Immigration Exemptions: Government Position – Open Rights Group Response
This briefing is a breakdown of the Government’s response in Committee to the debate on Schedule 2 Paragraph 4 which would create an exemption from GDPR provisions to personal data processed for the purposes of “the maintenance of effective immigration control”, or “the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
Government’s positions is in bold. Open Rights Group’s response is in red.
Government’s Position: Extension of subjects rights requires the exemption in Schedule 2 Paragraph 4.
Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context.
Baroness Williams of Trafford, Day 3 of Committee
Open Rights Group Response: Subject access rights have expanded minimally, and proportionally. Schedule 2 Paragraph 4 is a disproportionate response.
The extension of data subject rights the Government are minimal, proportionate, and necessary. Schedule 2 Paragraph 4’s exemption is wide ranging and undermines the purpose of the Bill: Giving the public more control of their personal data.
The Data Protection Act 1998 requires data controllers to provide a description to data subjects:
– The personal data of which that individual is the data subject;
– The purposes for which they are being or are to be processed; and
– The recipients or classes of recipients to whom they are or may be disclosed
These same pieces of information are mirrored in the Data Protection Bill. Additional information in the Bill includes:
recipients to whom the personal data has been disclosed – which is vital for fairness in immigration processes; and
the period for which it is envisaged that the personal data will be stored, or the criteria used to determine that period.
Neither of these categories of information extend subject rights to the degree that removing fundamental rights to data protection could be considered a proportionate response.
Government’s Position: Schedule 2 Paragraph 4 does not remove data protection principles.
It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2.
Baroness Williams of Trafford, Day 3 of Committee
Open Rights Group Response: Yes. Schedule 2 Paragraph 4 emphatically does.
The listed GDPR provisions under paragraph 1 of schedule 2 are:
- Article 13 – Personal data collected from data subject: information to be provided
- Article 14 – Personal data collected other than from data subject: information to be provided
- Article 15 – Confirmation of processing, access to data and safeguards for third country transfers
- Article 16 – Right to rectification
- Article 17 – Right to erasure
- Article 18 – Restriction of processing
- Article 20 – Right to data portability
- Article 21 – Objections to processing
- Article 5 General principles insofar as they apply to the above. ( These could include ‘lawfulness, fairness, and transparency’; ‘ purpose limitation’ ; ‘data minimisation’; ‘accuracy’; ‘storage limitation’; ‘integrity and confidentiality’ ; ‘accountability’)
The only provision that survives this carve out is the right related to automated decision making. While this right is important, if you can’t access the information (access to data) then your ability to object to that processing is practically and essentially curtailed.
Government’s Position: There are specific examples where this exemption is needed.
suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action.
Baroness Williams of Trafford, Day 3 of Committee
Open Rights Group Response: This example is a criminal offence. There is an exemption in the Bill for that already.
This is not an example of this exemption being required, this is an example of a criminal offence which can already be exempted.
Suspected overstaying of a visa is a criminal offence. Data protection rights have always been exempt for the prevention or detection of crime.
Government’s Position: No really, there are loads of examples why this exemption is required.
…second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.
Baroness Williams of Trafford, Day 3 of Committee
Open Rights Group Response: You’ve described another criminal offence. See above
It is a criminal offence to provide false information on a document. If the Government suspects this they should rely on the exemption for the prevention or detection of crime. This exemption will have a direct effect on the transparency of administrative procedures, which should not be exempt from transparency and accountability. People making immigration claims are not criminals, nor are they attempting anything unlawful – they are merely trying to claim their right to remain in the UK. Three million EU citizens may need to assert these rights, and should not be treated as if they are criminals.
For further information please contact Jim Killock, Executive Director, Open Rights Group, jim@openrightsgroup.org