Digital onboarding in the UK covers two distinct compliance tasks: identity verification (including right-to-work checks via certified Identity Service Providers or the Home Office share-code service) and first-day workflow automation (contract signing, payroll setup, policy acknowledgement). Since April 2022, UK employers can verify British and Irish citizens digitally via IDSP-certified providers such as Yoti, Onfido, and HireRight. ICO guidance governs how identity data collected during onboarding must be stored and deleted.
Last reviewed May 2026
Digital onboarding has moved from a pandemic-era workaround to a permanent feature of UK employment practice. The Home Office's decision in April 2022 to permit certified digital identity verification for right-to-work checks fundamentally changed what employers can do remotely - but it also introduced a two-tier system that many HR teams are still navigating. This article separates the compliance layer (what the law requires) from the workflow layer (what good onboarding software automates) and explains the ICO's requirements for handling identity data collected during the process. For platform comparisons, see employee onboarding software. For the right-to-work check process specifically, see right-to-work checks UK.
The Two-Tier Digital Identity Framework
The UK's digital right-to-work regime distinguishes between two categories of worker. For British and Irish citizens who hold a valid passport (or Irish passport card), employers may use a certified Identity Service Provider (IDSP) to conduct a digital identity check. This creates a statutory excuse against a civil penalty if the IDSP is certified under the UK Digital Identity and Attributes Trust Framework and the employer follows the IDSP's process. The Home Office guidance on using IDSPs lists certified providers and sets out the required process.
For all other workers - those with a biometric residence permit, a biometric residence card, a UK Visas and Immigration (UKVI) status, or EU Settlement Scheme pre-settled or settled status - digital verification is conducted exclusively via the Home Office's online right-to-work checking service using a share code provided by the worker. Employers cannot use an IDSP for this group; attempting to do so does not create a statutory excuse. The share code is valid for 90 days from the date the worker generates it.
This distinction matters for platform selection. Some onboarding tools integrate only with IDSP providers and have no share-code workflow. Others handle the share-code process (by guiding the HR user to the correct GOV.UK URL) but do not integrate with any IDSP. Employers with a mixed workforce need a platform that handles both pathways or clear documented processes for each.
ICO Requirements for Identity Data Collected at Onboarding
Identity documents - passport scans, biometric residence permits, IDSP verification outputs - are personal data subject to UK GDPR. The ICO's guidance on keeping employment records applies in full. The key requirements that onboarding processes frequently breach are as follows.
Data minimisation: employers should collect and retain only what is necessary to demonstrate a compliant right-to-work check. A copy of the relevant document pages (plus the IDSP output or share-code check result) is sufficient. Storing full passport scans where a certified IDSP output already constitutes the statutory evidence is excessive and increases data breach risk without legal benefit.
Retention: the Home Office requires right-to-work check records to be kept for the duration of employment plus two years. After that period, the identity documents should be deleted, not archived indefinitely. Onboarding platforms must either enforce this automatically or provide tools to identify and delete records past their retention date.
Access controls: identity documents are sensitive personal data in practice even if they are not classified as special category data under UK GDPR. Access should be restricted to HR personnel with a documented need - not shared across all platform users. Any breach involving identity documents is likely to be reportable to the ICO under the 72-hour notification rule.
|
First-Day Workflow Automation: What Digital Onboarding Should Cover
Beyond identity verification, digital onboarding encompasses the administrative tasks that traditionally consumed a new hire's first morning. A well-configured onboarding workflow automates the following sequence, typically triggered by the offer acceptance event in an ATS or HR system.
Contract and written statement of particulars: under the Employment Rights Act 1996 (as amended by the Good Work Plan provisions that took effect April 2020), the written statement must be provided on or before day one. Electronically signed contracts delivered via a platform such as DocuSign, Adobe Sign, or a native HR tool e-signature module satisfy this requirement provided the worker can reliably access, read, and save the document. A signed copy should be stored in the employee's HR record with a timestamp.
Payroll setup: starter declaration (HMRC Starter Checklist replacing the P46), bank account details, and National Insurance number collection. These can be collected via a digital form before day one, enabling the payroll team to set up the employee record in advance. This is one of the highest-value automation steps - it removes the common scenario where a new employee's first payslip is delayed or incorrect because payroll data arrived late.
Policy acknowledgement: handbook receipt, IT acceptable use policy, data protection awareness, and any role-specific policies (for example, a conflict of interest declaration for finance roles). Digital acknowledgement with a timestamp creates an evidential record that is valuable in disciplinary proceedings.
System access provisioning: ideally triggered automatically from the HR system when the new hire record is marked as active. Integration between the HRIS and IT service management (e.g., via Microsoft Entra ID or Okta) removes the manual ticket-raising step and reduces the risk of access being provisioned after the employee's first day.
Selecting a Digital Onboarding Platform for UK Compliance
UK-specific compliance requirements narrow the shortlist for digital onboarding tools. The following criteria should be applied before any product demonstration.
Does the platform integrate with a certified IDSP, and which ones? Major certified IDSPs include Yoti, Onfido, HireRight, and Sterling. Integration quality varies - some HR platforms pass the check output as a PDF attachment to the employee record; others create a structured data entry with the verification result, document type, and expiry date queryable from the HR system.
Does the platform support the share-code workflow? At minimum, this means prompting the HR user to conduct the check via the GOV.UK online service and recording the outcome (date checked, checker's name, result) in a structured field. Better implementations present the GOV.UK URL in-platform and guide the user through recording the outcome in a structured form.
Where is onboarding data stored, and for how long? Check whether the platform applies automated retention rules or whether retention management is a manual task left to the HR team. Manual retention management is frequently neglected, resulting in identity documents being held indefinitely in violation of UK GDPR.
| Feature | Must-have | Nice-to-have |
|---|---|---|
| IDSP integration | Yes (for British/Irish citizens) | Multiple IDSP options |
| Share-code workflow | Yes (for non-British/Irish) | In-platform GOV.UK link |
| E-signature for contracts | Yes | DocuSign/Adobe Sign integration |
| HMRC starter checklist | Yes (digital form) | Auto-populates payroll system |
| Automated retention rules | Strongly recommended | ICO-aligned default periods |
FAQ
Can a UK employer conduct a fully digital right-to-work check for all workers?
No. Digital IDSP verification is available only for British and Irish citizens with a valid passport or Irish passport card. Workers with other immigration statuses must use the Home Office share-code system via the GOV.UK online checking service. Employers who apply IDSP checks to non-British/Irish workers do not obtain a statutory excuse.
Is an electronically signed contract legally binding in the UK?
Yes. Under the Electronic Communications Act 2000 and the eIDAS-derived UK framework, electronic signatures are legally valid for employment contracts. The key requirements are that the signatory intended to sign, and that the signed document is reliably linked to them. A platform-generated timestamp and audit trail satisfies this in practice for most employment law purposes.
How long must onboarding identity documents be kept?
The Home Office requires right-to-work check records - the copy documents or IDSP output - to be retained for the duration of employment plus two years. After that point, ICO guidance on data minimisation supports deletion. Retaining them indefinitely creates unnecessary data breach risk and is likely non-compliant with UK GDPR's storage limitation principle.
What is an IDSP and which ones are certified for UK right-to-work checks?
An Identity Service Provider (IDSP) is a certified third party that conducts digital identity verification on behalf of an employer. Certified providers include Yoti, Onfido, HireRight, and Sterling, among others. The Home Office publishes an updated list of certified IDSPs. Employers must use a provider that holds current certification under the UK Digital Identity and Attributes Trust Framework.
Does digital onboarding need to comply with ICO guidance even for small employers?
Yes. UK GDPR and the Data Protection Act 2018 apply to all organisations that process personal data, regardless of size. Small employers conducting digital onboarding collect identity documents, financial data, and potentially special category data (such as health information for sick pay purposes), all of which are subject to the full ICO framework.
How We Verified
This article draws on Home Office guidance on right-to-work checks and IDSP certification, ICO guidance on employment records and data protection, and CIPD resources on onboarding practice. Legislation was checked against current text on legislation.gov.uk. The IDSP certified provider list was reviewed against the Home Office's published register. Platform capability descriptions are based on publicly available product documentation as of May 2026. No vendor paid for inclusion in this article.
