Author: Joey Lyons
Checkback provides many pre-employment checks for companies in the UK. BPSS, BS 7858, DBS checks and Right to Work checks are a few examples of the services we provide. As part of this work, we handle a lot of personal and sensitive data. Ensuring this data is safe and secure at all times is our main priority.
ISO 27001:2013/2022 – Encryption as a Core Control
Checkback International is certified to ISO/IEC 27001 (the current 2022 edition of the standard), which means an independently audited Information Security Management System (ISMS) is in place. ISO 27001 does not prescribe particular technologies; it requires an organisation to assess the risks to the confidentiality, integrity and availability of its information and to select and justify controls from Annex A in a Statement of Applicability. Cryptography is one of those controls.
In practice, this means Checkback has formal policies for using encryption to protect sensitive information. The Annex A cryptography control (A.8.24 “Use of cryptography” in the 2022 edition, A.10.1 “Cryptographic controls” in the 2013 edition) requires rules for the effective use of cryptography, including key management, to be defined and implemented, so that data at rest and in transit is encrypted wherever the risk assessment calls for it. Under this standard, confidential or personal screening data (candidates’ identity details, background check results, and so on) is encrypted in storage (databases, file repositories) and during transmission across networks.
By adhering to ISO 27001, Checkback manages encryption keys securely, uses approved encryption algorithms, and regularly reassesses the risks to its data.
The “use of cryptography” control explicitly requires rules for effective encryption to be defined and implemented, covering the key management lifecycle (generation, storage, rotation and destruction) as well as the choice of algorithms and key lengths.
This means that Checkback’s digital screening platform is designed so that sensitive vetting data cannot be read by unauthorised parties, and cannot be altered by them without detection, whether it is stored in the system or sent between systems.
Certification is not a one-off: an ISO 27001 certificate runs on a three-year cycle with annual surveillance audits by the certification body, so encryption practices are reviewed regularly and kept current with evolving threats and compliance requirements.
Cyber Essentials Certification – Secure Configuration & Data in Transit
In addition to ISO 27001, Checkback holds the UK Cyber Essentials certification. Cyber Essentials is a government-backed scheme, run by the NCSC, that sets five baseline technical controls: firewalls, secure configuration, user access control, malware protection, and security update (patch) management.
Its firewall and secure-configuration controls require that only services which need to be reachable from the internet are exposed, and that unnecessary services and default accounts are removed or disabled. For any exposed service that carries personal data, the practical consequence is that it must run over an encrypted channel (HTTPS/TLS for web traffic, a VPN for remote administration) so that nothing crosses the internet in plaintext where it could be read by an eavesdropper.
In line with this, Checkback’s web portals and APIs only operate over HTTPS with TLS 1.2 or later. TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so they are not offered; a client that can only speak those versions is refused rather than downgraded to.
Cyber Essentials also requires that default settings are hardened and that insecure services (such as outdated protocols) are disabled, which reduces the risk of any data being exposed in plaintext.
By meeting this certification, Checkback demonstrates that all external interfaces of its system, such as the Vetting Solutions online portal for applicants and employers, are protected by encryption and other security measures.
In practical terms, any personal data an applicant enters, and any screening report a client retrieves from Checkback’s system, is transmitted over an encrypted channel. This baseline complements ISO 27001 by enforcing technical measures (TLS configuration, secure remote access, and so on) that keep data in transit safe from interception.
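What a “TLS 1.2 or later only” policy means in practice is easiest to see with a handshake that is allowed beside one that is refused. The Go program below is an added illustration, not Checkback’s code and not a description of its actual server configuration: a server with TLS 1.2 as its floor and a forward-secret cipher list, a modern client that negotiates normally, and a legacy client that can only offer TLS 1.0/1.1 and is turned away. The self-signed “localhost” certificate, the in-memory pipe and the function names (HardenedServerConfig, Negotiate, Probe) are the example’s own scaffolding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory "localhost" certificate so the handshakes
// below run offline; it is test scaffolding, not a real PKI.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool() // clients trust exactly this one certificate
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// HardenedServerConfig: TLS 1.2 is the floor, so TLS 1.0/1.1 clients are refused
// outright, and 1.2 is limited to forward-secret AEAD suites (Go picks 1.3 suites itself).
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
		// Demo plumbing, not hardening: post-handshake tickets would stall net.Pipe.
		SessionTicketsDisabled: true,
	}
}

// Negotiate runs one handshake over an in-memory pipe and returns the negotiated
// protocol version, or an error if either side refused.
func Negotiate(server, client *tls.Config) (uint16, error) {
	sc, cc := net.Pipe()
	defer sc.Close()
	defer cc.Close()
	sc.SetDeadline(time.Now().Add(5 * time.Second))
	cc.SetDeadline(time.Now().Add(5 * time.Second))
	srv, cli := tls.Server(sc, server), tls.Client(cc, client)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return 0, fmt.Errorf("server refused: %w", err)
	}
	if cliErr != nil {
		return 0, fmt.Errorf("client failed: %w", cliErr)
	}
	return cli.ConnectionState().Version, nil
}

// Probe models a modern client and a legacy one that can only offer TLS 1.0/1.1.
// It returns the modern client's version and the legacy client's error (nil would mean accepted).
func Probe() (modern uint16, legacyErr error, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, nil, err
	}
	server := HardenedServerConfig(cert)
	if modern, err = Negotiate(server, &tls.Config{RootCAs: pool, ServerName: "localhost"}); err != nil {
		return 0, nil, err
	}
	legacy := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11}
	_, legacyErr = Negotiate(server, legacy)
	return modern, legacyErr, nil
}

func main() {
	modern, legacyErr, err := Probe()
	if err != nil {
		panic(err)
	}
	fmt.Printf("modern client: 0x%04x (TLS 1.2 is 0x%03x); legacy client refused: %v\n", modern, tls.VersionTLS12, legacyErr)
}
```

The modern client ends up on TLS 1.3 (0x0304), and the legacy client gets a protocol_version alert from the server rather than a downgraded session. The same check against a live endpoint is what an `openssl s_client -tls1_1` probe or an SSL Labs scan does; the point of doing it in code is that the refusal is a server-side decision, independent of whatever the client is willing to accept.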
Other Security Certifications and Frameworks
Beyond ISO 27001 and Cyber Essentials, Checkback adheres to additional standards that reinforce its encryption and data protection posture.
Checkback is also certified to ISO 9001 for quality management and is a certified Identity Service Provider (IDSP) under the UK Digital Identity and Attributes Trust Framework (DIATF), the scheme the Home Office relies on for digital Right to Work and identity verification checks. Being an approved provider of these checks means Checkback has to meet strict government criteria for data security and privacy.
The framework incorporates UK GDPR principles and requires strong protection of personal data, including encryption of identity data at rest and in transit, to prevent identity fraud or leakage. In short, participation in the DIATF scheme further confirms that Checkback applies established practices such as encryption, secure hosting and rigorous access control when handling identity documents or background check data.
Encryption of Data Shared with Third Parties
A critical part of Checkback’s service is interfacing with third-party agencies, such as the DBS for criminal record checks, the DVLA for driving licence checks, Home Office systems for immigration and Right to Work verification, and credit reference agencies for financial history checks.
Checkback explicitly confirms that “all data shared with 3rd parties, including Clients, Applicants and Inspectorates such as DBS, credit agencies, DVLA and the Home Office, is fully encrypted at source”.
By encrypting data at the source, Checkback ensures that even when information travels outside its immediate control it remains confidential and any tampering is detectable. When a batch of personal data is sent to a government system for verification, it is encrypted on Checkback’s side and can only be decrypted by the intended recipient (such as the Home Office or DBS system). This protects against man-in-the-middle attacks and accidental exposure in transit, and, unlike transport encryption on its own, it also keeps the payload protected while it sits on any intermediate system such as a file-transfer gateway or mailbox. It also helps meet legal requirements: UK GDPR Article 32 names encryption as an example of an appropriate technical measure for securing personal data.
Furthermore, under the ISO 27001 ISMS, any integration with a third party undergoes a risk assessment, which includes confirming that the connection uses an approved cryptographic protocol (HTTPS with strong cipher suites, SFTP over SSH, or a VPN tunnel). Clients access Checkback reports through dashboards delivered over HTTPS, and reports or documents can only be downloaded within an authenticated HTTPS session, so encryption is maintained all the way to the end user’s browser.
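“Encrypted at source” is a payload-level property, distinct from the TLS that protects the connection: the data is sealed before it leaves the sender and only the intended recipient holds the key to open it. The Go example below is added here to show one standard way of getting that property; it is not Checkback’s code, and the page does not say which mechanism Checkback uses. It performs an X25519 key agreement against the recipient’s public key, derives an AES-256-GCM key with HKDF, and authenticates both the ciphertext and a clear-text case reference. The names Seal, Open and Envelope, the record layout and the sample data are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what leaves the sender: ephemeral public key, GCM nonce, ciphertext+tag.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// hkdfSHA256 is RFC 5869 extract-then-expand for one 32-byte output block,
// written inline so the example needs nothing outside the standard library.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// aeadFor derives the AES-256-GCM key from the ECDH secret; both public keys go
// into the salt so the key is bound to this particular sender/recipient pair.
func aeadFor(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	salt := append(append([]byte{}, ephPub...), recipientPub...)
	block, err := aes.NewCipher(hkdfSHA256(shared, salt, []byte("screening-envelope-v1")))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so only the holder of the private key behind recipientPub
// can read it. aad (e.g. a case reference) travels in clear but is authenticated;
// the ephemeral key is folded into the AAD so the tag covers it as well.
func Seal(recipientPub *ecdh.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(shared, ephPub, recipientPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	fullAAD := append(append([]byte{}, ephPub...), aad...)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, fullAAD)}, nil
}

// Open reverses Seal. A wrong private key, a modified ciphertext or a modified
// aad all fail the GCM tag check instead of yielding garbage.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared, env.EphemeralPub, recipientPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	fullAAD := append(append([]byte{}, env.EphemeralPub...), aad...)
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, fullAAD)
	if err != nil {
		return nil, fmt.Errorf("envelope rejected (wrong key or tampered data): %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample: this key pair stands in for one an inspectorate would publish.
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	record := []byte(`{"applicant":"A. Example","dob":"1990-01-01","check":"DBS basic"}`)
	env, _ := Seal(recipient.PublicKey(), record, []byte("case-0001"))
	pt, err := Open(recipient, env, []byte("case-0001"))
	fmt.Println("round trip ok:", err == nil && string(pt) == string(record))
	env.Ciphertext[0] ^= 0x01 // one flipped bit in transit
	_, err = Open(recipient, env, []byte("case-0001"))
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Two caveats a practitioner should carry away. First, the whole scheme is only as good as how the sender obtained the recipient’s public key: if that key can be substituted in transit, an attacker simply becomes the “intended recipient”, so the key has to be fetched over an authenticated channel and pinned. Second, this construction gives the recipient no proof of who sent the envelope; where the receiving agency needs that, the sender must also sign the envelope, which is outside the scope of this example.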
Compliance and Best-Practice in Summary
Checkback’s adherence to multiple security standards directly translates into rigorous encryption practices. ISO 27001 drives a comprehensive encryption strategy for both stored data and data in motion, ensuring that sensitive digital screening data is encrypted wherever it resides or travels.
Cyber Essentials adds assurance that network interfaces and systems are configured to use secure protocols (for example, mandating TLS for all web services and preventing unencrypted channels).
In everyday operations, these measures mean that personal information collected for background checks (addresses, identity documents, criminal record results, etc.) is stored in encrypted form in the cloud and only transmitted via encrypted links.
Even internal backups or logs would be encrypted at rest, and administrative access to systems would be over secure connections in line with Cyber Essentials guidelines. When data needs to be exchanged outside of Checkback’s platform – for example, verifying a candidate’s details with an external authority – encryption is applied from the outset.
Overall, Checkback ensures encryption and compliance with industry best practices by “baking in” security to its technology and processes. The combination of certifications (ISO 27001, ISO 9001, Cyber Essentials, and Home Office trust framework approval) and the use of a secure cloud infrastructure demonstrates a defense-in-depth approach. This gives customers confidence that digital screening data handled by Checkback is consistently protected to a high standard – fulfilling both the letter of various security standards and the spirit of strong data protection.