I welcome our first panel of this second session on digital ID and right-to-work checks. The Committee started this inquiry in summer, before the Government’s announcements around digital ID and subsequent announcements. Working within the parameters of policy that may or may not be there, we are keen to understand how digital ID can help with right-to-work checks and what the opportunities and possible pitfalls are. I will let the panel introduce themselves, then we will go into questions.

Good morning, everyone. I am Alex Hall-Chen, the principal policy adviser for employment at the Institute of Directors. The IoD is a membership organisation representing 20,000 directors, senior business leaders and entrepreneurs across every sector and part of the UK.

Hi everyone, I am Joanna Hunt. I am an immigration lawyer. I am a partner and head of immigration at the law firm DAC Beachcroft. I specialise in business immigration and represent a whole host of different private and public sector organisations in respect of compliance and right to work.

Hello. I am David Crack, chairman of the Association of Digital Verification Professionals. I am also chairman of a DVS provider; we do right-to-work checks and are setting up a data co-operative in Wigan. The ADVP has the majority of registered digital verification providers as members. Collectively, we do 5 million right-to-work checks digitally every year, and 2 billion ID and age checks globally. We employ about 11,000 people in the UK and have attracted £0.5 billion of inward investment.

Thank you very much. We will start our questions with Lewis Atkinson.

Ms Hunt, by way of introduction, can you briefly explain employers’ current legal obligations to carry out right-to-work checks?

Sure. The right-to-work checking system has been around for decades, and for the last 20-odd years it has adapted and changed in that the penalties have become more draconian and the responsibilities that employers shoulder have become more onerous in many ways. The premise of the system is that an employer should carry out a right-to-work check before somebody starts work, to gain what we call a statutory excuse from the civil penalty. That means that, if it later emerges that a person does not in fact have the right to work in the UK, if the employer carried out the right-to-work check correctly and compliantly, it will be able to defend itself from a civil penalty. The way of carrying out right-to-work checks has changed. It has had to adapt. Ten years ago, the system was largely paper-based, and most right-to-work checks would be carried out with just a check of a person’s passport and a photocopy being taken. Now, with the advent of digital immigration status and eVisas, new methods have had to be found to carry out right-to-work checks. In 2019, the online right-to-work checking system was introduced; more colloquially known as the share code system, that is now used for checking eVisas. As we stand, an employer must choose one of three methods to carry out a right-to-work check, depending on the type of status or nationality of an individual. An employer can still carry out what we call a manual right-to-work check, which is paper-based, but that is now largely limited to British and Irish nationals, and certain people with paper-based immigration status documents. The employer can carry out the online right-to-work check that has been around for a few years, which is exclusively for those who have time-limited permission or eVisas. Then there is the new kid on the block from the right-to-work perspective, the digital verification service check, whereby for the first time an employer can use a third party to carry out right-to-work checks—that is your members, David. That will still give an employer the all-important statutory excuse that it needs to defend against the civil penalty. That is only available if it is used for British and Irish nationals. Hopefully, from that summary you have seen that we have quite a complicated system now, and it is a lot for an employer to juggle. The backdrop is that compliance action by the Home Office is increasing and the consequences are becoming more severe as well, with the increase in the civil penalty.

Thank you. In what circumstances does the Home Office have oversight of whether employers have carried out those checks?

Essentially, on a day-to-day basis, it is not unless they visit or audit a business. For an employer carrying out right-to-work checks, it is about ensuring that they have the audit trail if they are ever requested to demonstrate the right to work. That could come about particularly if an employer has a sponsor licence and employer-sponsored workers. Any company that holds a sponsor licence is at risk of a Home Office visit or audit at any time, when the Home Office can request that information or do a spot check to see it. For a business that does not have a sponsor licence the risk of getting an audit and a visit is greatly reduced, but it may increase depending on the sector it works in—the health and care sector is more at risk of Home Office compliance action, as well as hospitality and restaurants. Certain businesses may never encounter a Home Office visit, or have not for decades—if ever. One way that the Home Office is changing their approach is that they are now being a little more targeted in how they carry out compliance action, utilising methods such as data sharing with HMRC. At present, when somebody’s visa has expired, they are able to check data with HMRC and see quite clearly whether an employer has carried on employing somebody beyond their visa expiry date. They can then send the employer a civil penalty notice to say, “We believe this person has been employed illegally.” We are moving away from Home Office visits to more paper-based compliance action.

You talked about the triggers for an investigation by the Home Office, and I am sure that that is intelligence based. Is there a record of how many checks are done a year? Somebody may be employing a person who does not have a visa and is here illegally, so what checks are done on employers to see whether they are doing the checks? Obviously, it is a legal responsibility, but there is no duty to check whether employers are doing it. What triggers an investigation?

It will be intelligence-led. You potentially get tip-offs from people in the business or organisation to say they believe that there are illegal workers, and the Home Office will act on that intelligence. As I mentioned, the trigger can be data that they have gathered themselves from HMRC, where they can see that somebody has been employed illegally. It can be a stop check or a raid, so to speak, where they turn up at an address and check everybody at a building site or a car wash, and they find that people are working illegally. On a day-to-day basis, however, the Home Office does not have complete oversight over whether right-to-work checks are happening.

Are many employers potentially falling through the gaps and getting away with it?

It is hard for me to say. The employers that I work with tend to be much more community minded and are trying to do their very best in a complex system. I am sure that it is possible for businesses to decide not to do it.

The French say that the UK is an attractive place for illegal migrants to come and work, because, although the system is mandatory, there is no checking to see whether the right-to-work check has been carried out. Would you say that that is true?

I think it is much more complicated than that. There are other reasons why we may be an easier place to work illegally. Illegal working can be carried out in worker relationships that are not necessarily employment—the gig economy and things like that. A separate piece of legislation that passed last year will extend the remit of right-to-work checks beyond the employment relationship and to other forms of worker status. That is likely to make a difference, but it is hard to say whether that is the real, key issue, as there is no exact oversight of whether employers are carrying out right-to-work checks on a daily basis for each and every worker. What controls and manages the system—or the incentive in the system—is the fear of the penalty, and that penalty has increased. A few years ago, it was £20k per illegal worker, and it is now up to £60k per illegal worker. It is that penalty that acts as a deterrent and provides the impetus to abide by the rules of the system.

Do you have an idea of how often this fine of £60,000 is issued? Are thousands of people a year fined £60,000, or is it just an occasional thing?

That information is freely available; you can look it up on gov.uk. There is a list there of businesses that have received civil penalties—they are named and shamed, so to speak, and you can see it. There are definitely statistics showing how many civil penalties have been given—I don’t have those available but I can provide them—and those penalties are on the increase, significantly, from where they were, say, two or three years ago. We are seeing many more civil penalties being issued.

I want to ask a bit about the impact that right-to-work checks have. To my mind, there are three categories of people: there are the people who do the right-to-work checks and follow the rules, and that is great; there are the people who try to follow the rules but make mistakes because they are complicated; and there are the people who do not follow the rules and do not do right-to-work checks at all. I will start with you, Alex, and then open it up to the rest: what is the impact of right-to-work checks? How significant is the burden of compliance?

Of course, the vast majority of the members we have spoken to about this fall into the categories of either doing it entirely correctly or doing their absolute best in a system that can be quite complex. The short answer is that the impact varies. It seems that, in many cases, the system works fairly well in what I would term a more classic employment scenario. I am thinking, for example, of where an employer has a physical office presence, with people regularly working from that location, and they predominantly hire British and Irish nationals. They will typically do paper checks, which, even if they are not the most efficient, are well understood and clearly demonstrate compliance. I had feedback from a director of HR at a large painting and decorating company who told us that most of their staff are British; they do not find right-to-work checks an issue and they understand them well. They did note that, the few times they have used the system for non-nationals, it was relatively straightforward but required a degree of relearning each time because of the infrequency with which they engage with it. However, once you step outside that more classic employment scenario, wherein employers can easily get someone to bring a passport in to copy, it can become more complex for employers to navigate. We have heard from a director of an HR consultancy who told us that the checks are clunky, inconsistent and often outsourced, at a cost especially for smaller employers. We heard from a director of a small company who said they agree that the current system is confusing and hard to manage. They referred to the fact that they have employees on working visas whose ID cards state that their right to work has expired, even though that is not the case. We have also heard from members who feel that the Government unfairly place the entire burden on employers without sufficient support. One member said to us that the onus is on the employer to ensure that documentation is not fake, but there is only so much employers can do and more support from Government is needed. I would therefore say that the current system does represent a burden for many employers. We think that digital IDs have a role to play in addressing that, but we are concerned about the current policy direction regarding digital ID.

Thank you very much. We have heard that employers often make mistakes or struggle to navigate the system. According to the Home Office, 80% of employers got one compliance question wrong, 81% incorrectly thought that recruitment agencies checked the status of agency workers, and 70% of employers in the construction industry would accept a driving licence, which is not evidence of the right to work. How confident are you that your members, or employers generally, can check that someone has the right to work?

I think the risk, as you have identified, is that employers think they are meeting the legal requirements when they actually are not, so confidence that the system as a whole is working as it should is probably relatively low. That is partly about employer awareness and partly about more complex employer–employee relationships, such as in the gig economy, which will soon come into scope. As I said, where the relationship is simpler, employers mostly know how to navigate the system, but there are certainly instances where it is more difficult. I think you will often find that much smaller companies, particularly those without in-house HR capacity, will struggle much more than larger companies to get this right.

To open it out to the rest of the panel, what problems do you think employers encounter in fulfilling their legal obligations? Also, what do you think of the argument that the system is focusing on the wrong set of people? A lot of people are following the law and employing people legally, and they put in a lot of effort to prove that fact, but they can prove it. Then there are people who are struggling to navigate the system and making lots of mistakes, and it is not clear to them whether they are breaking the law or not. Finally, there are the people the system is actually trying to target and clamp down on, who are just not participating in the system. What do you think about that argument?

That is quite a big question.

We like asking big questions.

It is probably going to be hard to give a short answer. I want to pick up on something Joanna said, which I think is quite important, because you referenced small businesses. The offence is employing illegal workers, not not doing a right-to-work check. That is relevant because if you are a local electrician in south London and you are employing your mate’s son, who you have known since he was three years old, you know that that person is a British citizen, so the risk to the firm is low. Firms need to take a risk-based decision. Obviously, when you get into larger organisations, in the way Alex is talking about, it would be a very high-risk endeavour not to have a system for doing right-to-work checks, because you do not know the people you are employing in those larger organisations. The issue, as both Alex and Joanna said, is that it is complex for frontline staff to do these things. Usually, it is relatively low-paid staff who are doing them, and they are expected to know quite a lot about checking documents if they are doing it manually. There is a fear aspect because sitting behind getting that decision wrong are the fines Joanna spoke about. One thing we are trying to encourage the Government to do is to promote the DVS sector more. Although there is a cost to that, as Alex says, it brings consistency and reliability into an otherwise manual process. That technology can be used to support face-to-face checks, as well as remote checks on what is going on. That gives a consistent, standardised way of handling the process and takes a lot of the burden away from frontline staff who are being asked to do these things. There is another point, which you just raised. The question that is troubling us is, what is the problem we are trying to solve? A digital ID will not necessarily solve the issues around right to work, whether that is illegal working, helping people back to work—people who are excluded from the economy—or dealing with black market employers, impersonation checks, fraudulent documents and suchlike. A Government-issued digital ID is not necessarily going to help in that process. It requires a wider community aspect, and you will not be surprised to hear that we think that the private sector is mobilised and already doing that work. It has intelligence on fraud and impersonation that we would like to share with the Home Office, but there is no one to share it with.

I echo what David and Alex have said. It truly is a complex system, with severe penalties for making even minor mistakes. If an employer fails to carry out the right-to-work check before somebody starts work, and maybe does it later on, on the very same day they started work, technically that would be an uncompliant right-to-work check. If there was any issue down the line with that person being an illegal worker, the right-to-work check would not defend against a civil penalty. If somebody failed to put a date on a copy of a manual check, that would be enough to render it uncompliant, and then it would not be able to be used in defence. I think you are right to characterise those three groups in the way you did. There are employers who are trying their very best to meet the levels expected by the Home Office. They tend to be, as Alex says, the big companies that have dedicated HR teams, often with a few subject matter experts who can keep up with the pace of change we see from a policy perspective in the immigration space. Then there are those who struggle. If you look at the list of businesses who have civil penalties, it is not the big names that are on there; it is small businesses—takeaways, restaurants—that do not have HR, and that maybe have the best intentions but are unable to manage the system correctly. Yes, I agree that the burden is being placed unfairly on other groups.

Finally, what is your view on the use of paper documents? Obviously, quite a lot of smaller businesses and legacy employees will still be using paper. In 2026, does that have a big impact?

A lot of my employers will still use manual right-to-work checks. There has been a significant shift away from using physical paper-based checks, particularly since the pandemic, with the need to have a way of checking the right to work remotely. Most of the employers we work with are very happy with the online share code system, and some use DVS providers as well and are generally happy with those services. But some businesses will still use paper-based checks, and depending on the sector, they very much have to. I was working with a winery who had to employ pickers, and they were telling me that nobody has a passport, so they have to check the right to work via a birth certificate and an NI number; that is still a valid form of right-to-work evidence. The fear with this move towards purely digital right-to-work checks—even with the concession that biometric passports will be acceptable—is that you are going to exclude people who do not have passports, who are still a significant portion of the population.

Under the existing codes from the Home Office, we can only accept in-date British or Irish passports—and Irish passport cards—for remote checks. If a passport is out of date, or if someone has any other documentation, such as a birth certificate or suchlike, we cannot accept that remotely, it has to be a face-to-face check. As you will be aware, the way the legislation is written is that the worker has a choice about how they present that right-to work thing, and that is quite an important principle to retain. But I would flip your question the other way. We are working with recruitment agencies, particularly at the lower end of the employment market—the fruit pickers-type thing—that may have a phone call from a local factory or whatever, and have to find five workers to go out that evening; it is that sort of stuff. One of the other documents they can accept remotely is the share code under the eVisa system. They will more likely send someone on an eVisa code out to meet those immediate requirements, because a British citizen who just has a birth certificate has to come into the office and have their details checked before they can actually place. That puts a friction into the system that arguably discriminates against British workers who do not have the right documentation to do a remote check. So I think there is an alternative spin, which is that digital ID will actually help get those people into employment.

That picks up on Jo White’s point earlier, that the advantage of a labour market being very flexible and informal is that you can fill spaces quite easily, and that the labour market can adapt within hours to find pickers. The downside is the vulnerability of it. It is a trade-off between those two. Do you accept that those are two sides of the same coin?

Yes; the question is how you deal with that quickly and effectively. Obviously, that is why we are here today. Even if things go well with the Government-issued identity, you are not looking at that being used for right-to-work checks for a number of years yet. One of the restrictions we have in the trust framework is that once one of our members has done a right-to-work check, it expires after three months. That makes sense in a case with a share code, but when you are dealing with someone you know is a British citizen, there is no reason why we could not reissue a reusable digital right-to-work identity issued by the private sector. There are mechanics and suppliers already in the market to do that. It could be enacted this year at relatively low cost to the taxpayer. There are alternatives that the Government should look at, as well as doing a Government-issued digital ID.

We are joined today by the Chair of the Science, Innovation and Technology Committee, Dame Chi Onwurah.

That figure of 23% came from evidence we provided to the Home Office. There are not reliable stats because, generally, we do not know how many right-to-work checks are being done in the UK, so we do not know what our members’ work is a percentage of. We do know that most large employers, as Alex referred to, use some sort of system, and we are generally engaged with the larger employers. The less clear area is small and medium-sized businesses, where there are not necessarily the stats. Although each employer employs a smaller number of people, there are of course a greater proportion of them in the economy. That is what gives the difficulty on the statistics. On the question of costs, those vary quite considerably. They can be literally nothing when they are part and parcel of another pre-employment check. A stand-alone check goes from around £1 to £6 in some cases, if it is going via different providers. There is a selection in the market, and employers can do their own research and make up their minds.

Yes. What varies in the market is that sometimes there is a registration fee, which may be a few hundred quid, or there might be a minimum spend to make a transaction worth while.

It depends, again, on who the provider is. Some of our providers give web-based services that will integrate into an onboarding journey run by an employer. Others are completely stand-alone and use an app-based approach.

We do not have data on the exact proportion of our members who use digital right-to-work checks, but anecdotally our members, who tend to be predominantly SMEs, do not typically refer to them. When we talk about right-to-work checks, they all start talking about paper checks. Of course, when they hire migrants, they use digital share codes because that is compulsory, but the Home Office research alluded to earlier, which says that around 79% of businesses still use paper checks, roughly aligns with our impression. From our perspective, the introduction of the option of digital checks via IDSPs has been welcome. I can see scenarios where it could be really beneficial, especially for an organisation that operates entirely remotely, and it is still relatively cheap for an organisation to go through that route. It offers more choice and flexibility in demonstrating compliance, which can only be a good thing, but we are worried about the loss of flexibility in saying to employers that they must do a digital check. At the moment, the system works because the physical checks are there as a back-up. The example was given earlier of someone who does not have a passport. We have had feedback from members who say they do still get a lot of people coming to them who do not have passports, and they have to use birth certificates, for instance. For me, it is not clear exactly how the system will allow for that.

It will vary massively by sector. Probably, the vast majority of our members will have the requisite digital infrastructure; I would imagine that it would not be hugely significant. But there will be sectors, particularly where more informal forms of working are more typical, where it may require more of an up-front investment. That, again, is why we would have concerns about the loss of that back-up of being able to do a physical right-to-work check if need be.

If we are talking about digital right-to-work checks, it is important to always distinguish between the DVS system, which is run by the third-party IDSPs, and then what I would call the share code system that checks eVisas, which is a form of digital checks. In terms of the DVS system, a lot of my clients are now using it, and most are fairly happy with it. The costs have come down since it was launched. I think a lot of businesses see it as a welcome relief from having to manage, as I say, this complex system, so they are quite keen to engage an IDSP. My concern with the use of IDSPs is that we always have to bear in mind the limit of what they can do right now. As I mentioned at the start, when I was describing the right-to-work system, the key point is that an employer should want to obtain what we call this statutory excuse from a civil penalty. An IDSP check, via a DVS check, can only be used for a British or Irish national with an in-date passport, to gain that statutory excuse. What we have seen—I have certainly seen examples of this—is certain companies’ IDSPs slightly, potentially, over-reaching or overselling their services and saying to employers, “We can do all your checks.” The employer then says, “Okay, you can do our share code checks. That sounds great. That’s another load off our shoulders.” Although that check will tell the employer whether somebody has the right to work, so the employer will have that security, they may not be aware that they do not have the statutory excuse, because they have not carried out the check themselves. That lack of certainty is an issue that I have seen. The second issue is the lulling into the false sense of security. It is a great system, the examples I have seen. They are app-based; they are really quick. The employer gets a portal document that they can save, telling them the employee has the right to work. There is another key step that employers must then carry out, which sometimes, again, gets missed. There has to be an imposter check. They have to verify that the person in that portal is the person presenting for work, and that, unfortunately, can get missed. Certainly, with big businesses, where you have HR dealt with over here, and the person being employed on a site over there—we talked about this—I have seen more and more instances of impersonation. This tends to be more with the share code system; I don’t think I have seen it with the DVS system. Someone will essentially borrow somebody else’s share code and try and pass it off as themselves. If nobody challenges that that photo isn’t the same, you have an illegal worker.

Yes, the eVisa system. Obviously, with the DVS there is still an imposter check that must be carried out to verify that the person in the check you have coming through is the person that you are actually employing. I think employers sometimes do not realise they have that secondary check they need to do. Those are some of the issues but, by and large, it is very popular so far.

On that last point, we see that gap too. It is actually a relatively straightforward problem to solve from a technical point of view. One of the things that has been missing from the debate—certainly up until a couple of weeks ago, when there was talk about making digital ID mandatory for right to work—is the fact there are other options available that can be deployed quicker and cheaper and that will make a real difference, rather than diverting energy into talking about national digital ID for right to work. We are here talking about a policy initiative that will not deliver for another couple of years, but there are things we can all do now that would actually make a real difference.

I want to ask David how you get into the business of digital verification. Is there any sort of training or licensing that you have to do in various Government Departments? The layperson might think that these companies are given some sort of right by the Government to carry out said checks.

It would be great if they were. We have to jump through quite a few hoops to get through to that. One issue is how much that might be a barrier to innovation and new people entering the market. To pick up on an earlier question, there is a lot of downward pressure on pricing at the moment, particularly around right to work, so we are seeing consolidation taking place in the marketplace. The number of checks you have to go through is quite substantial. To answer your question more directly, each of the organisations has to be certified up to an ISO standard—ISO 27000—for security and quality. In addition to that, we go through a certification process by independent UKAS auditors to make sure the technology is working as it should do, in terms of being able to prevent presentation attacks, pick up fraudulent documents and that type of thing. Once we go through that process, we will be approved as a supplier by OfDIA. That is the process. One thing we are doing as an association is working with other organisations to see how we can improve professionalism among individuals in the area and generally improve awareness among computer professionals of what digital ID is and what we call personal data sovereignty—people being able to own their data. There is a massive education process that we see ourselves needing to undertake to progress that. We are slightly disappointed that since the Data (Use and Access) Act 2025 was passed, the Government have yet to put their weight behind talking about those reforms and what they mean for individuals. We have been deflected off on to something else, which is not helpful.

Is the amount you have to go through to get certified to do this a strain on an individual organisation or company?

I would not say it is a strain, but it is not straightforward. You have to know what you are doing, and you have to be sure about the tech. There is some controversy among our members about the hoops we have to jump through. But really, we are behind that, because this is a trust framework, and for that trust framework to work, we have to be working to standards that are rigorous, auditable and consistent. Although it is a burden, it is in all of our interests to meet that burden, because it is the bedrock—it is the infrastructure upon which everything else sits.

We have talked a lot about people who do not necessarily have all the documentation, and you talked about people sometimes coming to you with a birth certificate. There is a small cohort of people in the country who have British birth certificates but who technically do not have the right to work. Are you able to accept just a birth certificate?

That plays into the grey area that Joanna was talking about, around the differences in where the technology is at and the responsibilities that are placed on an individual employer. There is a vouching process that you can go through, which is a Home Office process, to prove someone’s identity. That vouching process, based on birth certificates and whatever, can also produce a reusable identity that we argue could, under certain circumstances, provide a reusable right-to-work digital identity to individuals. There are a couple of organisations within our membership that are very active in the digital inclusion space and running outreach programmes to marginalised groups. We have found that if you approach that with some imagination and actually talk to people in their own language—not in tech speak and suchlike—you can get more engagement, rather than having a top-down imposition where you say that they must do something. Returning to an earlier point, it is about providing incentives for individuals to receive the benefits from going through that process and having a reusable private digital identity.

Alex, have there been any technical difficulties or cyber-security issues that impact your members’ ability to carry out digital right-to-work checks? What do you do when that happens—what is the protocol?

It is not a topic we have had feedback from members on. However, we polled members on the concept of digital ID for right-to-work checks last year based on a Government-issued ID. One of the key concerns that a lot of members raised with us was cyber-security—the risk of fraud—and what the employer role within such a system would be. Although it is not something that we have had feedback on in relation to the existing system, it is certainly a concern that our members raised to us in terms of any future introduction of digital ID requirements.

Are your members using digital forms of right-to-work checks and is that having any impact on their efficiency?

Where they are in use, it is certainly helpful. I mentioned earlier that there will be some organisations that are entirely remote—something that we see more of now—and where actually it is very difficult to carry out physical right-to-work checks. I heard from one member who said they had to delay someone’s start date because they just simply could not align diaries to meet in a shared location to do the physical right-to-work checks. For organisations such as that there are clearly big advantages to having the option to go down the digital route. As I mentioned earlier, we have concerns about grey areas and around what it means for employers who wish to continue to use physical right-to-work checks because they find those easier for whatever reason.

David, in written evidence to the Committee your association, the Association of Digital Verification Professionals, said that rather than a single national digital ID, “stronger digital checks” are required to reduce the illegitimate sharing of eVisa codes and impersonation. Could you expand on that a bit?

It goes back to the earlier point: this Committee is obviously picking up on the issue of digital ID and right-to-work because of the Government’s announcements and such like. However, the whole point of the trust framework is to focus on outcomes and delivering those outcomes at speed and at a reduced cost. As an industry, we are mobilised. As I said earlier, we are doing 5 million right-to-work checks. We are out there and doing it now. Rather than talking about changes that need legislation—which are quite controversial and have generated a lot of pushback, as we will probably hear later on—there are initiatives that we can do now. The point I would like to come back to is the question of fraud signals. We have a responsibility under the trust framework to share fraud signals between us as providers—but we do not have anybody to share that with within the Home Office. As an association, we met with the Home Office—the modern slavery, fraud and right-to-work teams. We have this intelligence, and it is useful for threat and operational intelligence, but there is literally no one who wants it. That was one of the messages that we are quite keen to call out and emphasise at this Committee. That intelligence is actionable and could be used now. You do not need to wait four or five years to do it—you just need to decide to do it.

Have you literally tried to offer it to them?

It has been a campaign of ours for a number of years, and the right-to-work teams in the Home Office are very supportive of it. I think it has been raised in the Home Office on several occasions, but it has not landed.

That links to my first question about how it is reliant on the Home Office to do raids, and therefore the Home Office needs to use the intelligence that is fed to it. It is quite shocking that you have information that it does not seem to be interested in. Do you have data, in terms of numbers or percentage, on how much fraud you think is going on?

Yes. None that is specific—in the sense that there is duplication, gaps and issues around impersonation, which we were talking about earlier, or incomplete. It is a very small percentage of what is going on, but we are seeing fraudulent documents and impersonation checks in the thousands per year. Probably more interesting than the numbers is, I would have thought, that someone receiving that information from all of us—because we do not see each other’s information—could use that to analyse where the threats are. We did a project years ago with the University of Manchester to try to identify modern slavery within the construction supply chains. That type of reporting of where documents are being forged or where impersonation takes place could be very indicative of where organised crime is operating.

No, it is just us. It is just the private sector.

Correct. And it was as much a surprise to us as it was to everybody else.

I declare an interest that I used to be a solicitor at DAC Beachcroft—the same law firm as Joanna Hunt. I am also the MP for North Cornwall. I thank you all for coming in. Do you welcome the Government’s decision to abandon their plans to require a Government-issued digital ID?

To clarify what I have said, we already have a system of eVisas that are checked in a digital manner—let’s call it that way. When you hear the initial reports of the introduction of a digital ID, people who are in the UK on a time-limited visa already have an electronic form of status and have had a digital check take place. The intention to bring in digital ID for British and Irish nationals appeared to me as an intention to bring them into a system of checking similar to what already exists under the share code system. A slight reversal has taken place in that policy, in that the Government are now saying that it will not be a mandatory digital ID, but other forms of digital status will still be allowed. I think that is positive. From the reports I have read, they are indicating that you could still potentially demonstrate right to work on the basis of your biometric passport. I think that some flexibility, as we have mentioned, for sectors that are not necessarily going to have access to tech on site to do these checks, like agriculture, is of benefit. I am interested to get absolute clarity on I have read in reports about how—as we have said from the start—right now there is no penalty if you do not carry out a right-to-work check; there is only a penalty if you do not carry it out and somebody does not have the right to work. From what I have seen in reports, it seems that the Government are going to introduce a mandatory element so there could be some consequence even if you fail to carry out a right-to-work check. I understand that has still survived the changes. I would be interested to know exactly what that means for employers, because it would be a significant sea change for them to be placed under that kind of pressure and obligation.

On a small point of clarification, you mentioned the difficulty for smaller businesses to comply at the moment, and the list of businesses that is published online and how a lot of them are smaller businesses. How do you see those businesses complying with the new system, where, as you say, they may be penalised for not carrying out the right-to-work check?

They will be under the microscope. The Home Office did a survey about this around a year ago; the levels of awareness of what right to work is about, what the obligations are and how you carry out compliant right-to-work checks are relatively low beyond big employers, or the employers that have the funds to instruct lawyers to help them with it. If the Home Office intends to introduce something like that, it would have to do an information campaign that gives businesses the opportunity to fully understand what it means, because right now the level of awareness is simply not there. For those small businesses, it would be easy pickings for the Home Office. If the consequence of failing to carry out a right-to-work check is a financial penalty, then yes—they would be in the firing line for that. My hope would be that whatever the consequence for not carrying out a right-to-work check, it would be less than the civil penalty that exists for illegal working. I would hope there would be a difference.

Does anyone else want to add anything?

I echo those points. We welcome the change announced a couple of weeks ago, for a couple of reasons. First, we think the original announcement poisoned the well. It caused a lot of distraction away from the things we are talking about now—the alternatives we can use to tackle the issues right away, because we are mobilised and ready to go. It is worthwhile pointing out that the trust framework, as it is now, started in 2008 under the Brown Government, with the Sir James Crosby report into identity assurance. That policy was advanced by the coalition Government, then by various Tory Administrations, and brought into legislation through the data Act by the Labour Administration. The DVS sector is the product of a long-standing cross-party consensus over 17 years. For a U-turn to come about to say “We’re all going to be moving to a national ID scheme” is quite a big change, and it ignores that progress that has happened over the last 17 years. That is where we welcome debate. Taking the mandatory element out of it allows for a more rational conversation about what we are trying to achieve. It is legitimate for the Government to improve Government services and provide a super-app, if that is what they want to do, around the Government wallet, to make it as easy to engage with Government at national or local level as it is to buy something from Jeff Bezos. However, Amazon does not have a digital ID, so there is no need for the Government to have a digital ID to deliver those joined-up services. I own my identity; the Government do not own me. We think digital identity and personal data are better handled in the private sector, in the same way that we handle our money within banks. Our data should be in data banks, where we can share and control it. IDs are part and parcel of that. That is the conversation we need to have, and the one we might hear that would have support from the next panel. Mandatory digital ID has been a distraction away from that.

In short, we have concerns about the changes that were announced a couple of weeks ago. We were supportive of the original announcement around mandatory digital ID for right-to-work checks, because we had done some research with around 450 business leaders last summer, where we put the concept to them and 62% agreed with it. The main reason behind that agreement was the potential to simplify what, as you have already heard, is in many cases a very complex system for employers. The issue we have with the announcement a couple of weeks ago is less the fact that digital verification will still be required for employers, and more that the means of accessing that will not be as simple as it would have been under the previous approach. There may be a scenario in which an employer has to digitally verify that someone can work in the UK, but that person does not have the Government’s digital ID verification, and they also do not have a current biometric passport. Where does that leave employers? That is separate from the issue whereby employers may need to pay to access digital verification under this system, but at the moment they can do physical checks themselves. That leaves us in a slightly worrying grey area. Good policy design can address all of these points. We are waiting for those further details, but we have concerns with the details that are available at the moment.

I have one quick follow-up.

Very quickly, because we don’t have long.

Okay. I will go back to David. You mentioned the outreach programme that you run through your organisation. As a rural MP, I am particularly concerned about people who are digitally excluded, because the direction of travel is to roll out wider digital right-to-work checks. Alex also just touched on the mandatory requirement for employers, who cannot always easily access these digital systems. Can you quickly tell us what specific work your organisation is doing?

There are a number of organisations that are working on that. You can get your ID done at post offices and suchlike, but there is that vouching policy. In terms of the work that we are doing, we are particularly working in the voluntary sector with marginalised groups. We are picking up lessons that we learned from talking to the Singapore Government about where they do outreach programmes. We are looking at how we do those outreach programmes within the marginalised groups of post-industrial towns in the north-west that have more issues than we know what to do with. Some of those constituencies cover rural areas as well. We have found that, with a Government digital identity, no one necessarily has that on a badge, but if you give people an identity that they identify with, your exclusion issues begin to decrease, because we all like wearing a badge.

I have a quick follow-up question for Joanna Hunt. What are the key things that the Government would have to consider in setting guidance for the roll-out of digital right-to-work checks?

Clarity is key. The majority of right-to-work guidance is freely available on gov.uk, but it is not easily found or easily understood. I think clearer instructions could be given on that. The Home Office have got better at doing stakeholder engagement sessions with employers, and I have even seen them doing more training sessions and actually offering training to employers on right to work. I think they would need to roll that out quite significantly for digital ID. It is also about improving and making sure—this is a point that we haven’t mentioned; perhaps you will talk about it more with the next panel—that the data that the Home Office are going to hold is accurate and the employer can have faith in that. You might talk about that more with the eVisa panel. There obviously have been, as I am sure they will mention, issues with the data that has been held from a right-to-work perspective, which in some cases has been wrong or not available. The employer is then left trying to work out whether they can employ the individual, and the poor individual sometimes misses out on starting their job or even loses their job. It is about making sure that everybody can have faith in whatever system is created—that it is accurate, accessible and easily understood.

I have a quick question for David Crack. As we move towards digital, and the pathway is generally moving that way, are you concerned about data hacks?

It would be naive to say that you will have a foolproof system. Whatever controls you bring in, it is the nature of fraud and criminality to move and transform—

It is the big private companies—you were talking about the private sector—that have been hacked.

Thank you for that clarification. The thing is that if you are dealing with a company that is providing services or doing something, whatever it will be doing, its primary motivation is to sell you stuff, whatever that stuff is, and not necessarily to look after your data. I say that in contrast to what is taking place in the DVS sector, to go back to the earlier question. We are organisations whose sole responsibility is to ensure that we are combating fraud, and we are introducing trust into the organisation. You would not give your money to an organisation that is not a bank or a building society. You give it to organisations that you know are trusted and regulated, and are going to look after your interests because they have that responsibility. Within the DVS trust framework, we have that same responsibility, but it is about your data. That is the conversation that we need to have. If you are going to be giving your data to anybody, it is less of a risk to give it to a company whose job is only to protect your data. Does that answer your question?

Yes, it does; thank you. Joanna, what do you think the impact of the right-to-work checks will be on the Home Office’s ability to crack down on illegal working? From the evidence, we hear that some people will never get a visit. Do you think this is going to be progress?

Do I think digital ID will have an impact on reducing illegal working?

Yes.

It will have some impact, but I don’t believe it will be the magic bullet. As I have explained, the digital ID policy is likely to affect how most British and Irish nationals evidence their right to work. People on time-limited visas already have an eVisa. I am not sure whether the plan is to subsume the two together. The instances of illegal working or problems with right to work that I see in my practice, and with the businesses that I support, pretty much exclusively surround those on a time-limited visa. It is things like a person overstaying a visa, breaching the conditions of their visa or, as I have said, impersonating somebody with a visa. I don’t totally see how this digital ID policy will impact that world, because we already have a system of eVisas and digital right-to-work checks. As David said, is attention better focused on making those systems work better than on introducing a wholesale new digital ID system? The benefit that I do see—as Alex says, this is why employers are keen on it—is the reduction of complexity. As I said at the start, you currently have three methods of carrying out right-to-work checks. If we have this digital ID system, I imagine there will be some assimilation. Hopefully, that will produce an environment in which employers have much more clarity about what they need to do. Right now, all they want is for immigration policy to remain calm and consistent for a period of time, because the upheaval has been quite substantial over the last few years.

David, the Government has stated that the digital right-to-work checks will enable it to get a good record of checks. From a tech perspective, how easy do you think it will be for the Home Office to achieve that?

A Government rolling out digital ID is a big programme—a big undertaking. One of the issues that comes under the trust framework is that where you have personal control over your data, there is a huge uplift to the economy and a lot of benefits for individual organisations, but it also requires a massive change to the way the back-office system work. When you are looking at it from a Government point of view, or a GDS point of view, those back-office systems are not a minor thing to change. The private sector can deliver digital identity and the benefits that we were talking about from having more control of your data. It is a better use of resources to use the private sector to do that, so it is a design choice.

So you are not confident that the Home Office will find this easy to do? You are saying that the private sector would, but the Home Office possibly would not.

There is the tech issue, which is challenging, but there is also the human rights issue—the social issue. There is huge, massive resistance to it, which you will probably hear about in a moment. That resistance does not exist with the private sector. The Crosby report came about—this is the reason why this has been developed over 17 years—because of the privacy lobby. How can we do this better in the UK? That is why the trust framework came about. It has been a long time in the making. It is quite a big ask to ask a Government organisation to catch up on 17 years-worth of investment into what is now an operational industry.

I am going to have to bring the session to a close. I am very grateful to the panel for your time, for being with us today, for the answers to the questions and for the evidence you submitted previously. Witnesses: Dr Kuba Jablonowski and Monique Hawkins.

Thank you very much to our second panel. Will you please introduce yourselves?

Hello. My name is Kuba Jablonowski. I am a lecturer in digital sociology at the University of Bristol, and I was a co-investigator on a research grant that researched the transition to eVisas at the initial stage, when it was still the EU settlement scheme. It was a project funded by the Economic and Social Research Council.

Hello. Thank you very much for inviting us here. My name is Monique Hawkins. I am head of policy and advocacy at the3million, which was set up after the EU referendum to represent EU citizens. EU citizens were the first cohort—they were, as we said, the guinea pigs for the eVisa system, which has now been rolled out to 10 million people.

Thank you very much.

Thank you very much for coming today. The roll-out of any new Government scheme is always fraught with difficulties—there are always bumps as we go along—but how effective has the roll-out of the eVisa system been? What have been the challenges?

That probably depends on the perspective. From the Home Office perspective, the roll-out was quite efficient. Before Brexit, EU citizens were not registered on any kind of database; they did not have any form of regulation of their immigration status. The digitisation enabled a very quick process for registering millions of people on to the system. In that sense—in terms of the bulk—it was quite effective. But that also means that if errors occur, they occur at scale, which is a problem from the user’s perspective. From the user’s perspective, we undoubtedly saw that a lot of people who applied very quickly for status got it granted quickly, but we also saw hundreds of thousands of people who were stuck in backlogs for a number of years. We also saw a number of people who were not able to prove their immigration status through “View and prove”. The key difference to tease out is that from the perspective of the Home Office, those things are marginal, but a marginal problem in a system that has 10 million people in it might affect hundreds of thousands of people at one time. In my research work, I focus on the glitches or systemic problems in eVisas, to understand how the system works and how it could potentially work better.

From our point of view, Brexit basically provided an opportunity to introduce eVisas, but they were really rushed. A small beta trial—a really tiny trial—of digital right-to-work checks was done in 2018. It was audited by the Government Digital Service and the comments were, “Yes, this is fine as far as it goes, but you need to do much further checking. You need to do testing with people who are digitally excluded. It is definitely not okay to get rid of physical documents in favour of this digital system.” There was never any other pilot or anything; they just went for it at that point. Would it be helpful for the panel if I explained what an eVisa check actually involves? People might think, “Oh, it’s easy: you produce a share code,” but we have graphics, extending over two pages, to show the actual steps involved. Very briefly, as an individual trying to prove your status you need to find the right website. You have to go on there and put in an identity number, which is usually your latest passport number. It is not a stable number throughout your life, like a national insurance number. It can change, which itself causes problems. You enter that number and your date of birth. If you are lucky and the system recognises your details, you get sent a code, either on your phone or by email, which you then have to put in. You then get to see your status. Then you press a button saying, “I want to produce a share code.” It asks you what type of share code, because there are multiple types. Eventually, you get the share code, which is a nine-digit alphanumeric code, and give that to the employer, who then has to find a different website—not the same one you just used—and put that in, with your date of birth. It will then say you have got the right to work. Because there are so many steps, it can and absolutely does go wrong at every single one of those steps. You also have a cohort of people for whom it will never work because they are very digitally excluded. I have statistics from Digital Nation showing that, even this year, there are still 8 million people who just lack digital skills. You also have situations in which it will never work for anyone, when there is no wi-fi or internet connectivity, because the Home Office insists that it has to be a live check. There are also a lot of people whose individual record has been broken in some way. Several years ago, for example, we started reporting on cases where somebody would log in, and they were lucky enough to get through and see a status but their status had been mixed up with that of someone else. It would have someone else’s photograph but their own name, or the other way around, or it would have someone else’s expiry date, or something else was wrong with it. At that point, that basically renders the entire right to work invalid because, as Joanna explained earlier, you also have to do the impersonation check. We have examples of people’s photograph being wrong. A woman who worked for a large corporation was basically dismissed instantly, because they were doing a repeat right-to-work check and suddenly—magically—it showed a photograph of her sister. Things go wrong in all those steps, and not just in those ways. That would be okay if there was very effective mitigation to solve the problems, but we just see countless reports of people who report a problem and it takes months to fix. The Home Office have not been transparent about the level of errors reported to them. There have been lots of parliamentary questions; they have refused to divulge that. We have a report in which we have tried to estimate the number of people affected. Because we have two specific incidents for which we can compare the number of reports we got with the true number, we think that for every report we get, there are probably 500 people affected. Given that over the last few years we have had close to 2,000 reports, we have come up with the figure that close to 1 million people could have been impacted at some point. The Home Office say they do not recognise that figure, but they are not prepared to give any figures of their own.

Perhaps I could come in and explain. Some of those errors are indeed errors where two status cards are getting mixed up—someone else’s photo appears in your status card or someone else’s name appears there—but some of them stem from the programmed function of the system. For example, there were errors where people were putting in a new application under the EU settlement scheme, to upgrade from pre-settled status to settled status, and the system was displaying their status as pending application, rather than showing them as pre-settled-status holders. When we queried that with the Government Minister, who was Kevin Foster at the time, he said: “This issue was caused by the logic by which our Status services react to casework events such as applications or grants of status. When the problem was occurring, it was because our service’s logic was to overwrite old statuses with a new one, because we believed this would be the most relevant one to display. We have changed the logic in response to feedback”. So some of the problems are directly caused by the way the system operates and by the way it was designed to show the “real-life” immigration status, which quite often cannot be automatically calculated.

You have identified lots and lots of errors—I am quite shocked to hear that—and you are saying the Government are not listening on the areas you are identifying. Have the Government taken any steps to rectify some of the problems, or any of the problems you have listed or detailed?

I don’t think it is true to say they are not listening; I just think the scale of the problem is so enormous. As a result of advocacy and other pressures on our part, there is now a forum dedicated to eVisa problems, which we attend once every six weeks or so and which is a very constructive forum. We bring problems to that. We also have an escalation route through that. If we think we have identified new types of problems that look systemic, or we see problems that people have tried to get resolved via the normal routes and they are really desperate—very vulnerable—we can get cases escalated. I think that team genuinely tries to fix those individuals’ problems, but also tries to look at where the system can be improved. At the same time, it is still the case that if you report a problem via the Home Office’s reporting tool, you will get an auto-reply that says, “Due to the volume of reports we are getting, we are unable to reply within the normal two weeks.” That has been the case ever since late 2023, and they are still not willing to say how many error reports there have been. Through a freedom of information request, we found out that, in a 12-month period, 483,000 calls were made to the eVisa resolution call centre, and lots of those calls were not able to be answered; people had to be on the line for so long and could not get through. We just have no oversight of how vast the problem is and, as Kuba was saying, they are continually changing the logic. The whole system is still labelled as a beta system, even six years on—no, eight years on, because it started in 2018. Every time there are problems, fixes are introduced, and they sometimes cause further problems. You might know that in the EU settlement scheme there are automated processes to extend people’s pre-settled status as it comes up to expiry. What we found was a whole section of several thousand people—I think it was in March last year—who had achieved settled status. And then suddenly they looked online and they had gone back to pre-settled status; quite a lot of these system-wide bugs are caused by trying to fix other problems. The whole thing is fragile.

To understand why it works like that, it is useful to think about it not as a system, but as a number of systems linked together. If you look at the “view and prove” website, you will see a singularity. It does say beta on it if you go and Google it now, but that is just the interface. Behind the system there are over 90 different casework systems from which information is drawn in real time. The biometric information is in a different system from immigration records. Some identity details are in a different system, and that to us is the source of the problem. The Home Office is doing nothing to address that. If you think about immigration documentation, in the past we had the kind of singularity of a biometric residence card. If you think about digital documents, we had these fantastic covid passes—the QR code is invisible because it has now expired, but it still sits on my phone. I can screenshot it and I can WhatsApp it to you. I can generate a new covid pass should there be a need, and the NHS app. But that works on a singular NHS number. In all those 96 working systems there is no single stable user identifier, so the system is computing the identity of the person whose status is being checked on the fly at the time of generating and checking the share code, and this is where we see those errors. This is where we see the problems where somebody else’s details suddenly pop up in your account because the system confuses people, or it assigns the wrong status to the user querying it.

I am Peter Prinsley, MP for Bury St Edmunds and Stowmarket. I am interested in what you just said about the NHS number. Everybody has an NHS number: they are issued with an NHS number when they are born. Anybody who accesses NHS services has an NHS number. So do we not already have a digital ID called the NHS number? Would that not be the obvious solution to many of the difficulties we have been discussing all morning?

People born abroad would not have an NHS number; they would have to apply for it. It is not for me to prescribe a solution. I originally come from Poland. We are born with a personal ID number, all the biometric records, immigration records, and a lot of welfare and health records. I attach to that number. In December I had to go to the pharmacy to get some prescription drugs. I just recited my personal ID number and showed my ID card and that was sufficient to get the prescription. I did it all online, remotely. So, yes, that would be neat indeed. I think the problem here is that UK immigration records started being digitised in around the year 2000. There were multiple different casework databases used in that process. They would have to be retrospectively fitted with those identifiers that we talk about for the system to work in a coherent manner. I think that is why the Home Office is not undertaking that kind of exercise. But, yes, it would probably help in identifying people across different platforms.

If the Home Office were to join itself with the NHS, things might improve.

Joined-up government is something that comes up in many of our sessions.

It is definitely a smoother service of the NHS.

Yes. We know that through the Freedom of Information Act. A colleague of ours asked the Home Office to provide a list of all the immigration casework databases, and the Home Office declined that freedom of information request, saying it would be too costly to generate that list because there would have to be over 90 different casework systems on it. It is not even that. One case can be recorded on two different systems. At some point, immigration applications were being decided on one casework system, but appeals were decided on another. So you could have one case with two different outcomes on different databases.

Any solution for a new type of digital ID would inevitably have to be layered on top of the Home Office data on someone’s immigration status, because your identity and your immigration status combine to say whether you have a right to work. What we say is that the Home Office must first invest massive, genuine efforts to clean up the eVisa problems. It is not good enough to say, “Well, it works beautifully in 95%, 98% or 99% of cases.” When you are talking about 10 million migrants, as Kuba said before, a small percentage affects a huge number of people.

Ten million.

Those eVisas include children. Not everyone with an eVisa is necessarily working.

It is 60-odd million people.

We have objected to the design of the system from the start. We had alternatives. We have a whole alternative proposal that would have a stable identifier. The proof of status would sit with the individual, rather than this clunky system of repeatedly having to go to a website to get a one-off token to give to someone else. I want a system where if you report a problem, you can expect to have it fixed within two days and full transparency about the level of errors being reported. To go back to the lack of singular identifier, you have multiple passports as you go through life. Every time you get a new passport, you have to link it. That then becomes your login number, so the login number keeps changing. People also have multiple immigration applications because you have to extend your leave, and things very often go wrong with that, plus the fact that you can get refused and go for appeal—the whole thing has to keep computing a correct status. That has to be much more robust. Creating a new mandatory digital ID would not fix any of the mess unless you address that first.

The people we represent already have mandatory right-to-work checks. Nothing will change there. Those mandatory right-to-work checks are done via eVisas. We say that eVisas have an unacceptably high number of errors.

First of all, if I wanted to be flippant, I would say that 10 million eVisa accounts does not necessarily mean 10 million people. We have it in writing from the Home Office that there are people with duplicate UKVI accounts. Resolving that problem could also create problems. We know that the scandal of merged identities, which you may have read about a couple of years ago—when multiple people with merged accounts were identified in Home Office databases—most likely resulted from the Home Office attempt to clean it up. It had a programme of cleaning up identity islands. There were multiple identities on UKVI for the same person. The Home Office merged those, but it also accidentally merged accounts that should not have been merged. As Monique says, if digital ID sits on top of that without the data that underpins it being cleaned up, it will just be the same story over again.

You could be asking for a tokenised form of ID. What we have now is transactional ID, so you need to prove your right to work every time, and the system computes you from the data traced in all those databases every time, and then says to the employer, “This is good enough for now.” Next time you have to do the check, that computation happens again. A tokenised form of status could be built around a stable identifier—a number—that would then resemble a covid pass. It could take years, but, going forward, it would clean this up. Most forms of digital ID are tokenised, so there is something stable that does not change over the course of the years—not like a passport number, which will be different every 10 years. It is stable, it is assigned to you and it never changes. If immigration status was tokenised, it would potentially resolve that. Funnily enough, that is what the people who built parts of the Home Office infrastructure are recommending. There has been an article recently by a person who works for Entrust, the company that developed the US’s application app—the one used to apply for status. He says that “what the UK is not yet doing is issuing a token of status to applicants, digital or otherwise. Instead, the UK approach is that data subjects are entitled to establish an online account to monitor their status, and then certain authorised parties are entitled to check that status online. This approach is secure, but is it sufficiently flexible for citizens carrying digital wallets?” That is the problem: you do not have something that would reside on your device and stably link your identity to your credentials.

You can attach a new status to the token, just like how my covid pass expired. I have a stable NHS number and one NHS app, but multiple covid passes could be generated and then terminated, depending on whether I still had the entitlement or not. So you can still revoke an entitlement attached to a token, but the token is stable.

If you get a new vaccination, it goes into the system, but the token is still there and is his.

Likewise, if you did a new test and put the records in, and it then said that you were entitled to a covid pass to travel. You are basically saying that you have your number—your stable identifier—and then you attach to that your right-to-work status.

Precisely.

Some form of ID would help, yes.

We have had this alternative proposal on the table for a long time, and the Home Office did engage with it publicly for a few months before they rejected it. The entire proposal can be summarised in one of our pages, which is that the current system is lots of multiple screens, and the proposed system is to give individuals something that sits with them, can be scanned and does not change under your feet. We spoke to one person who was a refugee. It took her years before she got her status, and she was so pleased to finally have an eVisa. One day, she looked and her photograph had got corrupted; instead of her photo, it had three little pictures of someone else. She phoned the resolution centre and they said, “No, it looks fine to us. We can’t see a problem.” She struggled for months to get it fixed, and we eventually got it fixed through an escalation route, and she was very pleased that it was fixed. Several months later, the photo disappeared altogether, so she again could not create right-to-work share codes. She has testified now that, basically every single Sunday, it is part of her routine to check her share code, because it can work today and not be working tomorrow. We are seeing that in the travel arena so much, and people are really terrified about this thing just disappearing.

The context is that migrants are stuck with having to prove themselves regardless, so at least give them a decent system rather than a rubbish one.

What I am hearing is what I already think, which is that migrants should be issued with a fixed digital ID that allows them to access all services, including proof of right to work. It is the way that this comes and goes for people arriving in this country that is so problematic. We will have a big difficulty in selling mandatory digital ID to all the citizens of this country—I have no doubt about that—but I think that making a rule that obliges people migrating to this country to acquire a digital ID would be a much easier political sell.

We are not making our conclusions at this stage, though.

No, but do you agree with that?

In the sense that that aligns with what we have been calling for. Migrants have to prove their right to work under the current system, which we still call the hostile environment, so if there could be a better system—but I would caution that any new, shiny way of doing that is still going to be based on that same flawed database. All our comments about how that existing data needs to be cleaned up with vastly increased resources for fixing the problem still stand, because just putting a new wrapper around it is not going to fix the problem.

On a quick point of clarification, are you saying that if the Home Office were to move to an eVisa system similar to the model of the covid pass, with a stable ID token, potentially making that mandatory for immigrant workers, as Peter mentioned, that would remove the issues you have described in terms of unstable eVisas and photographs disappearing?

If it was designed well and the underlying data problems were also addressed.

There are a lot of “ifs”.

Putting a new technology on top of it cannot be a magic bullet, because it is still going to sit on top of that.

Similarly to the covid app, you could see all the records attached to your record. Currently, you only see what the website shows you, and the next time you log into the website, it can show you something different. If you had an app that showed all the immigration applications you had made, and among them was an application by your sister or somebody completely different that was attached to your account in error, you could flag it up to the Home Office, resolve it, and that would stay resolved. In the current system, it is like whack-a-mole; it gets resolved, and then the computation happens again for the next check, and you have this problem again. That would help. If you had a QR code that could be scanned, for example, you could bring right-to-work checks into the scope of DBS checks.

It is about having a stable token, then.

A stable identifier is the key. Whether you call it a digital ID or whatever, it is a stable identifier, not just your passport number, which changes every time you renew it.

Precisely.

I can leave the Committee with some of this.

You have both painted a very good picture of what is wrong and the impact on people trying to navigate their way around the system and use it. What do you think the impact is on employers? You spoke about a woman in a high-powered role at a bank being let go. What other impacts are there on employers?

It goes back to what the previous panel was saying—there is a big difference between big employers with HR departments and legal departments that can help. If you employ someone on a high salary, and you have selected that person and really want them but their eVisa is not working, you will work with that person to get to the bottom of it. If you believe that they have the right to work, there is a thing called the employer checking service, which the Home Office provides, that you can then use to get an alternative assurance that that person has the right to work, whereas if you are a gig employer and there is anything wrong, it is like, “Next, please”. I would say the biggest impact really is on the employees rather than the employers, and certainly that is where our focus is, of course.

You have painted a picture, which I find personally quite worrying, of holding meetings and forums. I am not knocking what you are doing—I think it is really good that you are holding the forums and trying to sort these problems out—but the scale of it feels huge, and I find it quite worrying that the Home Office does not seem to be coming back and engaging with the pitfalls and what is going wrong. What do you think is the answer to that?

I recognise some of what you say because it does feel a little bit, as Kuba said, like we are trying to fix this with whack-a-mole and sticking-plasters, but there are some very fundamental issues as well that I have not even mentioned. I will be a little bit technical here, but at the bottom of your passport, there is a machine-readable zone. It is two lines, and your entire eVisa is based on that. There are international standards for what goes in the MRZ, and if your name is too long, there are standards about how you truncate it. I am from the Netherlands. Although I am known as Hawkins everywhere—HMRC, DWP, everywhere—my Dutch passport at the bottom does not say Hawkins; it says my birth name. With all these systems, not just at the Home Office but also at HMRC, if I try to use these identity apps to get in, I cannot. They will scan it and say, “That name is not equal to Hawkins.” When people try to attach a new passport to their eVisa and their middle name is slightly truncated, it does not work. There are so many issues. We wrote a letter last August to DSIT, the Department of Health and Social Care and the DVLA—I cannot quite remember all the different Departments, all of which are impacted by this—to point out that there is a huge cohort, quite often women because of the married name issue but also other reasons, that is being excluded from DWP and HMRC online services. We have not had a response to that letter. It is a very, very detailed letter.

When did you send the letter?

In August last year. I can provide a copy to the Committee. That is just one aspect of the many digital technical problems. In my view, the biggest problem is that it was all rushed out at breakneck speed. We have often quoted Australia, which has digital records, but it took a decade to do it. There was a decade of having physical and digital in parallel, then there was a further period when people could still get a physical back-up if they paid for it and then they finally phased out the physical option. Here, it was just a big bang for our cohort of 3 million to 4 million people before they then rolled it out to everyone by the end of December. That was such an enormous rush. The level of error reports we received—not our cohort, but the other 4 million people who had to convert to eVisas—is phenomenal.

In my research, I spoke to a couple of former Home Office officials who were in proximity to the design of the scheme, and I have got quotes from them in one of my research papers. One of them said: “in practice…people hadn’t given it enough thought…There was a scramble, and not just to deliver the scheme. A scramble to get the policy agreed on what the scheme would look like in the first place.” Another person said: “There was a huge pressure to make sure we had something that would be up and running, and would reassure people, and would do that by a set date, and would not fail.” Then, that civil servant started talking about the 80:20 principle, saying that if they designed something that was good enough for those 80 people, that would do, because Brexit had to be done. I think that kind of explains it. Maybe there is a lesson to be taken forward on how these things should be rolled out and on the need to have some kind of back-up solution working in the background while the website, or the app or whatever else it is, still says “beta” on it.

And more transparency about its design, considerations of privacy and proper debate. This digital status was brought out without any parliamentary debate whatsoever.

My final question is on the importance of safeguards when they start rolling this out. I was quite alarmed by what you said earlier about the Home Office not really answering. If they are not responding to what is already going wrong, do you think we can be confident that, when they roll this out, they will put the necessary safeguards in and respond if it does not work?

Do you mean when they roll out an ID for British and Irish citizens as well?

Yes.

Yes, but to be honest, I still have no understanding of, or clarity on, what this new thing would look like. I do not know whether British and Irish citizens would be brought down to the level of a share code system, or whether we would be brought up to the level of something more like the covid pass. There is no clarity. People talk about a “digital ID”, but without any detail. “Digital ID” can mean any one of a thousand things, so I just don’t know.

The devil is in the detail here. It may seem a little obscure and technical when we say, “This is the transactional way of doing ID and it needs to be tokenised,” but that is really what it hinges upon. That is not to say that there would not be errors in the other system, but at least you could resolve those and keep them resolved.

I am quite confused, having sat here all morning listening, about what we need to do. It seems from what I have heard that we do need to have a digital ID of some sort, and that will improve matters. Politically, the issue we have is the gig economy, and that when people see people working in delivery businesses on the back of bicycles, in car washes and in nail bars, who are, in many cases, being paid in cash, the strong suspicion is that their employers, if they have employers, are not doing any sorts of checks. How do you see a digital ID system resolving some of these issues, which worry so many people?

This is not my area of expertise, but I do not see how it does resolve it at all. If companies are not doing checks, I do not see how just changing the technology of the checks will make any difference to whether they do them. All we are really talking about is a different technical flavour of checks. If you were not doing the checks now, why would you do them tomorrow, just because the technology has changed?

As Monique said, this goes outside of what we do around right-to-work checks specifically. As you alluded to, the problem of the gig economy is not a problem for ID verification; it is a problem of precarious work and people being desperate enough to take that work. With some probably rare exceptions, nobody works cash in hand because they like it. It is a much wider issue. A standardised form of right-to-work checks would definitely enable more employers to do it easily, but would it address it all? I am not sure.

Is there a country that does this much better than us that we could model our activities on?

For digital ID?

Yes.

Poland’s mCitizen is a pretty good application. It was rolled out within the last few years and enables quite efficient processing. Poland does not have right-to-work checks in the same sense, but if you think of the moment when millions of Ukrainian refugees arrived in Poland very quickly, one of the reasons they could be put through the national welfare and employment systems so quickly was because there was the PESEL system—the personal identification number system. The healthcare, employment and tax records are aligned with that. The app built on top of that enables all sort of things, such as accessing healthcare. The Polish case is one example worth looking at, but there are plenty of others.

Last November, the Home Office moved on to Atlas, the single casework system. Have you seen any changes or improvements?

As far as I understand it, those are the casework systems for dealing with immigration applications, but the eVisa—the proving of the status you have—comes from a platform called the PCDP, or person-centric data platform. That takes feeds from Atlas and other things, so you still have that problem of things coming from different sources.

There is a report by the independent chief inspector of borders and immigration that picks up on Atlas and raises some concerns about how it works. That is quite technical. Without going into detail, it’s—

That’s fine; I just wanted to see if there had been any change. I think we have learnt that there is a lot to learn from the roll-out of eVisas, and an awful lot that can be improved on eVisas. I thank the second panel for their time and for their answers to our questions. We will obviously now work on the next stages on this issue, but we have learnt an awful lot this morning, so thank you very much.