
RTW Checks and Data Protection: What You Can (and Can't) Keep

Certifyd Team

A medium-sized care provider in Essex conducts right to work checks diligently. Every passport is photocopied, every share code result is printed, every visa page is scanned. The HR manager stores these documents in a shared drive folder labelled "RTW Docs," accessible to the entire management team. Files are never deleted — the logic being "better to keep everything, just in case."

In 2025, a former employee submits a Subject Access Request. The data protection officer discovers that the shared drive contains passport copies, visa details, and biometric information for 340 current and former workers — including 58 people who left the organisation more than three years ago. The retention policy exists on paper. Nobody follows it. The ICO takes an interest.

Right to work compliance and data protection compliance are not separate obligations. They intersect directly, and getting one right while ignoring the other creates a different kind of legal exposure.

The tension between two legal regimes

Right to work checks require employers to collect, verify, and retain personal data. The Home Office employer's guide specifies that employers must keep a copy of documents checked, together with a record of the date the check was conducted. This retention is necessary to maintain a statutory excuse.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 impose strict requirements on how personal data is collected, processed, stored, and deleted. The core principles include purpose limitation (data collected for one purpose cannot be used for another), data minimisation (collect only what is necessary), storage limitation (do not keep data longer than needed), and security (protect data against unauthorised access).

These two regimes create a direct tension. Immigration compliance says: keep copies of everything you checked. Data protection says: keep only what you need, for as long as you need it, and no longer.

Navigating this tension requires understanding exactly what you must keep, for how long, and under what conditions.

What you must keep

The Home Office guidance specifies the minimum records required to maintain your statutory excuse.

For manual checks (inspecting original documents):

  • A clear copy of every document inspected. For passports, this means the front cover, the photo page, and any pages containing visa endorsements, stamps, or other relevant information.
  • A record of the date the check was conducted.
  • A record of who conducted the check (name and role).

For online share code checks:

  • A printed or saved copy of the result page from the Employer Checking Service, showing the individual's photograph, their immigration status, and any conditions on their right to work.
  • The share code used and the date of the check.

For IDSP (digital identity) checks:

  • The verification result from the certified Identity Service Provider, confirming the individual's identity was verified, together with the date.

These records constitute the evidence of your statutory excuse. Without them, you cannot demonstrate that a compliant check was conducted.

What you must not keep

Here is where employers routinely overcollect.

Full biometric data. Some employers scan entire BRPs — including the chip data and biometric information encoded on the card. This is unnecessary. A clear copy of the front and back of the BRP is sufficient. Extracting or retaining biometric data (fingerprint templates, facial recognition data) from identity documents goes beyond what is needed for right to work compliance and creates a significant data protection liability.

Additional documents not required for the check. If a worker provides their passport and a utility bill to prove their address, only the passport copy is needed for right to work purposes. The utility bill should not be retained in the right to work file. Keeping unnecessary documents increases your data footprint without improving your statutory excuse.

Notes about immigration status beyond what the check revealed. Recording factual outcomes — "right to work confirmed, unrestricted" or "Skilled Worker visa, expires 15 March 2027" — is appropriate. Recording subjective assessments about the worker's immigration history, speculations about their status, or information volunteered during the check that is not relevant to the right to work outcome is not appropriate and may constitute processing of data without a lawful basis.

Multiple copies. One secure, accessible copy of each document is sufficient. Keeping copies in the HR file, the manager's drawer, the shared drive, and the email archive creates multiple data protection exposures without improving compliance.

How long to keep records

The retention period for right to work records is prescribed by immigration law and is straightforward.

During employment: You must retain the records for the entire duration of the person's employment. This is uncontentious — you need the records to demonstrate ongoing compliance.

After employment ends: You must retain the records for two years after the end of employment. The Home Office specifies this period as the window during which enforcement action may be taken and during which you may need to demonstrate your statutory excuse.

After the two-year post-employment period, the legal basis for retention expires. The records should be securely destroyed. Continuing to hold passport copies and visa details for former employees beyond this period is a data protection risk without a compliance benefit.

The ICO's guidance on retention periods is clear: personal data must not be kept for longer than is necessary for the purposes for which it was processed. Once the two-year post-employment retention period ends, the right to work data is no longer necessary, and its retention becomes a data protection compliance issue rather than an immigration compliance safeguard.

Secure storage requirements

The UK GDPR requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.

For right to work records — which contain passport numbers, visa details, photographs, and potentially biometric information — this means:

Access control. Not everyone in the organisation needs access to right to work records. Access should be limited to those with a legitimate need: HR administrators, compliance officers, and — if necessary — senior managers. A shared drive accessible to the entire company is not appropriate.

Encryption. Digital copies of identity documents should be encrypted at rest and in transit. This means the files themselves should be encrypted on the storage system, and any transmission of these files (for example, to an auditor or compliance officer) should be via encrypted channels.

Physical security. If you retain paper copies — which is increasingly rare but still common in smaller businesses — they should be stored in a locked cabinet with controlled access, not in an open filing area.

Audit logging. You should be able to demonstrate who accessed right to work records and when. This is both a data protection requirement (accountability principle) and an immigration compliance benefit — if a document is altered or lost, you need to know when and by whom.

Destruction. When records reach the end of their retention period, they must be securely destroyed. For digital records, this means permanent deletion from all storage locations, including backups. For paper records, this means shredding, not simply placing in a recycling bin.

Subject Access Requests

Under the UK GDPR, any individual has the right to request a copy of the personal data you hold about them. This includes right to work records.

If a current or former employee submits a Subject Access Request (SAR), you must provide copies of any right to work data you still hold within one month. This includes passport copies, visa records, share code verification results, and any notes or records associated with their right to work check.

This is where poor data hygiene becomes visible. If you are holding records for former employees beyond the two-year retention period, a SAR will reveal this. If you are holding unnecessary data (biometric extracts, subjective notes, duplicate copies in multiple locations), a SAR will reveal this too.

The ICO has the power to investigate data protection practices following a SAR complaint. A pattern of over-retention or poor data security can result in enforcement action, including fines of up to £17.5 million or 4% of annual turnover — dwarfing even the most severe immigration penalty.

The practical challenge for multi-site businesses

For businesses with multiple locations, the data protection challenge around right to work records multiplies. Each site may conduct its own checks, create its own copies, and store records in its own systems. The result is fragmented data across multiple locations, with inconsistent retention practices and variable security standards.

A national care provider with 30 sites may have right to work records stored in 30 different offices, 30 different shared drives, and 30 different filing cabinets. Some sites may follow the retention policy. Others may not. Some may use encrypted storage. Others may use an unlocked drawer.

Centralising right to work records — storing them in a single, secure, access-controlled system rather than distributing them across sites — addresses both the immigration compliance need (audit-ready records that can be produced quickly) and the data protection need (consistent security, controlled access, enforceable retention).

GDPR-compliant right to work processes

A compliant process addresses both regulatory regimes simultaneously.

1. Collect only what is needed. At the point of the check, collect the documents required for a statutory excuse and nothing more. Do not ask for documents that are not on the acceptable list. Do not copy documents that are not required.

2. Use the correct lawful basis. The lawful basis for processing right to work data is legal obligation (Article 6(1)(c) UK GDPR) — you are required by immigration law to conduct the check and retain the records. This is straightforward, but it must be documented in your privacy notice and data processing records.

3. Inform the individual. Your privacy notice should explain that you collect right to work data, why you collect it, how long you retain it, who has access to it, and the individual's rights regarding their data. This should be provided at the point of the check, not buried in a 40-page employee handbook.

4. Store securely with access controls. As described above: encrypted, access-controlled, audit-logged, and physically secured if paper-based.

5. Apply retention consistently. Set an automated process to flag records that have reached the end of their retention period (two years post-employment). Review and securely destroy them. Do not wait for a Subject Access Request or an ICO investigation to discover that you are holding data you should have deleted years ago.

6. Respond to SARs promptly. Have a process in place to locate and compile right to work data within the one-month SAR response window. If your records are scattered across multiple systems and locations, this becomes a significant operational challenge.
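As an added illustration of steps 1 and 5 (and of the two-year post-employment rule from "How long to keep records"), here is a small retention and data-minimisation review over a set of right to work records. It is example code written for this article, not part of Certifyd's portal; the record type names and the sample workers are constructed assumptions.

```python
"""Retention and data-minimisation review for right to work (RTW) records.

Encodes two rules from the article: hold only the record types that evidence
the statutory excuse, and hold them no longer than employment plus two years.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Record types that evidence the statutory excuse (assumed labels; see the
# article's "What you must keep"). Anything else (biometric extracts, utility
# bills, subjective notes, duplicates) has no purpose in the RTW file.
REQUIRED_TYPES = {"passport_copy", "brp_copy", "share_code_result", "idsp_result"}
POST_EMPLOYMENT_YEARS = 2


@dataclass
class RtwRecord:
    worker_id: str
    record_type: str
    employment_end: Optional[date]  # None while the worker is still employed


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: RtwRecord) -> Optional[date]:
    """Last date on which the legal basis for holding the record still applies."""
    if record.employment_end is None:
        return None  # still employed: retain for the duration of employment
    return add_years(record.employment_end, POST_EMPLOYMENT_YEARS)


def review_record(record: RtwRecord, today: date) -> str:
    """Classify one record as 'retain', 'destroy' or 'overcollected'."""
    if record.record_type not in REQUIRED_TYPES:
        return "overcollected"  # never needed for the statutory excuse: remove now
    end = retention_end(record)
    if end is not None and today > end:
        return "destroy"  # two-year post-employment window has passed
    return "retain"


def review_records(records: List[RtwRecord], today: date) -> Dict[Tuple[str, str], str]:
    """Map (worker_id, record_type) to its review outcome for the whole file."""
    return {(r.worker_id, r.record_type): review_record(r, today) for r in records}


SAMPLE_RECORDS = [  # constructed sample data, not real workers
    RtwRecord("W001", "passport_copy", None),
    RtwRecord("W002", "passport_copy", date(2021, 6, 30)),
    RtwRecord("W003", "share_code_result", date(2024, 3, 1)),
    RtwRecord("W004", "biometric_extract", None),
    RtwRecord("W005", "utility_bill", date(2024, 1, 1)),
]

if __name__ == "__main__":
    for key, outcome in review_records(SAMPLE_RECORDS, date(2025, 1, 15)).items():
        print(key, outcome)
```

Run on a schedule, the "destroy" and "overcollected" outcomes are the work queue for step 5; the review deliberately keeps a record on the final day of its window and only flags it the day after.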

The regulatory direction

The ICO and the Home Office operate in separate regulatory spheres but their requirements converge on the same data. Employers sit at the intersection, required to collect and retain data by one regulator while being constrained in how they handle that data by another.

The direction of travel is towards digital-first processes that address both requirements by design. Digital verification creates a precise, auditable record of exactly what was checked, when, and by whom — without the need to hold physical copies of sensitive documents. Automated retention management ensures records are destroyed on schedule. Access controls are built into the system rather than relying on human discipline.


Certifyd's Right to Work Portal is built with data protection at its core — automated retention management, encrypted storage, role-based access controls, and full audit logging. You get the compliance records you need for your statutory excuse, stored in the way the ICO expects, destroyed on schedule without manual intervention.