that the company exists, that the person giving the reference is genuine, and that the employment dates are accurate.

    Our Global Background Screening Awareness Course covers the specific challenges and solutions for international screening in detail.


    Training Tip from Graham and Vivianne Johnson:

    Build relationships with a reputable international screening provider before you need them. When you're trying to hire someone who's worked overseas, you don't want to be frantically googling "how to get police clearance from Brazil" at midnight. Have a process and a trusted partner ready to go.


    The Documentation Storage Disaster

    This is the mistake that only becomes apparent when something goes wrong. An incident occurs, a regulator comes calling, or a client demands to see evidence of screening, and suddenly you realise your documentation is inadequate, incomplete, or completely missing.

    BS7858 requires you to retain evidence of your screening process. Not just the results, the actual evidence. That means:

    • Copies of verified identity documents

    • Written references (not just notes saying "reference received")

    • Evidence of verification attempts (phone logs, emails, written confirmations)

    • Risk assessment decisions and their rationale

    • Details of any discrepancies and how they were resolved

    We've seen organisations that keep a simple spreadsheet with "DBS: Clear" and "References: Obtained" as their only records. When asked to produce evidence six months later for a contractual audit, they have nothing.

    A security services company came to our training after failing a client audit spectacularly. They'd conducted thousands of BS7858 screenings but had retained almost no supporting documentation. When the client asked to see evidence for a random sample of twenty employees, they could produce basic DBS certificates but nothing else. They lost the contract.

    The equally common opposite mistake is keeping everything forever in chaotic filing systems. You need to retain records, but you also need to comply with GDPR, which limits how long you can keep personal data. You can't just stuff seven years of DBS certificates into a drawer and forget about them.

    Our Data Protection Policies & Procedures UK Course addresses exactly this balance between retention requirements and data protection obligations.

    The Gap in Employment History Panic

    When reviewing employment histories during our training sessions, we always ask: "What do you do when someone has a gap?" The answers vary wildly, but the most problematic response is: "We reject them."

    Having employment gaps is not, in itself, a reason to fail BS7858 screening. People have gaps for legitimate reasons: illness, caring for family members, travelling, returning to education, redundancy during a recession. What matters is that the gaps are declared, explained, and verified where possible.

    The mistake is either:

    1. Treating any gap as automatically disqualifying, or

    2. Accepting gap explanations without any verification attempt

    A manufacturing company we trained had been automatically rejecting anyone with employment gaps longer than three months. They'd inadvertently created an unlawful discriminatory practice, as this disproportionately affected women (maternity leave), disabled people (health-related gaps), and people from certain ethnic backgrounds (different cultural approaches to career gaps).

    The correct approach is to:

    • Request that the applicant declares all gaps

    • Ask for explanations (in writing)

    • Verify explanations where possible (letter from medical professional, evidence of education, travel documentation)

    • Conduct a risk assessment considering the nature of the gap, its explanation, and its relevance to the role

    • Document your decision-making process

    The BS7858 standard doesn't require gaps to be non-existent. It requires them to be known, understood, and risk-assessed. That's a crucial distinction many employers miss.

    The Address Verification Assumption

    "We verified their address" usually means "we checked a utility bill matched their application form." That's not actually verification to BS7858 standards, it's confirmation that they possess a document with an address on it.

    Proper address verification under BS7858 requires you to verify addresses for the full five-year period. If someone has lived at three addresses, you need evidence for all three. If they've lived at their current address for only six months, you need to know where they lived before that.

    The common mistakes we see:

    • Only verifying current address

    • Accepting documents without checking they're recent enough (a 2020 bank statement isn't evidence of 2025 residence)

    • Not questioning obvious discrepancies (application says "lived at current address for 3 years" but documents show they only moved in last year)

    • Failing to verify overseas addresses (yes, this is more complicated, but it's still required)

    A facilities company we trained had been accepting current address verification only. When we pointed out they should be verifying five years of addresses, someone genuinely asked, "But how are we supposed to do that?" The answer is in the standard: you obtain documentation showing residence at each address. Bank statements, utility bills, tenancy agreements, council tax bills, electoral roll entries.

    It's more work, yes. It's also what BS7858 requires.

    If you're struggling with the identity and address verification components specifically, our Digital ID & GPG45 Compliance Course covers modern approaches whilst maintaining BS7858 compliance.

    The "Too Difficult" Exemption

    This isn't a specific technical mistake, it's a mindset mistake that underpins many of the others. When something in the BS7858 process is difficult, time-consuming, or expensive, some organisations simply decide it doesn't apply to them.

    "We can't get overseas criminal record checks, so we'll skip that bit."

    "Five years of address history is too complicated, so we'll just do current address."

    "Verifying references independently is too time-consuming, so we'll accept what we're given."

    None of these are acceptable. If you're claiming BS7858 compliance, you must meet all the requirements. If you can't meet a requirement, you either need to find a way (specialist providers, extra time, additional resources) or you need to stop claiming BS7858 compliance.

    We trained a transport company that had created their own "modified BS7858" process. They'd kept the bits they found easy and dropped the bits they found difficult. When we explained that "modified BS7858" is not a thing and they were not actually compliant, there was genuine surprise. They thought they had flexibility to adapt the standard to their circumstances.

    You don't. BS7858 is a standard precisely because it's standardised. You meet it or you don't.

    The Renewal Oversight

    BS7858 screening is not a one-time event, particularly for roles requiring ongoing compliance. Many sectors require regular re-screening, yet we constantly meet employers who conducted BS7858 screening at hire and then never again, despite contractual or regulatory requirements for renewal.

    The mistakes include:

    • Not knowing when re-screening is required

    • Having no system to track when individual screenings expire

    • Assuming that if nothing's changed, re-screening is unnecessary

    • Conducting partial re-screening (just a new DBS, for example) instead of full BS7858 renewal

    A security contractor we trained had several staff working on government sites that required three-yearly re-screening. Their system for tracking renewals was a paper diary that someone had been maintaining until they left the company six months earlier. Nobody knew which staff were overdue for re-screening. When they checked properly, they discovered 23 people were operating on expired screenings, some by more than a year.

    Our Continuous Employee Background Checks & Monitoring Course addresses exactly this issue, including how to build robust renewal tracking systems.


    Training Tip from Graham and Vivianne Johnson:

    Set up automated reminders for screening renewals. Whether it's a simple spreadsheet with conditional formatting or sophisticated HR software, you need a system that prompts action before screenings expire, not after. Build in a three-month warning period to allow time for the renewal process.


    The Risk Assessment Avoidance

    BS7858 requires you to conduct risk assessments when discrepancies or concerns arise. Many employers either skip this entirely or treat it as a box-ticking exercise.

    A risk assessment is not:

    • Writing "low risk" on a form with no explanation

    • Automatically accepting or rejecting based on rigid rules

    • Delegating the decision to a screening provider without applying any organisational context

    A proper BS7858 risk assessment considers:

    • The nature of the role and its responsibilities

    • The specific concern or discrepancy

    • The applicant's explanation and supporting evidence

    • Relevant legal protections (Rehabilitation of Offenders Act considerations, for example)

    • Mitigating factors

    • Organisational risk appetite

    We trained an HR team last month that had been automatically rejecting anyone with any criminal record, regardless of the offence, how long ago it occurred, or its relevance to the role. That's not risk assessment, that's blanket discrimination that likely violated the Rehabilitation of Offenders Act.

    Equally problematic is the employer who accepts any explanation without critical assessment. "Oh, you've got a fraud conviction but you say you've changed? Welcome aboard, here are the company credit cards."

    Risk assessment requires thought, documentation, and a balance between caution and fairness. Our Risk Assessment in Background Screening Course provides detailed frameworks for making these decisions properly.

    What to Do If You've Made These Mistakes

    If you're reading this and realising your organisation has been making one or more of these mistakes, don't panic. You're not alone, and more importantly, you can fix it.

    First, conduct an honest audit of your current process against the actual BS7858 standard. Not against what you think it requires, against what it actually says. The BS7858 Employer & Applicant Guidance Pack includes an audit checklist that makes this straightforward.

    Second, prioritise the gaps. If you've got current employees who haven't been screened properly, that's a more immediate issue than refining your documentation retention process. Address the biggest risks first.

    Third, get proper training. Not just for your HR team, for anyone involved in the screening process. That includes managers who make hiring decisions, administrators who handle documentation, and senior leaders who sign off on policies. Our BS7858 Screening Standard Course is designed for exactly this scenario.

    Fourth, document your remediation plan. If a regulator or client asks about compliance, being able to show that you identified issues and implemented corrections demonstrates good governance, even if you weren't previously compliant.

    Tomorrow, we'll give you a comprehensive comparison guide to help you understand when BS7858 is required versus when other screening standards like BPSS might be more appropriate. This is a question we get asked in every single training session, and the answer isn't always straightforward. We'll break down the key differences and help you determine which standard your organisation actually needs to meet.

    Common Questions from Training Sessions

    Before we finish, let me address a few questions that come up repeatedly in our courses:

    "Can we outsource BS7858 screening completely?"

    You can outsource the administration and verification work, but you cannot outsource the responsibility. The decision to employ someone based on screening results is yours. Your screening provider can gather evidence and present findings, but the risk assessment and final decision must be yours. We cover vendor management and responsibility allocation in our Creating a Screening Policy & Framework Course.

    "What if an applicant refuses to provide information required for BS7858?"

    They're entitled to refuse. You're entitled not to hire them. BS7858 screening is a legitimate requirement for many roles. If someone won't engage with the process, that's a decision with consequences. However, make sure your requests are proportionate and genuinely required by the standard.

    "Do we need written consent for BS7858 screening?"

    Yes, absolutely. GDPR requires clear consent for processing personal data. This includes explicit consent for criminal record checks, reference approaches, and verification activities. Your consent process should explain what you're checking, why, how you'll use the information, and how long you'll retain it.

    "Can we use social media checks as part of BS7858?"

    BS7858 doesn't specifically require social media screening, but it doesn't prohibit it either. If you choose to include social media checks, they must be conducted lawfully, proportionately, and consistently. Our Social Media in Employment Screening Course covers this in detail, including the significant legal and ethical considerations.

    Final Thoughts

    The mistakes we've covered today aren't made by careless or negligent employers. They're made by busy HR teams trying to navigate complex requirements without sufficient guidance, by organisations that inherited flawed processes from predecessors, and by well-intentioned people who simply didn't know what they didn't know.

    That's precisely why we created our comprehensive training programmes. BS7858 is detailed, nuanced, and easy to get wrong if you're trying to work it out alone. But with proper training, clear processes, and ongoing commitment to compliance, it becomes manageable.

    The screening process protects your organisation, your clients, your existing staff, and the people you serve. Getting it right matters. Getting it wrong can have serious consequences: regulatory sanctions, contract losses, reputational damage, and in worst cases, harm that proper screening might have prevented.

    If you've identified gaps in your current approach after reading this, that's actually progress. Awareness is the first step to improvement. As we discussed in our complete guide to implementing BS7858 step-by-step, building a compliant process takes time and commitment, but it's absolutely achievable.

    Want to discuss your specific screening challenges? Our expert coaching sessions are designed for exactly these situations. We've helped hundreds of organisations move from problematic processes to robust, compliant systems. You can reach us at sales@vhcourses.com or explore our full range of screening and vetting training courses.
