UK Employers: Prepare for Digital Work Checks
On January 15th 2026, the Parliamentary Secretary to the Cabinet Office stood in the House of Commons and said six words that every UK employer needs to hear. There will be checks, they will be digital and they will be mandatory. That is not a consultation. It is a statement of government intent. The question for your organisation is not whether digital Right to Work checks are coming. The question is whether what you are doing right now will actually meet the standard when they do.
GPG45 is the government's framework for digital identity verification. For years it existed as guidance that organisations were encouraged to follow. That changed on 5th February 2026 when major provisions of the Data Use and Access Act 2025 came into force, placing the Digital Identity and Attributes Trust Framework on a statutory footing. Three weeks later, on 26th February 2026, HM Treasury and the Department for Science, Innovation and Technology published guidance making one thing explicitly clear. Only certified Identity Service Providers meet the compliance standard. Everything else does not.
This guide explains what GPG45 is, what it requires, what has changed in 2026 and what every UK employer and business owner needs to do about it now.
Table of Contents
- What GPG45 Actually Is
- The Five Dimensions of Identity Verification
- The Three Confidence Levels and Why Medium Matters
- How the DUAA 2025 Changed Everything
- The IDSP Rule Most Employers Are Getting Wrong
- Section 48 of the Border Security Act 2026
- Digital Right to Work: Mandatory by End of Parliament
- What This Means for Business Owners
- What to Do Right Now
What GPG45 Actually Is
GPG45 stands for Good Practice Guide 45. It is the UK government's framework for how identity verification should be carried out. It was developed jointly by public and private sector representatives and sets out the standards organisations must meet when verifying that a person is who they say they are.
The important thing to understand about GPG45 is that it does not tell you which specific tool or platform to use. It sets out the outcome you need to achieve and the evidence you need to gather. What matters is not the method. What matters is whether the verification meets the required level of confidence.
For most employers GPG45 comes into the picture in three main contexts. Digital Right to Work checks. DBS identity verification. And digital identity checks more broadly under the DUAA 2025 framework. The rules across each context share the same underlying principles, but the specific requirements differ in important ways that every employer needs to understand.
The Five Dimensions of Identity Verification
GPG45 assesses identity evidence across five dimensions. Understanding what these are matters because they determine whether the verification your organisation is carrying out actually meets the standard or simply appears to.
The first dimension is Strength. This concerns the type of document or evidence being used. A current biometric passport scores higher than a driving licence. The stronger the document, the stronger the starting point for the verification.
The second is Validity. This asks whether the document is genuine, unaltered and currently valid. It is not enough for a document to look right. GPG45 requires that you have assessed whether it actually is.
The third is Identity Fraud. This dimension looks at whether there are indicators that the identity has been stolen or compromised. A certified Identity Service Provider will check the identity against fraud databases as part of this assessment. This is directly relevant to the growing threat of AI generated documents and deepfake identity fraud, which we have covered in detail separately.
The fourth is Activity History. This looks at whether the claimed identity has a history consistent with a real person. Addresses, financial history and other verifiable markers that the identity is genuine rather than synthetic.
The fifth is Verification. This is the confirmation that the person presenting the identity is the same person the identity belongs to. For Right to Work checks this means the employer confirming that the person who arrives for work matches the identity verified by the provider.
Meeting GPG45 means satisfying each of these five dimensions to the required standard for the confidence level you are trying to achieve.
The Three Confidence Levels and Why Medium Matters
GPG45 sets out three levels of confidence. Low, Medium and High. Each requires a different combination of evidence and process to achieve.
For Right to Work verification, the Home Office requires checks to meet at least Medium Level of Confidence. This is not a recommendation. If your digital check does not meet Medium confidence it will not give you a statutory excuse against a civil penalty if something goes wrong.
Medium confidence requires evidence from multiple dimensions meeting specified thresholds. A document scan alone, without the fraud and activity history checks, will not achieve it. This is one of the most common gaps between what employers think they are doing and what the framework actually demands.
High confidence goes further. It is required for some regulated sectors and certain types of DBS check. Understanding which level applies to your organisation and whether your current process actually achieves it is the starting point for any compliance review.
Our GPG45 Identity Verification Decision Log, which is Toolkit 13 inside your Vetting Hub platform, gives you a practical working framework for recording and evidencing your assessments at the correct confidence level for every check you carry out.
How the DUAA 2025 Changed Everything
The Data Use and Access Act 2025 received Royal Assent on 19th June 2025. Its provisions have been coming into force in stages. On 5th February 2026, a significant tranche of provisions entered into force.
The single most important change for employers thinking about digital identity verification is this. The Digital Identity and Attributes Trust Framework, previously a voluntary framework that organisations were encouraged to follow, is now on a statutory footing. It is no longer guidance you might choose to follow. It is the legal framework within which compliant digital identity verification sits.
On 26th February 2026, HM Treasury and the Department for Science, Innovation and Technology published updated guidance on using digital identities with the Money Laundering Regulations. The guidance drew a clear line with implications beyond the financial sector. Only certified Identity Service Providers, certified against the Digital Identity and Attributes Trust Framework, meet the standard required for compliant digital identity verification. Informal checks, unregulated platforms and in-house processes that do not align with the Trust Framework cannot provide the same level of regulatory assurance.
More significant changes under the DUAA are scheduled for Stage 3 in 2026, and complaints handling procedures will be required by June 2026. The window to get compliant processes in place is narrowing.
The IDSP Rule Most Employers Are Getting Wrong
An Identity Service Provider, or IDSP, is an organisation certified against the UK government's Digital Identity and Attributes Trust Framework to carry out digital identity verification. Not every organisation offering digital identity checks is a certified IDSP. This distinction is one of the most important and least understood aspects of digital Right to Work compliance.
For DBS checks, using a certified IDSP is already a requirement. You cannot complete digital DBS identity verification without one.
For digital Right to Work checks, using a certified IDSP is currently strongly recommended but not yet a legal requirement. However the practical consequence of not using one is this. Only a check carried out using a certified IDSP meeting at least Medium Level of Confidence under GPG45 will give you a statutory excuse against a civil penalty if you are found to have employed someone without the right to work.
You can carry out a digital check without a certified IDSP. But if it goes wrong, you have no statutory defence to fall back on.
The practical message for employers and business owners is straightforward. Check that the provider you are using is on the official certified IDSP list published by the government. If they are not on that list, you do not have the protection you believe you have.
We have written a detailed breakdown of the key differences between manual and digital identity checking approaches that covers how these standards apply across different verification methods.
Course 9 inside your Vetting Hub platform, Digital Identity Verification: GPG45 and DUAA 2025, walks through exactly how to assess your current provider and what questions to ask before committing to any digital verification process.
Section 48 of the Border Security Act 2026
This is the development that most UK employers have not yet fully understood, and it may be the most significant change coming later this year.
Section 48 of the Border Security Act extends Right to Work check responsibilities to all work models. Contractors, freelancers, gig economy workers and people providing services through third parties will come within the scope of Right to Work obligations in a way they previously have not.
The second change is shared liability across the chain. Under the Border Security Act, all organisations involved in the engagement of a worker, including the end client, may find themselves with shared liability if a Right to Work check was not carried out properly somewhere in the chain. If the recruitment agency or umbrella company you use fails to carry out a compliant check, the liability does not remain only with them. It can reach you.
For business owners who use contractors and rely on agencies to handle their Right to Work checks, this changes the risk calculation entirely. You will no longer be able to assume that compliance sits with the agency.
Our post on the specific risks of agency Right to Work arrangements covers this in more detail and is essential reading alongside this guide.
Digital Right to Work: Mandatory by End of Parliament
In September 2025, the government confirmed that digital Right to Work checks will be mandatory by the end of this Parliament. In January 2026, the Parliamentary Secretary to the Cabinet Office confirmed in the House of Commons: "There will be checks, they will be digital and they will be mandatory."
In March 2026, the government published a consultation on plans for a national digital ID scheme. The direction of travel is clear. The legislative groundwork is being laid. And the timeline runs to 2029 at the latest.
For those whose Right to Work process still relies heavily on paper documents and manual checks, this is not a distant future consideration. The government has also confirmed that the current paper-based system, and the absence of any central record of checks taking place, is precisely what they are trying to fix. Digital checks will create an audit trail. That audit trail will make enforcement easier and more frequent.
There have also been important changes in March 2026 to Right to Work rules for asylum seekers who have waited 12 months or more for a decision, allowing them to work in skilled occupations at RQF level 6 or above. Any organisation that employs individuals in this category needs to ensure its checking process reflects the latest guidance.
If you need the full picture on your Right to Work obligations including manual checks, eVisa procedures and the BRP phase out, our complete Right to Work employer guide covers every element. We also have a dedicated post covering the BRP phase out, Right to Work and eVisa changes in full detail.
What This Means for Business Owners
Everything covered in this guide applies to HR managers and compliance specialists. It applies equally to business owners, operations directors and everyone responsible for taking on staff, contractors or service providers.
You do not need to be a compliance professional to face the consequences of getting this wrong. Civil penalties for Right to Work failures reach £45,000 for a first breach and £60,000 for a repeat breach. Criminal liability, reputational harm and Home Office enforcement action are all real outcomes, regardless of the size of your organisation.
Most business owners handling their own hiring have never heard of GPG45. They may be using a digital tool to check someone's identity and assuming that is sufficient. In many cases it is not. The tool may not be a certified IDSP. The check may not meet Medium confidence. There may be no documented evidence of how the check was carried out. Any one of these gaps removes the statutory excuse you thought you had.
This is not about adding complexity to your business. It is about making sure that the process you already have in place actually delivers the legal protection it is supposed to deliver.
What to Do Right Now
There are five practical steps every UK employer should take now.
First, check whether your digital identity verification provider is on the government's certified IDSP list. If they are not, your checks may not be giving you the protection you believe they are.
Second, confirm that your digital Right to Work process is meeting at least Medium Level of Confidence under GPG45. This means verifying that your provider is assessing all five dimensions, not just scanning documents.
Third, document every check. The date, the provider used, the outcome and the likeness confirmation you carried out before the person started work. Evidence of a compliant process is what protects you when something is challenged.
Fourth, review your contractor and agency arrangements now, before Section 48 of the Border Security Act comes into force. Understand where the liability sits in your supply chain and make sure the checks being carried out on your behalf meet the required standard.
Fifth, brief the people in your organisation who handle onboarding and make hiring decisions. They need to know what a compliant check looks like and what the consequences of a non-compliant one are.
Our GPG45 Identity Verification Decision Log, Toolkit 13 inside your Vetting Hub platform, gives you a practical working document for recording and evidencing every digital identity check in a format that is immediately useful for any audit or inspection.
If you want your whole team to understand this properly from the ground up, Course 9 in your Hub, Digital Identity Verification: GPG45 and DUAA 2025, covers everything from the five dimensions to the confidence levels, the IDSP requirements and the practical steps your organisation needs to take. Every team member who completes it earns an automatically issued CPD certificate that becomes part of your audit-ready compliance record.
Conclusion
GPG45 is no longer background knowledge for compliance specialists. It is the legal framework against which your digital identity verification process will be measured. The DUAA 2025 gave it statutory force. The Border Security Act 2026 is expanding the scope of who it applies to. The government has confirmed digital Right to Work checks will be mandatory within this Parliament. And the window to get compliant processes in place is getting shorter.
The organisations that will navigate this well are the ones that understand what GPG45 actually requires, have compliant processes in place and can evidence them. That is not a complicated standard to meet. But it does require knowing what you are measuring against.
If you would like to see how the Vetting Hub platform gives your organisation everything it needs to get this right, book a free 30 minute demonstration and we will walk you through exactly what your organisation gets from day one.
