GDPR deadline looms: Are your immigration data processes compliant?

Most employers will be aware of the upcoming introduction of the General Data Protection Regulation, or GDPR. But how can they be sure the way they collect and store information for immigration purposes will be compliant? Immigration lawyer Jessica Pattinson, from Dentons, explores the key risk areas.

Not surprisingly, immigration processes necessitate the collection and processing of considerable personal data by an employer and, in many situations, one or more third parties such as legal advisers.

The introduction of the General Data Protection Regulation (GDPR) presents a huge challenge for employers in many data processing scenarios.

And with the deadline (25 May 2018) fast approaching, there is a chance that certain types of personal data processing will not be captured in your thinking, and will therefore create a risk of a breach.

For many employers, immigration is a niche activity that changes constantly and is therefore difficult to fully understand and account for with internal policies and processes.

However, given the sensitive nature of data collected and processed, and the multiple parties often involved in this, now is the time to look at key immigration activities and ensure that they are GDPR compliant.

Here are three scenarios that illustrate the wide range of immigration data points to be accounted for in preparing for GDPR.

Resident labour market test

The resident labour market test (RLMT) is conducted as part of a Tier 2 General (new hire work permit) application to justify the recruitment of a non-UK/EU individual, ahead of a UK/EU individual.

The employer generally needs to place two adverts on two websites for 28 days each, and then assess applications against the skills, education and experience described in the advert.

If there are no suitably qualified candidates from the UK/EU, then a non-UK/EU individual can be offered the role and be sponsored under Tier 2 General.

Documentation, including job applications, CVs and interview notes need to be retained for up to seven years in the event that the Home Office conducts a compliance audit.

Now imagine you were one of the candidates who applied for that role. You were interviewed for the job but ultimately were unsuccessful. It would be reasonable to expect that your details would be retained for a reasonable period, for example six months, to allow the employer to defend any challenges arising from the appointment.

However, most candidates would be surprised to learn that their personal information would be stored for up to seven years and shared with legal advisers and the Home Office as part of the immigration process for the successful candidate.

While employers may be able to argue that retaining the information is a legal obligation, the Home Office document that describes document retention is not technically part of the immigration rules. Rather, it is a policy document and therefore it may be open to interpretation whether it is a legal obligation or not.

As such, employers may instead have to rely upon "legitimate interests" as the appropriate legal basis to retain such information. This of course requires a proper assessment to ensure those interests are not outweighed by risk of prejudice to individuals.

What steps do employers need to take to ensure that their RLMT processes are GDPR-compliant?

  1. Ensure your privacy notice for recruitment purposes makes clear the possibility of personal data being processed and retained for the purpose of immigration requirements, specifically the RLMT for Tier 2 General, including the sharing of that data with legal advisers and the Home Office, and the length of time data may be stored.
  2. Minimise personal data where possible. The personal data that must be retained on file, as per the relevant Home Office policy document, relates only to applications shortlisted for final interview - rather than all candidates who responded to the advert. Likewise, do not ask for personal data that is not strictly required at this stage of the process, for example, copies of passports, immigration documents and evidence of qualifications and experience.
  3. Redact and anonymise personal data. A further way to minimise the personal data you hold is to redact information that is not relevant to the information you need to retain, such as contact details, interests and hobbies.

There may also be a case for the Home Office to recommend that names should also be redacted to avoid personal data being retained for such a prolonged period.

Right to work checks

Employers must conduct right to work checks on any new employee. While it is easy to assume that this is covered by a "legal obligation" that is not actually the case.

A right to work check is done to establish a statutory excuse against a civil penalty - that is, to avoid a fine should the employee be found to be working illegally. It is not a legal requirement to perform a right to work check and there are no penalties for failing to perform a right to work check where the employee is working legally.

Therefore, the retention and processing of data relating to immigration status would be categorised under "legitimate interests" and this processing should be covered in a privacy notice.

Immigration enquiries and opinions

Throughout the course of employment an employee can expect that their employer may need to consult with legal advisers and other professionals on a range of matters, including immigration, and in doing so may need to share personal data.

This should of course be covered in the section within the privacy notice dealing with disclosures to third parties.

However, what if as part of these enquiries it is necessary to transfer data outside the European Economic Area (EEA)? For example, where the organisation is looking to transfer an employee to the US and would like a US-based immigration lawyer to assess eligibility.

Transfers of personal data outside the EEA need to be addressed within privacy notices. Also, any such transfers of personal data should only take place where steps are taken to ensure adequate protection for that personal data in the recipient country (this is also the existing position under the Data Protection Act 1998).

With less than three months to go until GDPR goes live, now is the time to understand the data points in your immigration processes and ensure they are GDPR compliant.