Personnel security in Scandinavia

Personnel security concerns the protection of employees, assets and information against being misused, harmed or compromised by insiders. An insider threat comes from people who take advantage of an otherwise legitimate access to the business to harm people or national interests, for example through espionage, terrorism or unauthorised disclosures. Such threats can occur knowingly or unknowingly and implementing adequate security measures is important both from a business and a national perspective.

Some companies of particular national interest are subject to personnel security requirements in national security legislation. However, the call for awareness and protection is also relevant to a number of companies not subject to the relevant security legislation. For example, given current export control regulations, there is an expectation that attempts for covert procurement of relevant goods and technology will increase, and this also includes dual-use goods which could have a military use in addition to its civilian life. 

Relevant security measures include both a more extensive vetting procedure before onboarding employees, contractors or customers than we have traditionally been used to in the Nordics. Other measures also include access control (both physical and to systems) as well as regular audits. Conducting regular risk assessments and having up-to-date internal routines is also important.

Technology has made it possible to obtain extensive information about candidates and partners. However, national legislation may imply restrictions on the ability to collate relevant information, and this is particularly relevant with regards to information about employees and candidates. Although traditional background checks such as identity control and verification of educational and work history is generally permitted, more extensive checks relating to credit history and criminal records are subject to restrictions and may not be applied as a standard check. Information relevant to the security assessment will also touch upon national legislation prohibiting discrimination for example based on national origin. The employer must be conscious of these restrictions and ensure that assessments made do not conflict with discrimination laws. The employer must also ensure that processing is compliant with data privacy regulations and applicable consultation requirements under national labour laws. I.e. there are extensive rules related to informing the candidates and partners about the information that is collected as part of a recruitment process or other relevant processes. 

“Our practice group sees an increased focus with a number of clients on the need to protect both the business and our country against hostile insider threats”, says Trine Vabø, partner at Schjødt’s Stavanger office. “Employers can no longer rely on simple background checks and for some industries and roles a more extensive vetting process will be required”, Ingrid Cathrine Nielsen, partner at the Oslo office confirms. The need and legality of different vetting procedures must be assessed on an individual and functional basis for each organisation and co-operation across functions to identify and implement relevant measures. There are also local variations in what is permitted with regards to background checks between the Scandinavian countries, and we recommend seeking advice before introducing more extensive background checks to avoid pitfalls.