diff --git a/loads/models.py b/loads/models.py
index 8b11b63..0ba580c 100644
--- a/loads/models.py
+++ b/loads/models.py
@@ -655,9 +655,9 @@ class Staff(models.Model):
     is_external = models.BooleanField(default=False)
     has_workload = models.BooleanField(default=True)
     job_title = models.CharField(max_length=100, null=True, blank=True)
-    school = models.ForeignKey(School, null=True, on_delete=models.SET_NULL)
-    faculty = models.ForeignKey(Faculty, null=True, on_delete=models.SET_NULL)
-    campus = models.ForeignKey(Campus, null=True, on_delete=models.SET_NULL)
+    school = models.ForeignKey(School, null=True, blank=True, on_delete=models.SET_NULL)
+    faculty = models.ForeignKey(Faculty, null=True, blank=True, on_delete=models.SET_NULL)
+    campus = models.ForeignKey(Campus, null=True, blank=True, on_delete=models.SET_NULL)
     package = models.ForeignKey(WorkPackage, null=True, on_delete=models.SET_NULL)
     objects = StaffManager()
diff --git a/loads/views.py b/loads/views.py
index f84f6fe..b52b47f 100644
--- a/loads/views.py
+++ b/loads/views.py
@@ -22,7 +22,7 @@ from django.utils.decorators import method_decorator
 from django.http import HttpResponse, HttpResponseRedirect
 from django.template import loader
-from django.contrib.auth.models import User, Group
+from django.contrib.auth.models import User, Group, Permission
 from .models import ActivityGenerator, Category
 from .models import AssessmentResource
@@ -964,9 +964,18 @@ def create_staff_user(request):
     if request.method == 'POST':
         form = StaffCreationForm(request.POST)
         if form.is_valid():
-            form.save()
             new_username = form.cleaned_data['username']
+            groups = form.cleaned_data['groups']
+
+            for group in groups:
+                permissions = group.permissions.all()
+                logger.debug("[%s] checking group %s with %u permissions" % (request.user, group, permissions.count()))
+                if permissions.count() > 0:
+                    logger.critical(
+                        "[%s] cannot add group %s with built in permissions" % (request.user, group))
+                    raise PermissionDenied(f"Cannot add group '{group.name}' as it has built in permissions")
+            form.save()
             messages.success(request, 'Account created successfully')
             logger.info("[%s] (admin) created a staff user %s" % (request.user, new_username), extra={'form': form})
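Review bot: The guard in the new loop hits the database twice per group (`permissions.count()` in the debug log and again in the `if`), and the `Permission` name added to the import in the earlier views.py hunk is not referenced by this code; `if group.permissions.exists():` does the check in a single query, with the count logged only on the rejecting branch. Rejecting before `form.save()` is the right order (the check fails closed), but raising `PermissionDenied` from the view answers the admin with a 403 instead of a form error, so a `clean_groups()` on `StaffCreationForm` raising `forms.ValidationError` would surface the same rejection on the form and apply wherever that form is used. `PermissionDenied` is not brought in by the import hunk of this diff, so confirm it is already imported in views.py; otherwise this branch raises `NameError` (still before the save, but without the intended message). The check also only looks at a group's permissions at account-creation time; permissions later granted to a group are not revisited here. `create_staff_user` begins outside the hunk.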