Supplementary code for digital right to work checks (0.4)
This publication sets out rules for digital verification services supporting employers who choose to conduct digital right to work checks.
0. Version and certification validity notes
0.a. This (0.4) publication of the supplementary code for digital right to work digital identity checks (‘the RtW supplementary code’) comes into force on 1 July 2025.
0.b. It is the first publication of the RtW supplementary code by the Office for Digital Identities and Attributes (OfDIA), part of the Department for Science, Innovation and Technology (DSIT). It sets out rules for digital verification services (DVS) conducting right to work checks on holders of British and Irish passports or passport cards. OfDIA is responsible for maintenance of the supplementary code.
0.c. DVS have been able to undergo certification for this purpose since 6 April 2022 as part of the UK digital identity and attributes trust framework certification scheme, by being certified against rules previously set out in Home Office regulations and guidance for employers. The most recent version of the Home Office employer’s guide to right to work checks was published on 12 February 2025 and can be accessed on the National Archives.
0.d. This publication is designed to support continuity, and the auditable requirements on DVS are designed to be unchanged. This RtW code either precisely replicates DVS facing rules from the previous Home Office regulations and guidance for employers, omits them where they repeat the trust framework or constitute un-auditable recommendations, or reflects them in clearer, more auditable language. It also adds some new ‘could’ rules that providers do not need to follow but might support OfDIA and Home Office policy aims.
0.e. Certifications against the rules that were set out in Home Office guidance will remain valid until one of the following occurs:
-
a digital verification service uplifts its certification to this publication (including through an annual surveillance audit), thereby replacing the earlier certification; or
-
the digital verification service’s certification against the beta (0.3) publication of the UK digital identity and attributes trust framework expires; or
-
the digital verification service’s certification against the rules in Home Office guidance expires.
0.f. To be certified against the RtW supplementary code, services will need to also be certified against a current publication of the UK digital identity and attributes trust framework, from the gamma (0.4) publication onwards.
Part 1 - Background and context
1. Introduction
1.a. This is the (0.4) publication of the RtW supplementary code for digital right to work checks. It sets out rules DVS must follow, and the recommendations they can follow, in order to be certified against the RtW supplementary code.
1.b. A DVS’s certification against the RtW supplementary code assures employers who choose to conduct digital right to work checks that they can use the service to help meet Home Office requirements and recommendations (for example, regarding the level of confidence or authenticator quality) for digital right to work checks for holders of British and Irish passports, or Irish passport cards.
1.c. Employers will also need to comply with requirements for digital right to work checks, set out in Home Office regulations and guidance, to obtain and retain certain data from the DVS and to check that the individual whose identity was verified is the same person who presents themself for work.
1.d. This RtW supplementary code builds on the rules set out in the 0.4 version of the UK digital identity and attributes trust framework, (the ‘trust framework’). DVS can only certify against this RtW supplementary code if they are certified against the trust framework.
1.e. Terms in this document are defined as set out in the trust framework’s definitions and glossary. In this document, ‘you’ and ‘your service’ are used to direct a provider to the specific rules their organisation and service(s) must follow, and the recommendations they can follow, to be certified.
1.f. The RtW supplementary code does not set any new requirements on, or recommendations for, employers for conducting compliant right to work checks. These are set by the Home Office, not OfDIA or DSIT. The RtW supplementary code helps DVS show they can be used by employers to fulfil their obligations.
Part 2 - Rules of the RtW supplementary code
2. Applicable roles
2.a. You must perform at least the role of identity service provider as described in the trust framework to be certified against the RtW supplementary code. You must additionally perform the role of holder service provider to be certified against the rules in section 5.
3. Identity verification
3.a. You must follow the rules for identity service providers set out in the trust framework.
3.1. Acceptable documents
3.1.a. For the purposes of digital right to work checks, the identity must be created using one of the following documents:
-
A British passport, or
-
An Irish passport, or
-
An Irish passport card.
3.1.b. The passport or passport card must be valid according to GPG 45 and not be expired or visibly clipped.
3.2. Acceptable GPG 45 Profiles
3.2.a. For the purposes of digital right to work checks, the identity check must meet a medium level of confidence or above according to GPG 45.
4. Data to share with employers
4.a. If the check is successful, you must provide the following information to the employer relying on your service in a clear, legible format which cannot be altered:
| Data field | Note |
|---|---|
| Forename | |
| Middle name(s) | Only required if the user has a middle name(s) |
| Present surname(s) | |
| Date of birth | |
| Image of the passport or passport card | This must be an image of the full biometric page of the passport or, in the case of an Irish passport card, an image of the front of the document in full. The holder’s name, date of birth and nationality must be clearly visible in the image, as must their photo and the date of expiry of the document. |
| Photograph / image | An image of the prospective user. You must verify that the image matches the passport or passport card, and the user. |
| Date of identity check | |
| Evidence checked by | The name of your service, as it appears on your certificate |
| Identity verified | The response must be ‘Y’ if the identity was verified and ‘N’ if it was not verified. |
4.b. You must know what GPG 45 profile the check was conducted according to. You could provide the GPG 45 profile to the employer.
4.c. You could provide the employer with a record that your service was certified at the time the check was conducted, so they can retain that record for compliance purposes.
4.d. You could retain your own record that you conducted the check. Retention of information listed in 4.a is the employer’s responsibility, as set out in Home Office regulations and guidance. Your service does not need to retain this information.
4.e. You could use the trust framework data schema to support a standardised approach to sharing data with employers.
5. Using a holder service to conduct a right to work check
5.a. Passports and passport cards can be withdrawn or cancelled, and right to work checks are not transferrable from one employer to another. As such, if you want to use a pre-existing identity stored in a holder service to conduct a right to work check, you must be able to assure the employer that the user holds a British passport, Irish passport or Irish passport card at the time the check is conducted, and that the passport or passport card is not expired or visibly clipped by conducting a GPG 45 validity check on it.
5.b. If a holder service is used to conduct a right to work check, you must follow the rules for holder service providers set out in the trust framework and the holder service must have medium protection using medium quality authenticators as a minimum according to GPG 44.
5.c. To be used as described in 5.a, the pre-existing identity must have been created in line with 3.2, and the data in 4.a must be shared with the employer.