Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
Hiring your first (or next) team member is exciting - but it also comes with a non-negotiable compliance step: you need to check someone’s right to work in the UK before they start.
If you miss this, you can expose your business to serious penalties. If you do it badly (for example, inconsistently), you can also create discrimination risk. The good news is that the right-to-work process is usually straightforward once you know what you’re looking for and how to record it properly.
This guide breaks down how to check someone’s right to work in a practical, small-business-friendly way, including what evidence to accept, when follow-up checks are needed, and how to store records in a UK GDPR-compliant way.
Why You Need To Check Someone’s Right To Work (And What The Risks Are)
In the UK, employers have a legal duty to prevent illegal working. The key idea is simple: you must check an employee’s right to work before employment begins, and you must do it in a way that meets Home Office requirements.
When you carry out a compliant right to work check, you may establish what’s commonly called a “statutory excuse” - meaning that if it later turns out the individual did not have the right to work (or did not have the right to do the work you employed them to do), you have a legal defence against certain civil penalties, as long as your check was done correctly.
If you don’t do the check (or you do it incorrectly), the risks can include:
- Civil penalties (fines) for employing someone illegally.
- Criminal liability in serious cases (for example, if you knew or had reasonable cause to believe the person didn’t have the right to work).
- Operational disruption if you have to suspend or terminate employment quickly after discovering an issue.
- Reputational damage - especially if you’re working with public-sector clients or regulated partners.
It’s worth remembering that right-to-work compliance sits alongside your other employment fundamentals. For example, having a clear Employment Contract in place helps set expectations about documentation, start dates, and what happens if someone can’t provide required evidence.
When Should You Check An Applicant’s Right To Work?
The timing matters. To stay compliant, you should carry out right to work checks:
- Before employment starts (ideally after you’ve made a conditional offer and before the first day).
- Before the work is actually carried out (not “within the first week” or “after onboarding”).
- Again, later on if the person has a time-limited right to work.
A common best practice is to make offers conditional on:
- satisfactory references (if you take them),
- eligibility to work in the UK, and
- any role-specific checks you need (for example, qualifications).
Also, be consistent. If you only check certain candidates based on nationality, accent, name, or “gut feel”, you can create discrimination risk. The safer approach is to check every successful candidate in the same way, at the same stage of your recruitment process.
And remember: right to work checks are separate from whether you issue written terms. Even though the UK doesn’t require a single formal contract document in all cases, you still need to get the legal basics right - including clarity around status and terms. If this is something you’re reviewing, it may help to read work without a contract considerations so you’re not relying on assumptions.
How To Check Someone’s Right To Work: The Main Methods
In practice, there are three recognised ways to check an employee’s right to work, depending on their immigration status and documents:
- Online right to work checks using the Home Office service (typically with a share code) - in some cases, this is the only permitted method.
- Manual document checks for eligible original documents (checking the originals in person).
- Digital checks via an IDSP (Identity Service Provider) for eligible British and Irish passport holders (using an Identity Document Validation Technology (IDVT) process), if you choose to use one.
The right method depends on the type of documents/status the individual holds.
1) Online Right To Work Checks (Share Code Checks)
Many people now prove their right to work digitally. Typically, the person will provide you with:
- a share code, and
- their date of birth.
You then use the Home Office online service to view their right to work status. If you use the online system correctly, you’ll be shown what work they’re allowed to do and whether there’s an expiry date.
Important: for many people with an eVisa or digital immigration status (including most holders of biometric residence permits/cards and status granted under the EU Settlement Scheme), the Home Office requires employers to use the online service - you can’t rely on a manual document check to get a statutory excuse.
Practical tips:
- Match the photo shown online to the person you’re hiring (this is crucial).
- Check the conditions carefully (for example, restrictions on hours or role types can apply in some situations).
- Save evidence of the check (for example, a PDF or screenshot) and record the date you carried it out.
If the online status shows a time-limited right to work, you’ll need to diarise a follow-up check before it expires (more on this below).
2) Manual Right To Work Checks (Original Documents)
In some cases, you may be permitted to do a manual check using original documents. A compliant manual check generally involves three parts:
- Obtain the original document(s) from the individual.
- Check the document(s) are genuine and belong to the person presenting them.
- Copy and keep a record in a compliant way (including the date of the check).
When checking documents, you should look for:
- consistency of names and dates of birth across documents,
- photos that clearly match the individual,
- signs of alteration, damage, or poor print quality that might suggest tampering, and
- any restrictions (for example, expiry dates or work conditions).
Important: the Home Office has specific lists of acceptable documents and rules about what combinations are valid. Also, some individuals can’t be checked this way at all (they must be checked online). If you’re ever unsure, it’s worth getting advice rather than guessing, because “close enough” doesn’t protect you if the check is later challenged.
3) Digital Right To Work Checks Using An IDSP (British And Irish Passport Holders)
For eligible British and Irish citizens with a valid passport (or Irish passport card), you may choose to use a certified IDSP to carry out a digital identity check. This is different to the Home Office online right to work service: it’s an IDVT-based process and must be done through a provider that meets the Home Office requirements.
If you use an IDSP, make sure you:
- confirm the check is within scope (the right person, the right document, the right process),
- keep the output/report from the IDSP as evidence, and
- record the date the check was completed.
What If The Person Can’t Provide Evidence Yet?
This comes up a lot with small businesses hiring quickly (for example, someone who says they’re waiting for an updated status or replacement document). The key point is: don’t allow them to start working until you’ve completed a compliant check.
If timing is tight, you can:
- move the start date back,
- keep the offer conditional, and/or
- seek professional guidance on the correct process for their specific situation.
This is also where strong onboarding processes matter. During probation, you’re often assessing performance and fit - but you should already have the right-to-work box ticked before day one. If you’re building a structured onboarding workflow, a clear probation periods policy can complement your recruitment compliance so nothing slips through the cracks.
Follow-Up Checks, Time-Limited Permission, And Ongoing Compliance
Not every right to work check is “one and done”. If an employee has time-limited permission to work in the UK, you must carry out a follow-up check before their permission expires, otherwise you lose your statutory excuse going forward.
A good small-business approach is to build a simple compliance system:
- Record the expiry date (if any) immediately after the initial check.
- Set reminders well in advance (for example, 90 days and 30 days before expiry).
- Re-check using the correct method (online, manual, or IDSP where applicable) before the expiry date.
- Keep evidence of the follow-up check, just like the initial check.
If the employee’s permission is expiring and they’re renewing or changing immigration status, don’t leave this to the last minute. You’ll want to manage this carefully and sensitively (and ideally in writing), because it can become both a legal risk and a human issue within your team.
If You Sponsor Workers
Some small businesses eventually grow into hiring from overseas under sponsorship routes. If that’s on your radar, you’ll likely need a sponsor licence and you’ll need robust HR processes to maintain it.
If you’re dealing with a business partner, supplier, or acquisition target and sponsorship is part of the picture, it can also be useful to understand how to check a sponsorship licence as part of your due diligence and risk checks.
How To Record And Store Right To Work Checks (Without Creating GDPR Headaches)
Doing the check is only half the job. You also need to be able to prove you did it properly.
That means keeping clear records of:
- what you checked (documents, online status, or IDSP output),
- when you checked it (date), and
- who checked it (the person in your business who carried out the check).
In practice, businesses often keep:
- a copy of the relevant document(s) (for manual checks), or
- a PDF/screenshot of the online check result page (for online checks),
- and/or the IDSP result/report (for IDSP checks),
- plus a short note confirming the date the check was completed.
Because these records include personal data (and often sensitive identifiers), you should store them securely and only allow access to those who genuinely need it (for example, HR or the person responsible for onboarding).
UK GDPR And Data Protection Basics For Employers
Right to work evidence contains personal data, so your handling of it needs to align with the UK GDPR and the Data Protection Act 2018. A few practical principles to follow:
- Data minimisation: only collect what you need for the check - don’t take unnecessary extra documents “just in case”.
- Security: store copies in a secure HR folder or HR system, not in a shared drive accessible to the whole team.
- Retention: as a general rule, keep right to work check records for the duration of employment plus 2 years, then securely delete them.
- Transparency: tell staff (and candidates, where relevant) how you handle their personal data.
For many small businesses, this is a good moment to ensure you have the right internal privacy documentation in place - for example, an employee privacy notice (or staff privacy notice) and clear HR data handling practices that match what you actually do day-to-day.
Common Mistakes Employers Make (And How To Avoid Them)
Most right-to-work issues don’t happen because an employer doesn’t care. They happen because a business is busy, hiring quickly, and trying to do the right thing without a clear process.
Here are some of the most common pitfalls we see - and the simple ways to avoid them.
1) Checking Too Late
If you let someone start before you complete the check, you’re immediately exposed.
Fix: build the check into your onboarding workflow as a hard gate before day one.
2) Accepting The Wrong Evidence (Or Not Checking It Properly)
It’s easy to assume that “a document that looks official” is good enough. It isn’t. The Home Office is particular about what is acceptable, what combinations are valid, and when the online service must be used.
Fix: train whoever does onboarding in your business and ensure they know what a compliant check involves (obtain, check, copy, record date - or use the correct online/IDSP route where required).
3) Inconsistent Checks (Discrimination Risk)
If you only check someone’s right to work when they “seem foreign”, you can create serious legal risk. Right to work checks should be applied consistently to avoid discrimination claims.
Fix: check every successful candidate the same way, at the same point in the hiring process.
4) Poor Record Keeping
Even if you did the check correctly, it won’t help you if you can’t evidence it later.
Fix: store copies centrally, record the date of the check, and restrict access to the records.
5) Forgetting Follow-Up Checks
For time-limited permissions, forgetting a follow-up check can undo the protection you thought you had.
Fix: diarise expiry dates and set multiple reminders well in advance.
6) Confusing Right To Work Checks With Other Checks
Right to work checks are not the same as reference checks, DBS checks (where relevant), or general screening. You may choose to do other screening depending on your role and sector, but you should avoid collecting excessive personal information that you don’t actually need.
If you’re looking at broader hiring checks, it’s a good idea to understand the compliance boundaries around free background checks so your recruitment process stays both lawful and proportionate.
Key Takeaways
- You must check someone’s right to work before they start working, and you should apply the same process consistently across hires.
- There are recognised routes: online checks (share code), manual checks (eligible original documents), and IDSP digital checks (for eligible British and Irish passport holders) - the correct method depends on the person’s status and documents, and sometimes the online service is mandatory.
- A compliant check isn’t just “looking at a passport”; it’s a process: obtain evidence via the correct route, verify identity and permissions, and keep clear dated records.
- If an employee has time-limited permission to work, you’ll need follow-up checks before expiry to maintain protection.
- Right to work records include personal data, so store them securely, keep them (generally) for the duration of employment plus 2 years, and handle them in line with UK GDPR and the Data Protection Act 2018.
- Strong hiring foundations (including a clear Employment Contract and well-run onboarding) reduce the chance of compliance steps being missed when you’re busy.
If you’d like help getting your hiring process right - including right to work processes, onboarding documents, and employment paperwork - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.
