If an employer wants to employ a foreign worker – one from outside the EEA – they need a work permit.  And the ever-helpful Home Office is on hand to ease their way through the process.  In most cases it is the employer, not the prospective employee who has to make the application – which seems to be designed to test (a) whether there is a real employer (b) whether there is a real job and (c) whether there is a real reason why the job can’t be given to someone who already has the right to work here.

There is a ‘Working in the UK’ website which takes us to a generous 24 page PDF of guidance for filling in the form.  “If you have not applied for a work permit in the past five years”, they tell us, “you should send as much recent information as possible to establish that you are a UK-based employer, and that you are capable of offering a genuine vacancy.”

  • evidence of registration with HM Revenue & Customs to pay PAYE and National Insurance
  • a copy of your Certificate of Employers Liability Insurance
  • VAT returns
  • most recent company accounts, audited if possible
  • a copy of the landlord’s signed lease of premises, or rental or purchase agreement
  • company incorporation, fire, or food hygiene certificates or other registration or licensing documents
  • utility bills
  • business plans
  • balance sheets
  • contracts detailing your business
  • for IT and hotel and catering establishments, floor plans.

And those are just the general requirements.  Some of the more specific ones shift from the merely intrusive into the downright bizarre: if you are recruiting  hotel workers, the Home Office requires you to send in a copy of your wine list as an aid to their decision making process.

There are two more interesting features of this list, though.  The first is just how many things on it come from other bits of government.  The second is how much of it doesn’t exist any more.

The first is pretty obvious – and extends not just to VAT returns and company incorporation but also covers company accounts (deposited at Companies House).  It would be the work of moments to check the relevant databases, and should be far more secure and reliable than any dog-eared photocopies I might send in.  But of course the obvious is not obvious at all.  I don’t suppose for a moment that there are mechanisms for allowing Home Office people to check Companies House data, still less HMRC’s.  The default mechanism for joining up government is still to expect service users to do all the joining up which may be required, with no help whatsoever from the bit of government making the demands.

The second is more encouraging in some ways, but makes it even more urgent to overcome the first.  To meet the first requirement on the list, “employers need to provide either their P35 or a copy of their HM Revenue and Customs internet account book”.  Fair enough.  Except that I don’t have a paper P35 any more, I have been doing that online for years.  I have no idea what an “internet account book” might be, though I suspect it might have been some variant of “payment account book” before a spell checker got hold of it – and I haven’t had one of those for even longer.  I don’t have any paper VAT returns either.

In fact, come to think of it, a triumph of online service delivery which I had not spotted until writing that last paragraph is that none of the routine paper forms which used to go to various bits of government have to go on paper any more, except the annual accounts, which are a slightly different animal.

Of course I can print off various web pages which are the equivalents of all those paper forms – but that makes the process even more insane.  The flow becomes:  government database ->  web browser -> printer -> post -> clerical handling -> government database.  Government database -> government database might be just a bit more efficient.

The penny has dropped at VOSA that the MOT certificate is no longer a certificate in any meaningful sense, it’s a receipt:  the real value, and the thing which needs to be secured is the database entry.  That news clearly hasn’t reached into the Border and Immigration Agency.  I have a web page with my P35 on it – and could change it to say anything I wanted it to before printing it, with absolutely no way of telling from the printed version that I had done so – except, of course, by checking the PAYE database from which it was generated, which is where we came in.

As with most areas of sloppy security, Bruce Schneier is ahead of us, gently deriding security by letterhead:

Security-by-letterhead was fairly robust when printing was hard, and faking a letterhead was real work. Today it’s easy, but people — especially people who grew up under the older paradigm — don’t act as if it is. They would if they thought about it, but most of the time our security runs on intuition and not on explicit thought.

This kind of thing bites us all the time. Mother’s maiden name is no longer a good password. An impressive-looking storefront on the Internet is not the same as an impressive-looking storefront in the real world. The headers on an e-mail are not a good authenticator of its origin. It’s an effect of technology moving faster than our ability to develop a good intuition about that technology.