In May 2021 the Court of Appeal held, in R v Secretary of State for the Home Department [2021] EWCA Civ 800, that the Immigration Exemption under paragraph 4 of Schedule 2 to the Data Protection Act 2018, which disapplies some data protection rights where their application would be likely to prejudice immigration control, did not fully comply with Article 23(2) of the UK GDPR. The Court of Appeal suspended its order until 31 January 2022 in order to provide reasonable time for the 2018 Act to be amended to remedy the incompatibility.

The Government has now published legislation amending the Immigration Exemption to include all the relevant safeguards set out in article 23(2) UK GDPR.

Article 23(2)(d) of the UK GDPR states that where relevant, there shall be provisions for safeguards to prevent abuse or unlawful access or transfer of personal data. The new Regulations will introduce additional safeguards mandating that the Secretary of State must have an Immigration Exemption Policy Document (IEPD) in place before the exemption is relied upon and that the Secretary of State must have regard to the IEPD when applying the exemption. The new Regulations also include a requirement to keep a record of the Immigration Exemption being applied and a requirement that the data subject be informed of its application. The IEPD will be published and any subsequent updates to it in a manner that the Secretary of State considers appropriate. The Government notes that, in other parts of the 2018 Act and the UK GDPR, there are requirements for policy documents to be in place. The new Regulations will provide similar requirements for the Immigration Exemption.

Article 23(2)(e) of the UK GDPR states that where relevant there shall be provisions as to the specification of the controller or categories of controllers. The current drafting of the Immigration Exemption does not expressly specify the controller or categories of controllers who can use it but provides that it may only be used for the purposes set out in paragraph 4(1) of Schedule 2. Therefore, the Government says that it is unlikely that anyone outside the workings of the immigration system, such as a private landlord, would meet the legislative requirements to rely on the Immigration Exemption. To provide greater clarity on this point, the new Regulations will specify that only the Secretary of State can rely on the Immigration Exemption and remove paragraphs 4(3) and 4(4) of the 2018 Act, which currently envisage more than one potential controller.

Article 23(2)(h) of the UK GDPR states that where relevant, there shall be provisions for the right of data subjects to be informed about the restriction, unless that is prejudicial to the purpose of the restriction. The new Regulations will amend the Immigration Exemption to insert new paragraph 4B, which provides that the controller will have to inform the data subject that the exemption has been relied upon unless to do so would be prejudicial to the purpose of the restriction in compliance with Article 23(2)(h).

To access the draft legislation, which to comply with the Court of Appeal’s order must come into force before 31 January 2022, click here.