Why Agencies Cannot Skip This
Recruitment agencies in the UK are legally required to verify the right to work status of every worker they supply. This isn’t optional guidance — it’s a legal obligation under the Immigration, Asylum and Nationality Act 2006.
Current civil penalties:
£45,000 per illegal worker
Tripled from £15,000 in February 2024
£60,000 per illegal worker
Plus potential criminal prosecution
The Home Office specifically targets recruitment agencies and employment businesses because they supply workers to multiple end clients. A single agency placing 50 workers without proper checks could face penalties exceeding £2 million.
Conducting a proper check before the worker starts their assignment establishes a statutory excuse — a legal defence that protects your agency if the worker is later found to be working illegally. Without this excuse, your agency is liable regardless of intent.
The Three-Step Check Process
The Home Office prescribes a three-step process that must be followed in order. Cutting corners on any step invalidates your statutory excuse.
Obtain — Get the original document
The worker must provide an original document from the acceptable documents list (see Section 3). You cannot accept photocopies, scanned copies, or photos of documents at this stage. The document must be provided by the worker themselves.
Check — Verify the document is genuine
- • Photos and dates of birth are consistent across documents
- • Dates for right to work have not expired
- • Photos are of the person presenting the document
- • Documents are not obviously tampered with
- • You are satisfied the document is genuine and belongs to the holder
Copy — Make and retain a clear copy
- • Copy the document in a format that cannot be altered (scan or photograph)
- • For passports: copy the front cover and any page with the holder’s details
- • For biometric cards: copy both sides
- • Record the date you made the check
- • Retain securely for 2 years after employment ends
Timing is critical
The check must be completed before the worker starts their first assignment. A check done on their second day is too late — you’ve already lost your statutory excuse for that period.
Acceptable Document List
The Home Office divides acceptable documents into two lists. List A documents prove an ongoing right to work with no expiry. List B documents prove a time-limited right to work and require follow-up checks.
List A — Permanent Right to Work
UK or Irish passport
Current or expired. Single document sufficient.
UK birth/adoption certificate + NI evidence
Birth certificate alone is not enough. Must be combined with P45, P60, or NI card.
Certificate of registration/naturalisation as a British citizen
Combined with official evidence of NI number.
List B — Time-Limited Right to Work
Biometric Residence Permit (BRP)
Shows current immigration permission to work. Follow-up check required at expiry. Note: BRPs are being replaced by eVisas — check via the Home Office online service where possible.
Frontier Worker Permit
For EU/EEA/Swiss citizens working in the UK while living abroad.
Passport with visa or endorsement
Valid passport showing permission to do the type of work being offered.
Home Office online check (share code)
Candidate provides a share code at gov.uk/prove-right-to-work. You verify at gov.uk/view-right-to-work.
Documents that are NOT acceptable
- • Driving licences (do not prove right to work)
- • National Insurance number cards alone (must be combined with birth certificate)
- • Council tax bills, utility bills, or bank statements
- • Letters from previous employers
- • CRB/DBS certificates
Collect Right to Work Documents Securely
Send candidates a single encrypted link. They upload from any device. You get an audit trail. GDPR sorted.
Digital vs Manual Checks
Since April 2022, the Home Office has allowed three methods for conducting right to work checks. Each has different requirements and limitations.
Manual Check (In-Person or Video Call)
Works for:
All workers, all document types
Process:
View original in person or via live video call. Copy and retain.
Video call option introduced during COVID and made permanent. Worker must hold up the original document to camera.
IDVT Digital Check (Certified Provider)
Works for:
British and Irish passport holders only
Process:
Worker scans passport NFC chip via certified app. Identity verified automatically.
Must use a Home Office certified IDVT provider. List available on gov.uk. Costs typically £1-3 per check.
Home Office Online Check (Share Code)
Works for:
Non-UK nationals with immigration status (e.g. EU settled status, visa holders)
Process:
Worker generates share code at gov.uk. Employer verifies and saves the result page.
Share codes expire after 90 days. The check must be done while the code is valid. Print/save the result as your record.
The gap between check and collection
Whichever method you use, you still need to securely collect and store the supporting documents — passport copies, visa pages, BRP scans. Asking candidates to email these is a GDPR risk. An unencrypted passport photo sitting in a shared inbox is a data breach waiting to happen.
Common Mistakes That Void Your Defence
The Home Office publishes enforcement data showing why statutory excuses are rejected. These are the most common mistakes recruitment agencies make.
Checking after the start date
The check must be done before the worker begins their first assignment. Even one day late means no statutory excuse for that period.
Accepting photocopies instead of originals
You must see the original document (in person or via video call). A scan sent by email is not an original. The copy you retain is made after you've verified the original.
Not recording the date of the check
Your retained copy must include the date the check was performed. Without it, you cannot prove when the check happened.
Missing follow-up checks on time-limited documents
List B documents require repeat checks before the permission expires. Miss the follow-up and your excuse lapses.
Relying on the end client to check
As the agency supplying the worker, you are responsible for the check. The end client may do their own check, but that doesn't cover you.
Poor document storage
Passport copies in an email thread, shared Google Drive, or unlocked filing cabinet. GDPR requires appropriate security measures for identity documents.
Secure Document Collection
The right to work check process creates a practical problem: you need high-quality copies of sensitive identity documents, often from candidates who are remote, on their phone, or in a different time zone. Here’s how to handle this without compromising GDPR compliance.
Secure Collection Checklist
Encrypted in transit and at rest — not sitting in plaintext in an email server
Access-controlled — only authorised staff can view the documents
Audit trail — record of who uploaded, who downloaded, and when
Auto-deletion — documents removed after verification, not lingering in inboxes
Device-agnostic — candidates can upload from a phone at 6pm on a Friday
No candidate registration — friction kills completion rates
The alternative is what most agencies do today: ask the candidate to email a photo of their passport to a shared recruitment inbox. That passport copy then sits unencrypted on a mail server, gets forwarded to the hiring manager, backed up to cloud storage, and never deleted. One compromised email account and every candidate’s identity documents are exposed.
Under GDPR, identity documents are sensitive personal data. The ICO expects “appropriate technical and organisational measures” to protect them. An unencrypted email attachment doesn’t meet that bar.
Right to Work Compliance Starts with Secure Collection
Send candidates a single encrypted link. They upload their passport from any device. You get AES-256 encrypted documents with a complete audit trail. GDPR compliant by design.
Written by the FileSeal security and compliance team. We specialise in document security, GDPR compliance, and data protection for UK professionals. Our guides are reviewed by industry practitioners and updated regularly.