One of the ways in which employers can check whether an individual has the right to work in the UK is by instructing a Digital Identity Service Provider (IDSP). Organisations should remember, however, that it is the employer - as data controller - that is responsible for ensuring that any technology it deploys is compliant with data protection law.

Checking the right to work in the UK

Although there is no legal requirement to carry out right to work checks, doing so gives you a defence against a civil penalty if it transpires that you have employed someone who is not entitled to work in the UK in the capacity you have employed them. The government has recently announced that the maximum civil penalty is set to increase from £20,000 to £60,000.

Right to work checks should form part of your standard recruitment process. To reduce the risk of discrimination, it is best practice to do them at the same stage for all applicants regardless of nationality.

There are three different types of right to work check:

  • Manual: you must be in physical possession of the worker's original documents and carry out the check with them in person or via video link.
  • Online: a Home Office online right to work check is compulsory for some individuals e.g. those with biometric residence permits, biometric residence cards, frontier worker permits or eVisas.
  • Using a Digital Identity Service Provider: for individuals with valid British or Irish passports (or an Irish passport card) you can instruct a Digital Identity Service Provider (IDSP) to carry out digital identity checks. You then have to verify that the details match those of the worker.

Data protection obligations arise whatever type of right to work check is carried out. In this blog we consider the particular issues for an employer using an IDSP.

Contracting with an IDSP

There is a list of certified IDSPs to choose from. As an IDSP will be processing personal data on your behalf, UK GDPR requires the written agreement with a third-party data processor to meet certain compliance requirements, as set out in this ICO guidance.

Compliance with data protection law

You can't assume that just because a vendor is selling a right to work check service that it (or your use of it) will comply with data protection law. As a data controller you will be responsible for ensuring that any technology or service used for pre-employment checks is lawful and is configured in a way that enables you to comply with your data protection obligations.

Check the IDSP

The first step should be to find out exactly what service the IDSP provides, what information will be processed, how data will be collected, and so on.
Identify a lawful basis for processing

Under data protection law, you must be able to identify a lawful basis for processing personal data. In the context of right to work checks this is likely to be 'to enter or carry out the contract' and/or 'to comply with a legal obligation'.

If the IDSP captures special category data when carrying out the right to work check (for example biometric data used for the purposes of identification) then a special category processing condition must be identified as well as a lawful basis (e.g. 'processing is necessary in relation to the employer's employment law rights or obligations or those of the individual'). This is the case even if the special category data is captured inadvertently.

Even with a lawful basis for processing, you also need to consider whether collecting all the information provided by the IDSP is necessary. If the IDSP is collecting more personal data than is necessary (or doing additional checks that are not needed to verify a right to work in the UK, e.g. a credit check) then that would be a breach of data protection law.

Carry out a data protection impact assessment

A data protection impact assessment (DPIA) is a process for assessing the impact of data processing activities. A DPIA will identify privacy risks and steps to minimise those risks and evaluate whether your activities are justified under data protection law.

DPIAs are mandatory if monitoring (including pre-employment checks) involves the processing of personal data which is likely to result in a high risk to individuals’ rights and freedoms. It is good practice to carry out a DPIA whenever you are using an IDSP for the first time.

Think about the data protection principles (see below) when carrying out a DPIA. What are the privacy implications for workers? Is there a less intrusive way of checking? Does the digital check gather more information than is necessary to demonstrate a right to work in the UK?

Carrying out a DPIA requires you to think critically about the basis for, and specific purpose of, using the digital right to work check service and is something which should be revisited to ensure there is no function creep over time.

Due diligence

Carry out appropriate due diligence on the IDSP and how it handles personal data. For example, you will want to satisfy yourself that the IDSP has appropriate technical and organisational security measures in place, and understand the IDSP's supply chain and where personal data is being processed. Ensure that this is reviewed regularly.
Review the IDSP's contract

The contract terms and conditions will need to comply with Article 28 of UK GDPR. In particular, you will want to ensure that the contract contains appropriate controls over the use of sub-processors.

You will also want to consider whether the contract deals with other issues such as cyber security and the IDSP's business continuity and disaster recovery procedures.

Follow the data protection principles

You must process all workers' personal data in line with the data protection principles. This means that:

  • Personal data must be processed fairly, lawfully, in a transparent manner and in line with the permitted grounds for processing.
  • You must only collect personal data for specified, explicit and legitimate purposes, and only process it in line with those purposes.
  • Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
  • Personal data must be accurate and, where necessary, kept up-to-date.
  • You should not keep personal data for longer than necessary, in relation to the purpose for which it is processed. The right to work guidance requires employers to retain this data for two years after employment ends.
  • You need to ensure appropriate data security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.

You will need to satisfy yourself that the IDSP's processes and procedures enable you to comply with these principles. For example, can you specify the retention period of data? Does the IDSP use any of the data collected for other purposes? Can you specify the privacy notice that is provided to employees when they use the platform?

Review your privacy notice

Workers have the right to be informed about the collection and use of their personal data. Therefore, your privacy notice should be clear about (i) the type of data collected via the IDSP; (ii) where the data comes from; (iii) the basis on which you are processing the data; and (iv) what you will use it for. The privacy notice should also contain details of the data access procedures, security and retention rules, and so on.

Transparency is important. Communications with workers regarding data protection, including privacy notices, must be easily accessible and in clear and plain language. Ensure that you are able to use your own notice rather than a pro forma provided by the IDSP.

If you would like to discuss anything raised in this blog, please contact a member of the Employment and Immigration or IP, Technology and Data teams. Users of Workbox by Brodies, our award-winning HR and employment law site, will find useful FAQs and guidance at Checking the Right to Work in the UK and Data Protection: Employee Monitoring.


Julie Keir

Practice Development Lawyer

Martin Sloan