What background and reference checks can a Malaysian employer legally run before hiring?
PDPA 2010 puts real limits on what you can check and how you ask for it — but skipping the checks altogether has cost employers real cases in the Industrial Court. Here is exactly what you can check, how to ask for it properly, and what happens when employers get it wrong.

A Malaysian employer can legally run background and reference checks before hiring — identity, employment history, qualifications, licensing, criminal record, credit standing, and references — provided it first obtains the candidate's consent and gives the candidate written notice of what is being collected, why, and who it may be shared with, both required under the Personal Data Protection Act 2010 (PDPA).
- Consent AND written notice are both required. The Personal Data Protection Act 2010 requires the candidate's consent (its General Principle, section 6) plus written notice of what is being collected, why, and who it may be shared with (its Notice and Choice Principle, section 7) before you start screening; processing without consent carries a fine of up to RM500,000 and/or up to three years' imprisonment, and general non-compliance with the Act's principles can reach RM1,000,000.
- Nine checks cover most roles. Identity/NRIC, employment history, academic qualifications and MQA accreditation, professional licence for regulated roles, criminal record, credit status (financial roles only), social media, medical/health clearance (physical roles only), and professional references.
- There is no blanket ban on hiring someone with a criminal record. Malaysian practice requires you to assess how relevant the offence is to the role — disqualifying automatically, without that assessment, risks looking discriminatory.
- Malaysian courts have ruled on resume lies both ways. The Industrial Court upheld a dismissal over a false legal qualification in Azman Idrus v SGA Services (M) Sdn Bhd [2015] 2 MELR 722 — but per Donovan & Ho's account of Anthony Dass S Rajagopal v Strategic Research & Consultancy Sdn Bhd [2012] 2 MELR 47, it cut the employer's compensation because the employer never verified the credential before hiring.
- Checks take days, not weeks. Identity and reference checks typically clear in 1–2 days; academic, licence and criminal checks can take up to a week or longer — so build the time in before you extend an offer, not after.
Hiring in Malaysia comes down to a trade-off employers rarely think through in advance: check too little, and a false qualification or an unverified reference becomes your problem the day something goes wrong; check the wrong way, and you are the one exposed under the Personal Data Protection Act 2010. Both failure modes are avoidable, and both have already played out in real Malaysian cases — alongside the wider Employment Act obligations every employer already carries.
What can you actually check before hiring in Malaysia?
A Malaysian employer can legally run a background check covering a candidate's identity, employment history, qualifications and licensing, criminal record, credit standing, social media conduct, medical fitness and references before hiring, provided each specific check is genuinely relevant to the role being filled.
There is no statute that forces you to run any of them, and nothing stops you either, as long as you handle the candidate's data properly. The table below sets out the standard pre-employment screening set per AJobThing, with professional licensing and medical clearance added to complete it for regulated and site-based roles.
| Check | What it verifies | Typical timeframe |
|---|---|---|
| Identity / NRIC verification | The candidate is who their application says they are | 1–2 days |
| Employment history | Previous job titles, dates and, where the referee agrees, performance | 1–2 days |
| Academic qualifications | Degrees, diplomas and certificates against the issuing institution and its MQA accreditation | Up to a week or more |
| Professional licence / registration | Registration with the relevant statutory body for regulated roles — e.g. the Board of Engineers Malaysia (BEM), which graduate engineers must register with before taking up an engineering post, with employers able to verify status via BEM's own directory | A few days to a week |
| Criminal record | Convictions relevant to the role; in practice run via a licensed screening provider or the candidate's own Certificate of Good Conduct from the Royal Malaysian Police (PDRM), rather than the employer approaching PDRM directly | Up to a week or more |
| Credit / bankruptcy status | Financial reliability — only justified for roles handling cash or funds | A few days |
| Social media screening | Publicly visible professional conduct | Same day |
| Medical / health clearance | Physical fitness for the role — only justified where the job itself has a genuine physical requirement | A few days |
| Professional references | A former manager or colleague's account of the candidate's work and conduct | 1–2 days |
Two of these deserve a note of caution. Credit and social media checks are the easiest to over-reach on: run a credit check on a warehouse picker and you have collected data you cannot justify, and a social media review that strays into a candidate's religion, race or political views turns a legitimate check into a discrimination risk. A medical or health-clearance check belongs on this list only where the role itself has a genuine physical requirement (site-based logistics and manufacturing roles are the common case) — keep every check tied to a real requirement of the job.
How do you actually run a good reference check?
The shortest route to a reference check worth trusting is calling the referee directly rather than emailing, confirming you are speaking to the person the candidate actually named, and asking every candidate for the role the same standardised set of questions.
- Call, don't just email. A phone conversation surfaces hesitation and tone a written reference letter never will.
- Confirm you have the right person. Check you are speaking to the referee the candidate actually named, not a friend standing in for them.
- Ask the same questions every time. Dates and title, strengths, one honest development area, and whether the referee would rehire the person — asked identically across every candidate for the role.
- Note evasiveness as a signal. A referee who goes vague on dates or dodges direct questions is itself worth flagging, not just what they do answer.
Do you need the candidate's consent before running a check?
Yes — the Personal Data Protection Act 2010 requires two separate things before you screen a candidate: their consent, under the Act's General Principle (section 6), and written notice of what is being collected, why, and who it may be shared with, under its separate Notice and Choice Principle (section 7).
Skip either step and the check is unlawful, whatever it turns up — and this is the step Malaysian employers skip most often, usually by assuming a verbal heads-up in an interview covers both duties. It does not. The Personal Data Protection Act 2010 (Act 709) treats a candidate's identity, employment and academic details as personal data, and per Malaysian law firm Sabrina Hashim & Co, consent and notice are two of the Act's seven numbered principles — distinct obligations that both have to be met, not one substituting for the other.
The cost of getting this wrong is not theoretical. According to Edwin Lee & Partners, processing a person's data without consent carries a fine of up to RM500,000 and/or imprisonment of up to three years, while general non-compliance with the Act's data protection principles — the wider category a sloppy background-check process can fall into — now carries a fine of up to RM1,000,000.
In practice, a compliant consent step is short: tell the candidate which checks you plan to run, why, and how long you will keep the results, then get their written agreement before you start. Verbal agreement in an interview is not enough on its own — keep the paper trail, the same way you would for any other Employment Act obligation.
What happens if you skip the checks and a hire lied on their resume?
Skipping verification does not just risk a bad hire — it can weaken your legal position when you later dismiss that hire over the lie: Malaysian Industrial Court rulings have gone both ways, upholding some dismissals over a false qualification while cutting one employer's compensation because it never checked the credential first.
In Azman Idrus v SGA Services (M) Sdn Bhd [2015] 2 MELR 722 — reported by both Malaysian employment law firm Donovan & Ho and legal-explainer site AskLegal.my — an employee had misrepresented having a legal qualification. The Industrial Court upheld the dismissal, noting that “the portfolio of a Legal Advisor would by implication require the employee to have a legal qualification.” Similarly, per Donovan & Ho's account of Royal Sungei Ujong Club v Vijaysankar Arumugam [2009] 3 MELR 65, a dismissal for falsely claiming an MBA was also upheld.
But the more instructive case for employers, per Donovan & Ho's account, is the one that went the other way. In Anthony Dass S Rajagopal v Strategic Research & Consultancy Sdn Bhd [2012] 2 MELR 47, an employee had claimed an unrecognised PhD. The Industrial Court still found the dismissal procedurally unfair and reduced the compensation payable — on the basis that the employer should have verified the credential before making the hire, not after. As Donovan & Ho puts it, pretending to have qualifications you do not have “is a fast way to dismissal” for the employee — but the Anthony Dass ruling is the reminder that the employer's own failure to check can blunt that protection. If a credential problem does surface once someone is already on the payroll, how you handle it during probation or termination matters just as much as catching it would have upfront.
The lesson is not that you can always dismiss your way out of a bad hire. It is that verifying a credential before you hire is cheaper, in money and in Industrial Court time, than discovering the gap after the fact and hoping a dismissal holds up.
Can you reject a candidate because of a criminal record?
Not automatically — Malaysian law does not impose a blanket ban on hiring someone with a criminal record, and disqualifying every candidate with any conviction, without weighing how relevant it is to the role, risks looking discriminatory rather than diligent under Malaysian employment practice.
The check that matters is relevance: a fraud conviction is a legitimate concern for a role handling cash or client funds, while an old, unrelated offence with no repeat pattern is a much weaker basis to reject someone outright.
The same relevance test should guide everything else you screen for. Steer clear of questions or checks built around a candidate's religion, gender identity, marital status, race or political views — none of these predict job performance, and asking about them turns a defensible screening process into a discrimination exposure you did not need to create.
How long does a background check take, and when should you run it?
Budget a day or two for quick checks like identity verification and a reference call, and up to a week or longer for the slower ones — academic, licence and criminal record checks — once a screening provider or the relevant institution is involved.
Run the checks before you extend a firm offer, not after — build screening into your hiring timeline from the shortlist stage rather than the final week. A background check that surfaces a problem once someone has already resigned from their previous job, or worse, already started with you, leaves you with a far worse set of options than a short delay at the offer stage.
Should you outsource background checks to a recruitment agency?
You can run every background and reference check in this guide yourself, but most Malaysian SMEs do not have the in-house time or dedicated expertise to do it properly on every single hire, and that is exactly where an experienced recruitment agency can help.
This is also where Carriera's approach differs from a high-volume agency: our six-step process is built on manual screening rather than a high-volume pipeline, with a small team that deals with you directly rather than passing your brief down a chain. We have served 50+ companies across Peninsular Malaysia this way — if that closer, more hands-on way of assessing and screening candidates is what your next hire needs, that is exactly what a recruitment engagement is for.
Sources: Personal Data Protection Act 2010 (Act 709) penalties for processing without consent (up to RM500,000 and/or 3 years' imprisonment) and general non-compliance (up to RM1,000,000), per Edwin Lee & Partners; the Act's section 6 General Principle (consent) and section 7 Notice and Choice Principle (written disclosure) per Sabrina Hashim & Co; the standard check types, absence of a legal mandate to run them, and discriminatory-question guidance per AJobThing; the Board of Engineers Malaysia's registration role per Wikipedia; Industrial Court cases on resume misrepresentation (Azman Idrus v SGA Services (M) Sdn Bhd [2015] 2 MELR 722; Royal Sungei Ujong Club v Vijaysankar Arumugam [2009] 3 MELR 65; Anthony Dass S Rajagopal v Strategic Research & Consultancy Sdn Bhd [2012] 2 MELR 47), per the accounts given by Donovan & Ho and, for the Azman Idrus case, also AskLegal.my; criminal-record hiring guidance per Verity Intelligence. Verified 2 July 2026; always confirm current requirements against the official PDPA text and JTKSM guidance, as rules may be updated. This article is general information, not legal advice.