Data protection and employee information

FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Part 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, including those concerning notices from the Information Commissioner, come into effect on 19 August 2025. The majority of DUAA 2025 provisions, including changes to automated decision-making, international transfers of personal data and the introduction of a new lawful basis for processing personal data, require further secondary legislation to be made to bring them into force. For further information on DUAA 2025 generally, see

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Powered by Lexis+®
Latest Employment News

Right to work guidance updated on Digital Verification Service checks

The Home Office has issued an updated version of its ‘Employer’s guide to right to work checks’ document, with the changes primarily related to simplifying the information on digital checks for employers of British and Irish citizens who have a valid passport (or Irish passport card). The new version has removed various technical details which were previously intended for providers of these digital verification services, and revised the relevant terminology, so that ‘Digital Verification Service (DVS)’ now includes both the terms Identity Service Providers (IDSPs) and Identity Document Validation Technology (IDVT). This is stated to align the guidance with the terminology used in the UK digital identity and attributes framework and the Data (Use and Access) Act 2025. Guidance and requirements specifically for DVS are now set out in a separate, supplementary code for digital right to work checks. The relevant guidance for employers has been revised. Although it is not currently mandatory for employers to use a DVS certified against the ‘trust framework’ and the supplementary code, this position will change ‘in the near future’, and it will become mandatory to use a DVS listed on the register of certified DVS (maintained by the Office for Digital Identities and Attributes (OfDIA)). In other changes, the new version reiterates that an original expired BRP is not proof of a right to work, and instead an online check must be taken. It also confirms that short-term entry clearance vignettes are being phased out, and that increasingly persons recently issued entry clearance will only have their eVisa to rely on for these purposes, so will need to create a UKVI account as soon as possible and can do this from overseas. In relation to asylum seekers with a pending claim, the guidance now states that they can also volunteer whilst their claim is considered without being granted permission to work, but they can only carry out 'paid' work if they have been granted permission to work under the Immigration Rules, Part 11, paras 360 or 360C. Previously the reference in our quotation marks to ‘paid’ work stated ‘voluntary’ work

View Employment by content type :

Popular documents