When a worker uploads a Working at Heights certificate to WorkSitePass, it goes into a verification queue. A real person reviews it. Here's what that review actually involves.
This isn't a process we talk about often — not because it's complicated, but because it's unglamorous. It's manual work. It's slower than an algorithm. And it's the only way to do this properly.
Step one: Is this the right document type?
The first check is format. Does this document match what a legitimate Working at Heights certificate from an approved Ontario provider actually looks like?
Approved providers under O. Reg. 297/13 each issue certificates with consistent formatting — specific logos, layouts, and information fields. A certificate from IHSA looks like an IHSA certificate. A certificate from a different approved provider looks like theirs. We know what both are supposed to look like.
A document that doesn't match any known provider format gets flagged immediately. This catches uploads that are fabricated, altered, or from the wrong category entirely.
Step two: Is the issuing body currently approved?
This is the check that most visual reviews miss entirely.
We cross-reference the issuing body against the current approved provider list for that certificate type. For Working at Heights in Ontario, that means the Ministry of Labour's active training provider registry. For First Aid and CPR, it means the recognized certifying organizations. For CSTS 2020 in Alberta, it means ACSA.
If a provider has had their approval withdrawn — even recently — certificates issued by that provider are no longer valid, regardless of the expiry date printed on the card. This step catches that.
The expiry date is the last thing we check. The issuer is the first.
Step three: Do the details add up?
Name, date of issue, course completion date, reference or certificate number. Do they align internally? Does the issue date predate the expiry by the correct interval for this certificate type? Is the reference number in a format consistent with how this provider issues them?
Small inconsistencies can indicate an altered document. A certificate that passed the format check and the issuer check can still fail here if the details don't hold together under scrutiny.
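The ordering of steps two and three can be sketched as a pre-screen that hands flags to the human reviewer. This is an added example, not WorkSitePass code, and it does not replace the manual review. The provider names, the three-year validity period, the reference number formats and the flag names are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed reference data: placeholder providers, not real registry entries.
# Value is the date approval was withdrawn, or None while approval is active.
APPROVED = {
    ("WAH-ON", "Example Provider A"): None,
    ("WAH-ON", "Example Provider B"): date(2024, 3, 1),
}
VALIDITY_YEARS = {"WAH-ON": 3}  # assumed validity period for this example
REF_FORMAT = {  # assumed per-provider reference number formats
    "Example Provider A": re.compile(r"EPA-\d{6}"),
    "Example Provider B": re.compile(r"B\d{8}"),
}

@dataclass
class Cert:
    cert_type: str
    issuer: str
    issued: date
    expires: date
    ref: str

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # issued 29 Feb, target year is not a leap year
        return d.replace(year=d.year + years, day=28)

def prescreen(cert, today):
    """Return flags for the human reviewer; an empty list means nothing was flagged."""
    key = (cert.cert_type, cert.issuer)
    if key not in APPROVED:  # the issuer is checked first
        return ["issuer_not_on_approved_list"]
    flags = []
    withdrawn = APPROVED[key]
    if withdrawn is not None and withdrawn <= today:
        # Flagged regardless of the expiry date printed on the card.
        flags.append("issuer_approval_withdrawn")
    if cert.issued > today:
        flags.append("issue_date_in_future")
    if cert.expires != add_years(cert.issued, VALIDITY_YEARS[cert.cert_type]):
        flags.append("validity_interval_mismatch")
    if not REF_FORMAT[cert.issuer].fullmatch(cert.ref):
        flags.append("reference_format_mismatch")
    if cert.expires < today:  # the expiry date is checked last
        flags.append("expired")
    return flags
```

A certificate from the withdrawn provider is flagged even when its printed expiry date is still in the future, which is the case a check of the card alone would pass.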
What gets rejected — and why it matters
Across the certificates we've reviewed, the most common rejection reasons are: unrecognized or non-approved training providers, documents where the format has clearly been edited, expiry dates that don't match the standard validity period for the certificate type, and poor-quality uploads where key details can't be confirmed.
Workers whose certificates are rejected receive a clear reason. They can upload a replacement or contact us if they believe a rejection was made in error.
Self-declared compliance and verified compliance are not the same thing. One is a statement. The other is a result.
Why we do this manually
Automated verification can catch some things — OCR can read a date, pattern matching can flag obvious format issues. But the approved provider question requires human judgement and regularly updated reference data. The "does this add up" question requires someone who has reviewed hundreds of these and knows what an altered document looks like.
It's slower than a checkbox. It's also the only way to produce a status that actually means something when an inspector asks to see it.
When a certificate shows "Verified" in WorkSitePass, it means a person reviewed it against the issuing authority's current standards — not that a worker clicked upload and the platform took their word for it. That distinction is the whole point.