Compliance and Risk — Agency Reference Checking

Recruitment agency reference checking compliance — GDPR, audit trails, consent and liability

Recruitment agencies face compliance obligations in reference checking that go beyond simply obtaining a reference. GDPR requires documented candidate consent before referee contact. Regulated sector clients require audit trail evidence. Agency liability depends on having a documented process. RefAssure addresses all of these automatically from 99p per reference.

GDPR compliant Candidate consent documented Full audit trail Client SLA evidence Employment agency regulations No monthly fees

Get Started Agency Overview

GDPR

Compliant by design — consent first

100%

Written, timestamped consent every reference

Full

Audit trail — every reference

99p

From per reference — no subscription

Agency reference checking compliance — GDPR consent, audit trail and client SLA evidence in one PDF

Every RefAssure reference generates a PDF containing written candidate consent with timestamp, direct referee contact record, full written reference responses and a complete timestamped audit trail. This single document satisfies GDPR documentation requirements, client SLA evidence obligations, regulated sector compliance requirements and agency liability documentation — automatically on every reference without additional administration.

99p

From per reference

£0

Monthly fees

What RefAssure Provides

Compliance and Risk

Candidate consent — GDPR compliant, always first

GDPR requires documented candidate consent before approaching referees about a third party's personal data. RefAssure collects written, timestamped consent by email and SMS before any referee is contacted. Consent is documented in every PDF report.

Full audit trail — inspection and client SLA evidence

Every reference generates a complete timestamped audit trail — when consent was collected, when the request was sent, when chasers were sent, when the reference was returned. Produced immediately for client SLA audits or regulatory inspection.

Agency liability — documented process evidence

An agency that places a candidate without adequate references faces liability if something goes wrong. RefAssure provides documented evidence that a proper reference process was followed for every placement — reducing agency exposure significantly.

Regulated sector compliance — CQC, Ofsted, NHS

Agencies placing into care, education and healthcare face sector-specific compliance requirements. RefAssure templates address CQC Regulation 19, KCSIE safeguarding and NHS Employment Check Standards simultaneously — one process, multiple compliance frameworks satisfied.

In-Depth Guides

Compliance and Risk — every guide

Recruitment Agency GDPR References

GDPR compliance in recruitment agency reference checking.

Read the guide

Reference Checking Audit Trail for Agencies

What a compliant agency reference audit trail must contain.

Read the guide

Client SLA Reference Checking

Meeting client SLA requirements for reference turnaround and documentation.

Read the guide

Candidate Consent Reference Checking

GDPR-compliant candidate consent before referee contact.

Read the guide

Reference Checking Liability for Agencies

Agency liability in reference checking — what documentation protects you.

Read the guide

Employment Agency Regulations References

Reference checking obligations under the Employment Agencies Act.

Read the guide

Recruitment agency reference checking compliance — the full picture

GDPR and candidate consent — the most overlooked compliance gap

GDPR requires a lawful basis for processing personal data about a third party. When an agency contacts a referee about a candidate, it is processing the referee's personal data — and doing so on the basis of the candidate's consent and legitimate interest. Best practice and the ICO's guidance on employment references require agencies to inform candidates that references will be sought, obtain their consent, and document that consent before approaching any referee. Most agencies do not do this systematically — they obtain verbal consent in passing or assume consent from the act of applying. RefAssure makes documented, written, timestamped consent automatic on every reference, satisfying GDPR documentation requirements without additional administration.

The consequences of inadequate GDPR compliance in reference checking are primarily reputational and regulatory rather than immediately financial — but an ICO complaint from a candidate who did not consent to their referee being contacted, or a client who discovers their agency's reference process is not GDPR-compliant, can damage client relationships and agency reputation significantly. RefAssure eliminates this risk by making consent documentation automatic and irreversible.

Agency liability and reference checking documentation

An agency that places a candidate without completing adequate pre-employment checks — including employment references — faces potential liability if the placed candidate causes harm in their role. In regulated sectors, this liability is more acute — an agency that places a care worker without CQC-compliant references may face regulatory and civil liability if the worker causes harm to a service user. Documented evidence of a proper reference process — written references obtained, consent documented, audit trail retained — is the agency's primary protection against this liability. RefAssure generates this documentation automatically for every reference, ensuring the agency has evidence of a proper process regardless of which consultant managed the placement.

FAQ

Compliance and Risk — questions answered

Yes. GDPR applies to the processing of referee personal data during reference checking. Agencies should inform candidates that references will be sought, obtain documented consent, and process referee data only for the purpose of verifying the candidate's employment history. RefAssure collects documented consent automatically before any referee is contacted.

Agencies should retain: written candidate consent with timestamp, the reference request sent to the referee, the written reference response, and a record of when the reference was obtained relative to the candidate's start date. RefAssure generates all of this in one PDF automatically.

Yes. Agencies have a duty of care in the placement process. In regulated sectors, inadequate pre-employment checking — including reference checking — can result in regulatory action and civil liability. Documented evidence of a proper reference process is the agency's primary protection.

The Employment Agencies Act 1973 and its regulations require agencies to take reasonable steps to verify a work-seeker's suitability for positions they are introduced to. Employment references are a key part of this verification obligation, particularly for positions involving contact with vulnerable people.

Explore