Compliance Guide

Right-to-Work Checks: What UK SMEs Need to Know in 2026

Hire someone without a valid right-to-work check and the civil penalty starts at £45,000 per worker - £60,000 for a second offence. This guide walks UK SMEs through the three check methods, when each applies, and the records you have to keep for two years.

Published 10 June 2026 · 9 min read · Every claim sourced

Get this wrong and the civil penalty starts at £45,000 per worker

On 13 February 2024 the Home Office raised the civil penalty for employing someone without a valid right to work to a maximum of £45,000 per worker for a first breach and £60,000 per worker for a repeat breach within three years - a threefold increase from the previous £15,000 / £20,000 figures. The new figures are set out in the statutory Code of practice on preventing illegal working and remain in force in 2026.

If you are an SME founder hiring your first non-British employee, or an HR manager processing a few new starters a month, the rules have changed enough in the last 24 months that "I checked their passport once" is no longer a defence. Biometric residence permits are gone. eVisas and share codes have replaced them. Certified digital identity providers (IDSPs) now sit alongside manual checks. And the financial exposure if you get it wrong has tripled.

This guide is the clean walkthrough.

The basics: what the Home Office requires

Every employer in the UK must establish that a prospective employee has the right to do the work in question before their employment begins. The current guidance applies to all checks conducted on or after 12 February 2025 and is set out in the Employer's guide to right to work checks.

A correctly completed check gives the employer what the Home Office calls a statutory excuse: if the worker turns out not to have the right to work, but you carried out the prescribed check correctly, you are protected from the civil penalty. Without that excuse, the penalty applies whether or not you knew. (Employer's guide, 26 June 2025)

The Home Office has also published statutory guidance on the three-step process every check must follow:

  1. Obtain original documents from the prescribed list - or, if appropriate, conduct an online or digital check.
  2. Check the documents are genuine, valid, and that the person presenting them is the rightful holder.
  3. Copy the documents in an unalterable format and retain the copy securely for the duration of employment plus two years.

Skip any one step and the statutory excuse falls away.

The three check methods

There are three legal ways to complete a right-to-work check in 2026, and which one you use depends entirely on who you are hiring.

1. Manual document check

This is the original method: the worker hands you original documents from List A or List B, you physically examine them in their presence (or by live video link while holding the originals), and you take and retain a clear copy. List A documents (such as a current or expired British passport, or an Irish passport / passport card) give a continuous statutory excuse - no follow-up check required. List B documents (such as a time-limited work or student visa) give a time-limited excuse and require a follow-up check before the permission expires. (Right to work checklist)

One important 2025 update: biometric residence cards and permits are no longer acceptable for manual checks, and a clipped British or Irish passport is treated as cancelled and is not acceptable. (Employer's guide, 26 June 2025)

2. Home Office online share-code check (eVisa)

If the applicant holds an eVisa - the digital immigration status that replaced the BRP - or has settled or pre-settled status under the EU Settlement Scheme, they generate a 9-character share code at gov.uk/prove-right-to-work. The share code is valid for 90 days from the moment it is generated and can be used as many times as the holder needs in that window. (Prove your right to work to an employer, eVisa share code guidance)

The employer enters the share code and the applicant's date of birth at gov.uk/view-right-to-work. The Home Office service returns the work the applicant is allowed to do and any time limit. You print or save the profile page (including the date of the check), retain it for the same two-year-plus period, and you have a statutory excuse. (Check a job applicant's right to work: use their share code)

Anyone issued immigration status after BRP rollout is "online-only": they cannot prove right to work with a physical card any longer, and you cannot accept one even if they offer it. (eVisa guidance)

3. Digital IDSP / IDVT check

For British and Irish citizens holding a valid passport (current or expired), employers can use a certified Identity Service Provider (IDSP) to carry out the check digitally using Identity Document Validation Technology (IDVT). The applicant uploads a photo of their passport and a selfie via the IDSP's app; the IDSP verifies the document and biometric match and returns a verification report. (Digital identity certification for right to work, right to rent and criminal record checks) This is the only method that does not require an in-person or live-video meeting and is the de-facto standard for remote-first SMEs.

Which check applies when

A quick decision tree for your most common hires:

  • British or Irish citizen - use a manual passport check or a certified IDSP digital check. The online share-code service is not available to British and Irish nationals. (Checking a job applicant's right to work)
  • EU / EEA / Swiss citizen with settled or pre-settled status - use the Home Office online share-code service. Pre-Brexit blue passports and EU national ID cards are no longer acceptable on their own. (EU Settlement Scheme right to work)
  • Non-EU national on a Skilled Worker, Health and Care Worker, or other sponsored visa - use the Home Office online share-code service. You will also need a sponsor licence and a Certificate of Sponsorship to employ most of these workers in the first place. (Workers and Temporary Workers sponsor guidance)
  • Student visa holder taking term-time work - use the share-code service. The Home Office profile will show the term-time hours limit (usually 20 hours per week during term, full-time outside term). Recording these limits in writing is part of your statutory excuse. (Employer's guide, 26 June 2025)
  • Anyone with a pending Home Office application - request a Positive Verification Notice from the Employer Checking Service. The notice gives a six-month statutory excuse. (Employer Checking Service)

The IDSP option in detail

The Home Office maintains the list of certified IDSPs through the UK Digital Verification Services Trust Framework. The framework moved to version 1.0 in 2026 and the live register is published via the Office for Digital Identities and Attributes (OFDIA). Long-standing certified IDSPs include Yoti, TrustID, Post Office EasyID, and Onfido. Always check the live published list before signing a contract; certification has a defined expiry date. (Digital identity certification)

An IDSP check typically costs £3 to £8 depending on provider and volume, runs in 5-10 minutes, and produces a PDF verification report you store alongside the employee record. One important caveat: the IDSP route is only for British and Irish citizens. For everyone else you still need the online share-code service.

Civil penalty exposure (2024-2026 figures)

The numbers from the 13 February 2024 statutory Code of Practice:

  • First breach: up to £45,000 per illegal worker (raised from £15,000)
  • Repeat breach within three years: up to £60,000 per illegal worker (raised from £20,000)
  • Criminal offence of knowingly employing someone without the right to work: up to five years' imprisonment plus an unlimited fine (s.21 Immigration, Asylum and Nationality Act 2006, as amended)

These are maximums: the Home Office discounts the penalty for mitigating factors such as reporting a suspected illegal worker, co-operating with enforcement, and having "effective document checking practices" in place. A starting penalty of £45,000 can fall to around £30,000 with full mitigation on a first offence. (Code of practice)

Record-keeping: two years after employment ends

The Home Office requires you to keep a clear, unaltered copy of every document or online check for the duration of the employee's employment and for two years after they stop working for you, then destroy the copy securely. (Checking a job applicant's right to work)

Acceptable formats include scanned PDFs or photocopies that cannot be edited after the fact. For passports you must copy any page showing the document expiry date, holder's photograph, nationality, date of birth, signature, biometric details, and any visa endorsement. For share-code checks you save the profile page returned by the Home Office service, including the date the check was performed. The cover page of a British passport no longer needs to be copied as of the February 2025 update. (Employer's guide, 26 June 2025)

Two GDPR considerations:

  1. Storage limitation (Article 5(1)(e) UK GDPR). You can lawfully retain right-to-work copies for the two-year window because it is required by the Home Office to evidence the statutory excuse. After two years, securely delete. The ICO's guidance on keeping employment records confirms employers must set retention periods and dispose of records when no longer needed.
  2. Lawful basis. "Legal obligation" (Article 6(1)(c)) is the appropriate basis for the right-to-work copy itself. Document this in your privacy notice and your Record of Processing Activities (ROPA).

Three common mistakes

Mistake 1: Accepting a biometric residence permit (BRP) in 2026. BRPs were phased out at the end of 2024 and although some workers can still travel on an expired card, employers cannot accept a BRP as right-to-work evidence. Use the share-code service instead. (Biometric residence permits)

Mistake 2: Doing the check after the start date. The check must be completed before the employee starts work. A check done in week two is too late: you have lost the statutory excuse for the days they worked uncovered, even if you discover they are fully eligible. (Employer's guide, 26 June 2025)

Mistake 3: Forgetting the follow-up. For workers on time-limited permission (List B / temporary visas), you must repeat the check before the expiry date. Diarise it the day you complete the first check. The Home Office's civil-penalty inspectors target lapsed follow-ups precisely because they are the most common compliance failure. (Right to work checklist)

Closing thought

Right-to-work compliance is a workflow problem dressed up as a legal one. The rules are not complicated - the three check types fit on a postcard - but the cost of one missed check has tripled in 24 months and the operational discipline required to do this consistently across every new hire is more than most SMEs realise until they are audited.

A modern HR portal that captures the document, records the check method, time-stamps the verification, sets the two-year deletion clock, and reminds you of expiring visas removes most of the risk. WagePerks' HR Management and Document Management modules do exactly that - and they sit alongside the rota, payslip, and onboarding tools your team already needs. If you want to see how it works for your team, book a 20-minute demo or look at the WagePerks SME solution.

See WagePerks in 20 minutes

Eleven modules at £4.50 per employee per month. White-label included. Rolling monthly — cancel any month.

Book a demo

More guides from WagePerks

All guides

Sourced UK SME guides covering pricing, contracts, compliance, and HR essentials.

Browse the library →

Compare 28 platforms

Seven WagePerks-vs-X pages plus 21 head-to-head competitor comparisons. All sourced.

Open the comparison hub →

Savings calculator

ONS-sourced methodology, conservative midpoint £270 per employee per year. Try it on your team.

Run the numbers →