Supplementary code for digital right to work checks (1.0)
Updated 9 June 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/supplementary-code-for-digital-right-to-work-checks-1-0/supplementary-code-for-digital-right-to-work-checks-1-0-pre-release
0. Version and certification validity notes
0.a. This 1.0 publication of the supplementary code for digital right to work checks (‘the RtW supplementary code’) will come into force under section 29 of the Data (Use and Access) Act 2025 on the date the first conformity assessment body (‘CAB’) is accredited to certify against it, which will be no earlier than 1 September 2026.
0.b. It is published by the Office for Digital Identities and Attributes (‘OfDIA’), part of the Department for Science, Innovation and Technology (‘DSIT’). It sets out rules for digital verification services (‘DVS’) conducting right to work checks on holders of British and Irish passports or passport cards. OfDIA is responsible for the maintenance of this supplementary code.
0.c. To be certified against the RtW supplementary code, services will need to also be certified against a current publication of the UK digital verification services trust framework (formerly known as the ‘UK digital identity and attributes trust framework’).
0.d. The non-statutory gamma (0.4) version of the RtW supplementary code, published on 26 June 2025 and the statutory gamma (0.4) published on 1 December 2025 will remain valid for a limited period of time for the purposes of:
-
certification, such that certificates issued against those versions will remain valid and any audit and surveillance in respect of those certificates are conducted against those versions as relevant, subject to 0.e below; and
-
Part 2 of the Act (where relevant and where there exist certificates which are valid against them) such that references to supplementary code are to be read as references to the non-statutory gamma (0.4) and the statutory gamma (0.4) versions.
0.e. The statutory gamma (0.4) version of the RtW supplementary code is only to remain valid for new certifications following the coming into force date of this 1.0 RtW supplementary code in the circumstances below:
-
The DVS applied for certification against the statutory gamma (0.4) RtW supplementary code before the day on which this 1.0 RtW supplementary code comes into force but the certification process had not been completed by that date, such that a certificate was issued by an accredited CAB after that date; or
-
The DVS applying for certification, at the point at which they apply for new certification, holds a certificate confirming they comply with the requirements under the non-statutory gamma (0.4) or the statutory gamma (0.4) versions of the RtW supplementary code and the application is made by that DVS before the certificate expires and within 15 months of the day on which this 1.0 RtW supplementary code comes into force.
0.f. The non-statutory gamma (0.4) and the statutory gamma (0.4) versions of the RtW supplementary code referred to in 0.c will no longer apply for the purposes of certification and Part 2 of the Act, and certificates issued against them will expire and should be ignored for those purposes if any of the following apply:
-
27 months have elapsed since the day on which this 1.0 RtW supplementary code comes into force (including that day);
-
a service uplifts to the 1.0 publication and has a certificate issued to confirm that;
-
the service’s non-statutory gamma (0.4) or statutory gamma (0.4) certification against the RtW supplementary code expires; or
-
the service’s non-statutory gamma (0.4) or statutory gamma (0.4) certification against the UK digital verification services trust framework expires.
Part 1 - Background and context
1. Introduction
1.a. This is the 1.0 publication of the RtW supplementary code for digital right to work checks. It sets out rules DVS must follow, and the recommendations they can follow, in order to be certified against the RtW supplementary code.
1.b. A DVS’s certification against the RtW supplementary code assures employers who choose to conduct digital right to work checks that they can use the service to help meet Home Office requirements and recommendations (for example, regarding the level of confidence or authenticator quality) for digital right to work checks for holders of British and Irish passports, or Irish passport cards.
1.c. Employers will also need to comply with requirements for digital right to work checks, set out in Home Office regulations and guidance to obtain and retain certain data from the DVS and to check that the individual whose identity was verified is the same person who presents themself for work.
1.d. This RtW supplementary code builds on the rules set out in the 1.0 version of the UK digital verification services trust framework (the ‘trust framework’). DVS can only certify against this RtW supplementary code if they are certified against the trust framework.
1.e. Terms in this document are defined as set out in the trust framework’s definitions and glossary. In this document, ‘you’ and ‘your service’ are used to direct a provider to the specific rules their organisation and service(s) must follow, and the recommendations they can follow, to be certified.
1.f. The RtW supplementary code does not set any new requirements on, or recommendations for, employers for conducting compliant right to work checks. These are set by the Home Office, not OfDIA or DSIT. The RtW supplementary code helps DVS show they can be used by employers to fulfil their obligations.
Part 2 - Rules of the RtW supplementary code
2. Applicable roles
2.a. You must perform at least the role of identity service provider as described in the trust framework to be certified against the RtW supplementary code. You must additionally perform the role of holder service provider to be certified against the rules in section 5.
3. Identity verification
3.a. You must follow the rules for identity service providers set out in the trust framework.
3.1. Acceptable documents
3.1.a. For the purposes of digital right to work checks, the identity must be created using one of the following documents:
- A British passport, or
- An Irish passport, or
- An Irish passport card.
3.1.b. The passport or passport card must be valid according to GPG 45 and not be expired or visibly clipped.
3.2. Acceptable GPG 45 Profiles
3.2.a. For the purposes of digital right to work checks, the identity check must meet a medium level of confidence or above according to GPG 45.
4. Data to share with employers
4.a. If the check is successful, you must provide the following information to the employer relying on your service in a clear, legible format which cannot be altered:
| Data field | Note |
|---|---|
| Given name(s) | |
| Family name(s) | |
| Date of birth | |
| Image of the passport or passport card | This must be an image of the full biometric page of the passport or, in the case of an Irish passport card, an image of the front of the document in full. The holder’s name, date of birth and nationality must be clearly visible in the image, as must their photo and the date of expiry of the document. |
| Photograph of the user | You must verify that the photograph matches the image of the passport or passport card. |
| Date of identity check | |
| Evidence checked by | The name of your service, as it appears on your certificate |
| GPG 45 profile met by the check | The identity profile according to which the identity was created |
| GPG 44 authenticator quality | Only required if you are a holder service conducting the digital right to work check in accordance with section 5. |
| Identity verified | The response must be ‘Y’ if the identity was verified and ‘N’ if it was not verified. |
4.b. You must provide the employer with a record that your service was certified against a valid version of the trust framework and the RtW supplementary code at the time the check was conducted, specifying which version of each, so they can retain that record for compliance purposes.
4.c. You could retain your own record that you conducted the check. Retention of information listed in 4.a. is the employer’s responsibility, as set out in Home Office regulations and guidance. Your service does not need to retain this information.
4.d. You could use the trust framework data schema to support a standardised approach to sharing data with employers.
5. Using a holder service to conduct a right to work check
5.a. Passports and passport cards can be withdrawn or cancelled, and right to work checks are not transferrable from one employer to another. As such, if you want to use a pre-existing identity stored in a holder service to conduct a right to work check, you must be able to assure the employer that the user holds a British passport, Irish passport or Irish passport card at the time the check is conducted, and that the passport or passport card is not expired or visibly clipped by conducting a GPG 45 validity check on it.
5.b. If a holder service is used to conduct a right to work check, you must follow the rules for holder service providers set out in the trust framework and the holder service must have medium protection using medium quality authenticators as a minimum according to GPG 44.
5.c. To be used as described in 5.a, the pre-existing identity must have been created in line with 3.2, and the data in 4.a must be shared with the employer.