The Immigration Exemption and the GDPR
The Court of Appeal hearing on the challenge to the controversial Immigration Exemption reportedly took place on 23 February. The Immigration Exemption disapplies certain data protection rights where the processing is for immigration purposes. Healthcare providers may rely on the exemption when they receive requests from the Home Office for information concerning patients that are the subject of immigration proceedings or investigation.
It has been suggested that individuals who are the subject of immigration proceedings may avoid seeking medical attention for fear of their details being passed to the Home Office. The issue is likely to have been exacerbated as a result of the COVID-19 pandemic. Conversely, the UK Government justifies the exemption on the basis that it prevents illegal immigrants from learning that they are to be deported and absconding. Healthcare providers that receive such requests from the Home Office are required to balance this with their duty of care to their patients, whether they are UK citizens or immigrants. The Court of Appeal's decision will have significant implications for healthcare providers that receive information requests about patients from the Home Office.
UK healthcare providers must handle personal data in accordance with the UK GDPR, a modified version of the EU General Data Protection Regulation ('GDPR'), which took effect on January 1, 2021. The UK GDPR is supplemented by the Data Protection Act 2018 ('DPA') as amended. The legislation is enforced by the Information Commissioner, acting through her office, the Information Commissioner's Office (ICO). The ICO issues guidance on the application of the law and investigates breaches. It has a range of enforcement powers, including the ability to levy fines of up to 4% of an organisation's worldwide annual turnover, or £17.5 million, whichever is greater.
Healthcare providers have frequently found themselves the subject of ICO enforcement action, as they handle large volumes of personal data relating to patients' health, which is one of the 'special categories of personal data'. The special categories of personal data require a higher standard of care. Organisations that fail to handle health data to an appropriate standard face a greater risk of enforcement action by the ICO, given the inherent sensitivity of the information.
The UK GDPR confers a number of rights on individuals (such as patients) including a right to be told how organisations (for instance, a GP's surgery) will process their personal data. This is known as the right to transparency. The UK GDPR also grants individuals a right of access to the personal data held about them by organisations, such as employers, public authorities and healthcare providers. In certain circumstances, the GDPR grants individuals a right to have their personal data erased (the 'right to be forgotten'). Data subjects also have rights to restrict the ways in which their personal data may be processed and a right to object to such processing. These data subjects' rights are fundamental to the GDPR and are intended to give individuals choice and control over how their personal data are processed.
The GDPR also sets out a number of principles by which organisations must abide when they handle personal data. These principles require organisations to handle personal data in accordance with a number of standards. In particular, organisations may only handle personal data in a manner that is lawful, fair and transparent. In practice, this means that organisations must establish a lawful basis for processing, one of which is consent, but there are others. In lay terms, any activity that the affected individual is likely to find 'sneaky, creepy or dishonest' may be in breach of the principles.
The immigration exemption
The immigration exemption is found in Schedule 2 of the DPA. There are two parts to the exemption. The first part applies to organisations that process personal data for the purposes of maintaining effective immigration control, which includes investigation and detection ('the immigration purposes'). For instance, the Home Office, its agencies and contractors are organisations that process personal data for immigration purposes and frequently rely on the first part of the exemption.
The second part of the exemption applies to organisations that handle personal data for purposes unrelated to immigration, but which receive requests for personal data from another organisation. The second (requesting) organisation is responsible for processing personal data for the immigration purposes. This part of the exemption could potentially apply to a healthcare provider such as a GP's surgery that receives a request from the Home Office for information about a particular patient.
The immigration exemption relieves organisations from the obligation to comply with data subjects' requests to exercise their rights in relation to the way in which their personal data are processed. For instance, a healthcare provider that receives a request from the Home Office may be able to rely on the exemption to avoid having to give the patient access to their personal data.
However, the exemption only applies to the extent that complying with a request is likely to prejudice the immigration purposes and only for the duration that the purposes may be prejudiced. The ICO provides extensive guidance on the exemption and makes it clear that it may not be used on a blanket or indefinite basis. In practice, organisations such as healthcare providers may only be able to rely on the exemption in relation to specific, limited personal data and only for a limited period.
Why is this news?
In 2019, digital campaigning organisation Open Rights Group and the3million, which represents EU citizens living in the UK, challenged the immigration exemption in the High Court. The challenge asserted that the immigration exemption was contrary to the GDPR and incompatible with the rights to privacy and to the protection of personal data. The rights to privacy and to the protection of personal data are granted under the Charter of Fundamental Rights of the European Union. However, the UK Government claims that the immigration exemption is justified on the grounds that it avoids data subjects being 'tipped off' about a potential immigration exemption or enforcement action and absconding. The High Court found in favour of the UK Government, ruling that the immigration exemption was not illegal, and observed that the ICO has published extensive guidance on the application of the exemption. The Open Rights Group and the3million appealed the High Court decision, with a judgment on this pending.
The immigration exemption only applies to the extent that complying with a data subject's request would be likely to prejudice the immigration purposes. Otherwise, organisations must comply with the remainder of the request. In practice, this may be complex and a challenge for healthcare providers. If they fail to properly apply the exemption, not only do they risk intervention from the ICO, but they may be putting patients at risk by denying them their data protection rights.
However, healthcare providers should have this in hand at least to some extent. The UK GDPR requires organisations to appoint a data protection officer (DPO) if their core activities consist of large-scale processing of special categories of personal data. Since healthcare providers will inevitably handle a large volume of personal data relating to patients' health (one of the special categories), many will have already appointed a DPO. The DPO must be an expert in data protection law and practice, so they should understand the application of the immigration exemption. Nonetheless, this is a complex area which may prove challenging. Healthcare providers that are concerned about managing this risk should speak to their DPO as a first port of call, and watch this space for the Court of Appeal decision.