Supplementary code for digital right to work checks (1. 0) pre-release
Published 3 March 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/supplementary-code-for-digital-right-to-work-checks-1-0/supplementary-code-for-digital-right-to-work-checks-1-0-pre-release
0. Version and certification validity notes
0.a. This 1.0 publication of the supplementary code for digital right to work checks (‘the RtW supplementary code’) made using powers under the Data (Use and Access) Act 2025 comes into force on [date of final publication].
0.b. It is published by the Office for Digital Identities and Attributes (‘OfDIA’), part of the Department for Science, Innovation and Technology (‘DSIT’). It sets out rules for digital verification services (‘DVS’) conducting right to work checks on holders of British and Irish passports or passport cards. OfDIA is responsible for the maintenance of this supplementary code.
0.e. Certifications against the rules that were set out in the non-statutory and statutory 0.4 publications of the supplementary code will remain valid until [date to be confirmed] or one of the following conditions occurs:
- a digital verification service uplifts its certification to this publication (including through an annual surveillance audit), thereby replacing the earlier certification; or
- the digital verification service’s certification against the 0.4 publications of the UK digital identity and attributes trust framework expires; or
- the digital verification service’s certification against the 0.4 publications of the RtW supplementary codes expires.
0.f. To be certified against the RtW supplementary code, services will need to also be certified against a current publication of the UK digital verification services trust framework (formerly known as the ‘UK digital identity and attributes trust framework’), from 1.0 publication onwards.
Part 1 - Background and context
1. Introduction
1.a. This is the 1.0 publication of the RtW supplementary code for digital right to work checks. It sets out rules DVS must follow, and the recommendations they can follow, in order to be certified against the RtW supplementary code.
1.b. A DVS’s certification against the RtW supplementary code assures employers who choose to conduct digital right to work checks that they can use the service to help meet Home Office requirements and recommendations (for example, regarding the level of confidence or authenticator quality) for digital right to work checks for holders of British and Irish passports, or Irish passport cards.
1.c. Employers will also need to comply with requirements for digital right to work checks, set out in Home Office regulations and guidance to obtain and retain certain data from the DVS and to check that the individual whose identity was verified is the same person who presents themself for work.
1.d. This RtW supplementary code builds on the rules set out in the 1.0 version of the UK digital verification services trust framework (the ‘trust framework’). DVS can only certify against this RtW supplementary code if they are certified against the trust framework.
1.e. Terms in this document are defined as set out in the trust framework’s definitions and glossary. In this document, ‘you’ and ‘your service’ are used to direct a provider to the specific rules their organisation and service(s) must follow, and the recommendations they can follow, to be certified.
1.f. The RtW supplementary code does not set any new requirements on, or recommendations for, employers for conducting compliant right to work checks. These are set by the Home Office, not OfDIA or DSIT. The RtW supplementary code helps DVS show they can be used by employers to fulfil their obligations.
Part 2 - Rules of the RtW supplementary code
2. Applicable roles
2.a. You must perform at least the role of identity service provider as described in the trust framework to be certified against the RtW supplementary code. You must additionally perform the role of holder service provider to be certified against the rules in section 5.
3. Identity verification
3.a. You must follow the rules for identity service providers set out in the trust framework.
3.1. Acceptable documents
3.1.a. For the purposes of digital right to work checks, the identity must be created using one of the following documents:
- A British passport, or
- An Irish passport, or
- An Irish passport card.
3.1.b. The passport or passport card must be valid according to GPG 45 and not be expired or visibly clipped.
3.2. Acceptable GPG 45 Profiles
3.2.a. For the purposes of digital right to work checks, the identity check must meet a medium level of confidence or above according to GPG 45.
4. Data to share with employers
4.a. If the check is successful, you must provide the following information to the employer relying on your service in a clear, legible format which cannot be altered:
| Data field | Note |
|---|---|
| Given name(s) | |
| Family name(s) | |
| Date of birth | |
| Image of the passport or passport card | This must be an image of the full biometric page of the passport or, in the case of an Irish passport card, an image of the front of the document in full. |
| The holder’s name, date of birth and nationality must be clearly visible in the image, as must their photo and the date of expiry of the document. | |
| Photograph of the user | You must verify that the photograph matches the image of the passport or passport card. |
| Date of identity check | |
| Evidence checked by | The name of your service, as it appears on your certificate |
| GPG 45 profile met by the check | The identity profile according to which the identity was created |
| GPG 44 authenticator quality | Only required if you are a holder service conducting the digital right to work check in accordance with section 5. |
| Identity verified | The response must be ‘Y’ if the identity was verified and ‘N’ if it was not verified. |
4.b. You must provide the employer with a record that your service was certified against a valid version of the trust framework and the RtW supplementary code at the time the check was conducted, specifying which version of each, so they can retain that record for compliance purposes.
4.c. You could retain your own record that you conducted the check. Retention of information listed in 4.a. is the employer’s responsibility, as set out in Home Office regulations and guidance. Your service does not need to retain this information.
4.d. You could use the trust framework data schema to support a standardised approach to sharing data with employers.
5. Using a holder service to conduct a right to work check
5.a. Passports and passport cards can be withdrawn or cancelled, and right to work checks are not transferrable from one employer to another. As such, if you want to use a pre-existing identity stored in a holder service to conduct a right to work check, you must be able to assure the employer that the user holds a British passport, Irish passport or Irish passport card at the time the check is conducted, and that the passport or passport card is not expired or visibly clipped by conducting a GPG 45 validity check on it.
5.b. If a holder service is used to conduct a right to work check, you must follow the rules for holder service providers set out in the trust framework and the holder service must have medium protection using medium quality authenticators as a minimum according to GPG 44.
5.c. To be used as described in 5.a, the pre-existing identity must have been created in line with 3.2, and the data in 4.a must be shared with the employer.