The Government has added a completely new immigration control exemption to the Data Protection Bill (“DPBill”). This exemption does not appear in the Data Protection Act 1984 nor in the Data Protection Act 1998 so the question immediately arises as to “why an immigration exemption is now suddenly needed?”.
The exemption is very broad; it is from all data subject’s rights (e.g. of access, information about the processing) if satisfying these rights would prejudice “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control.”
The effective immigration control exemption also allows the processing of personal data for an incompatible purpose (which I assume is to remove challenges to data sharing) and from the obligation to process personal data lawfully (!!!) – also subject to a “prejudice” test. The exemption can be found in Schedule 2, paragraph 4 of the DPBill.
The last time an immigration control exemption was mooted was 35 years ago in the Data Protection Bill 1983; this extended the policing exemption in that Bill “to the control of immigration”. However, this Bill fell when the 1984 General Election was called; however, when the Bill resurfaced to become the Data Protection Act 1984 the immigration control exemption was removed from the first reprint of the Bill.
The first point to understand is that an effective immigration control exemption does not explicitly appear in the GDPR or in the Law Enforcement Directive (LED). However, Article 15 of the LED allows an exemption, if “necessary and proportionate measure in a democratic society….in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; `
(c) protect public security
(d) protect national security;
(e) protect the rights and freedoms of others”.
Note that the effective immigration control exemption in the DPBill has nothing to do with crime as a relevant exemption already exists in Article 15(b) (and it exists under the DPA 1998 as Section.29). So, if the immigration authorities were investigating the crime of “illegal working” under the Immigration Act 2006, then they can use the exemption relating to crime if, for example, release of personal data to the data subject prejudiced their important detective work.
Similarly, using the same argument, it can be seen that the effective immigration control exemption is not needed if the reason for withholding the right of access concerns national security, public security and any other exemption listed in Article 15.
The effective immigration control exemption can be extended to protect the rights and freedoms of others (e.g. personal data that reveal other individuals who are sources of information for the immigration services can be protected from the right of access by the data subject; see paragraph 14 of Schedule 2).
Home Office statistics concerning Asylum cases, for instance, shows that for the years 2012 to 2014, on average 36% of decisions (to remain in the UK) were granted initially, but this proportion rose to 49% after appeal. So, it can be seen that about one-eighth of appeals (13% are successful (see references).
I don’t know how a Subject Access procedure is used by immigration lawyers in detail. But if a data subject has been refused a right to remain, then Subject Access can be used to access the personal data used in making that decision. If the personal data are inaccurate or incomplete, for example, then a challenge to Home Office decision can be mounted. Errors in one in eight appeals is a significant number.
The concern is that the application of the effective immigration control exemption will become an administrative device to disadvantage data subjects using the Immigration Appeals process?
Well since the exemption has nothing to do with crime, national security, public safety and the protection of sources then, without a rational explanation, such a prospect appears to be a distinct possibility.
The UK Immigration bodies have not had an effective immigration control exemption for 35 years. Consequently, they should be able to justify the inclusion of this exemption on the basis of hard evidence (i.e. the Home Office should be able to provide examples of actual subject access requests where personal data were released to the detriment to the public interest).
The UK is seeking an adequacy determination from the European Commission; this exemption could give EU nationals a lower level of data protection rights if they experience difficulty with the immigration processes in a post Brexit UK.
With that in mind, does this unexplained exemption when used in immigration cases involving EU nationals, help the UK obtain an adequacy determination?
Please send your answers to the Home Office.
- DATA PROTECTION BCS PRACTITIONER QUALIFICATION: The next intensive DP courses is in London (starts 13 November).
- NEW DATA PROTECTION BILL ALL DAY UPDATE: London (20 November)
- NEW DATA PROTECTION BILL/GDPR Workshop: London (13 December)
Home Office stats: https://www.gov.uk/government/publications/immigration-statistics-october-to-december-2016/asylum