Confidentiality, NDAs and Background Checks

Private hiring operates on trust and verification. The two are not the same. Trust is built over time, through observed behaviour and track record. Verification is done up front, through structured background checks, reference work, and legal agreements. Neither substitutes for the other.

This article describes how confidentiality, NDAs, and vetting actually work in UHNW private hiring. It is written for principals and family office directors who need to structure the right level of protection, and for candidates who want to understand what legitimate process looks like before they are asked to sign anything.

The three layers of protection

Private hiring protection rests on three layers: process discipline, written agreements, and verification. Each does a different job, and skipping one weakens the others.

Process discipline governs how information moves during the search itself. Who sees the brief, how candidates are approached, how the household's identity is disclosed, and how records are kept.

Written agreements establish legal commitments between the candidate and the employer. NDAs, employment contracts, and post-employment obligations.

Verification checks the candidate's history, identity, right to work, and relevant background. It is the evidence base for trust.

Most serious breaches are not caused by bad candidates signing good NDAs. They are caused by weak process during the search, or by skipped verification steps that would have flagged a problem earlier.

The first information exposure in any private search is the brief itself. Who sees it, in what format, and how it circulates determines whether the search starts with a leak or not.

We operate by a simple principle. Candidates do not see the household's name until we have assessed them and the household has agreed they are viable. Before that, candidates receive a non-identifying brief: role scope, location in broad terms (London, South of France, New York tri-state), salary band, and key requirements. Nothing that narrows the household to a specific family.

Advertised roles are rarely compatible with this principle. We do not advertise senior private roles. The pool is small enough to be approached directly, and advertising invites identification by elimination.

Internal communications follow the same discipline. Our internal records refer to searches by code, not by client name. Candidate files do not link to the client file without a separate look-up. This is not theatre. It is what process discipline looks like when it is taken seriously.

NDAs: when they are needed and when they are not

Non-disclosure agreements are common at senior levels. They are not universal. The question is what legitimate protection the agreement provides, not whether one exists.

When an NDA is appropriate.

Before interview, when the candidate needs to understand the household's identity, business interests, or family structure to assess the role honestly. Examples: senior Chief of Staff roles, Head of Household at named principal residences, certain investment roles with specific strategy disclosure.

During employment, as a standard term of the contract, with clear scope around what constitutes confidential information and what does not.

Post-employment, with reasonable duration and scope. Two to five years for most roles. Longer for sovereign or royal household roles.

When an NDA is not needed.

Before initial interview, for most roles where the brief can be understood without identifying the household. Asking candidates to sign an NDA to receive the household's name is often a process failure rather than a protection. The better approach is to assess fit first, then disclose.

For very junior or very general roles, where the information exposure is minimal. A housekeeper at a specific residence does not typically require an NDA beyond a confidentiality clause in the contract.

Overreach erodes credibility. NDAs that prohibit the candidate from ever confirming they worked for the employer, or that apply to information already in the public domain, attract legal challenge and signal a household that is difficult to work with. Reasonable NDAs are accepted by good candidates. Overreaching NDAs filter out the best ones.

The other signal of a serious process is traceability. The fastest way to lose confidence in a private office is a decision or a document that cannot be traced back to who approved it. Confidentiality frameworks that cannot be audited provide the appearance of protection without the substance. A small office benefits from simple, written records as much as a large one does.

What a reasonable NDA covers

A well-drafted NDA includes:

Definition of confidential information. Clear enough to be enforceable. Typically includes financial information, personal information about family members, health matters, staffing arrangements, security arrangements, business interests, and details of residences. Excludes information already public.

Duration. Indefinite for some categories (health, financial detail of family members). Time-limited for others (business information).

Permitted disclosures. To legal, medical, or financial advisers under professional privilege. To regulators where legally required.

Return or destruction of materials. What happens to documents, keys, devices, and data on departure.

Governing law and jurisdiction. Clear, appropriate to the employer's home jurisdiction.

Proportionate remedies. Enforceability depends on remedies being reasonable. Unlimited liability clauses are often unenforceable and usually signal a drafting lawyer who has not understood the relationship.

For candidates, a sensible approach is to have the NDA reviewed by independent employment counsel before signing. The household is usually comfortable with this. Candidates who sign without review, particularly for long-duration obligations, risk accepting terms they will later regret.

Background checks: what and why

Background checks verify identity, history, and relevant conduct. The depth of check depends on the role and the access it grants.

Standard checks (most roles):

  • Identity verification (passport, residency)

  • Right to work (UK, US, relevant jurisdiction)

  • Employment history confirmation (last five to ten years, verified with previous employers)

  • Professional qualifications confirmation

  • Basic criminal record check (DBS in the UK, equivalent elsewhere)

  • Financial sanctions screening

Enhanced checks (senior or sensitive roles):

  • Enhanced or Standard DBS depending on role content

  • Adverse media screening (news and public records)

  • Social media review (identifying risk factors, not general surveillance)

  • Professional reference verification (specific questions on conduct, not just confirmation)

  • Financial history check where the role handles funds

  • Specific regulator checks (FCA, SEC, relevant professional bodies for investment roles)

Deep checks (principal households, royal or sovereign, senior investment roles):

  • Independent investigative vetting by a specialist firm

  • Enhanced financial history including undisclosed liabilities

  • International record checks across jurisdictions where the candidate has lived

  • Reputation interviews conducted outside the candidate's nominated references

Depth should match risk, not paranoia. Over-checking a housekeeper signals a difficult household. Under-checking a Chief of Staff signals a household that has not thought seriously about what the seat involves.

References: the real verification

Background checks confirm the record. References confirm the character. The two do different jobs. References, properly done, are often the most informative part of vetting.

We reference candidates with previous principals, family office directors, Chiefs of Staff, or direct senior colleagues. Not with HR departments. The questions that produce useful answers are specific: would you hire them again, for what role, at what salary, why or why not, describe a moment when their judgement was tested. The answers reveal the candidate in ways their CV cannot.

We listen for hesitation, specificity, and honesty. A reference that offers only generic praise is usually either a relationship the candidate has managed, or a referee who has reason not to say more. Both are signals.

Expect exceptions and manage them

No vetting process is complete. New information emerges after placement. Previous employers disclose context they had not previously shared. A candidate reveals a background detail in the first month that adds nuance to the picture. Every mature private office has a framework for handling these disclosures.

A well-run office maintains a record of matters that required judgement during employment. Not a log of breaches in a confrontational sense, but a quiet register of exceptions, decisions, and precedents. The register's existence is not a sign that breaches are frequent. It is an acknowledgement that exceptions are inevitable, and the office needs to handle them consistently. Consistency is trust-building. Ad hoc responses are trust-eroding.

Candidate side: what to expect

For candidates, the vetting experience varies widely. At the most rigorous end, candidates should expect:

Extended timelines. Vetting for principal households can take four to twelve weeks. Plan for it.

Personal information requests. Passport, residency, qualifications, financial history (where relevant), references, social media access. Providing these clearly and accurately accelerates the process.

Direct contact with referees. Some vetting firms contact referees by phone, at length. Brief your referees in advance so they are not surprised.

Follow-up questions. If something in the record requires explanation (a gap, a short tenure, a company that is no longer in business), you will be asked. Answer fully and in writing when asked.

Negotiable terms. Parts of the NDA or background check scope may be negotiable. Seek advice before signing, particularly on post-employment clauses.

Candidates who resist reasonable vetting are rarely a fit for senior private roles. Candidates who accept reasonable vetting but push back on overreach tend to be the candidates principals want anyway.

Data protection and GDPR

In the UK, EU, and comparable jurisdictions, private employers are data controllers subject to general data protection law. This shapes how candidate information is stored, accessed, and disposed of.

Key principles:

  • Data is collected for specified, clear purposes

  • It is held only as long as necessary

  • Access is restricted to authorised people

  • Candidates have rights of access and correction

  • Cross-border transfers follow relevant frameworks

Families who treat vetting information casually create legal exposure. Specialist vetting firms handle this professionally. Internal handling by small offices is often the weak link. Documenting a clear data handling policy, even for a small office, is inexpensive insurance.

How Oplu handles confidentiality and vetting

Oplu operates a tiered confidentiality framework. Standard engagements use a non-identifying brief format, verified candidate intake, and controlled disclosure of the household's identity only after a candidate is approved for introduction. Senior or royal household searches add additional steps: coded internal references, specialist vetting firms, and controlled document handling.

We do not request NDAs from candidates at initial contact. We do request professional confidentiality, which candidates at this level understand as a baseline. NDAs are introduced at the appropriate stage, usually pre-interview with the client, and reviewed by the candidate's advisers before signing.

Our reference work is conducted by the Oplu team, not outsourced. Reference conversations are summarised in the candidate profile presented to the client, including specific observations that affect fit, not only strengths. Clients see the honest picture, including the risks, before deciding.

Firat Bay

Managing Director

Confidentiality, NDAs and Background Checks FAQs

Many do, especially at senior levels or in roles with significant personal access to the principal. A well-drafted NDA defines confidential information clearly, includes reasonable duration, and permits disclosures to legal or medical advisers. NDAs that are overreaching or indefinite in scope often fail in court and filter out the best candidates.