The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

About this guidance

This guidance discusses the immigration exemption in detail. Read it if you have detailed questions not answered in the guide, or if you need a deeper understanding to help you apply this exemption in practice. It is aimed at DPOs and those with specific data protection responsibilities in larger organisations.

If you haven’t yet read the ‘in brief’ page on the immigration exemption in the Guide to Data Protection, you should read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.

In detail

What is the immigration exemption?

The immigration exemption is divided into two parts.

The first part of the exemption applies to controllers who process data for the purposes of:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control.

It outlines specific rights in the GDPR which can be restricted if those rights would be likely to prejudice these immigration matters.

The second part of the exemption applies when you have not collected personal data specifically for immigration, but wish to pass information to another controller who is responsible for such processing (eg the Home Office). Under this part of the exemption, you may also restrict certain GDPR rights if they would be likely to prejudice the above immigration purposes.

The exemption is in Schedule 2 Part 1 Paragraph 4 of the Data Protection Act 2018.

In the UK, the right to appeal is an integral part of immigration control. Individuals have the right to have their immigration applications reviewed and to submit an appeal against an asylum decision or a deportation order.

You should ensure that you are not undermining this review and appeals system process by using this exemption. For example, by refusing an individual access to their personal data.

You should only restrict the exercising of a data subject’s rights if the exemption applies and there is a valid reason to apply it. You should use this exemption with considerable care and discretion, and should not use it to undermine the immigration control process.

Your application of the exemption must be proportionate to the circumstances and you must carefully consider and document each instance. You should not apply the immigration exemption as a blanket restriction on the data protection rights of individuals, such as migrants or people who have overstayed their permission to remain. You should only apply it, if required, when the exercise of those rights is likely to cause prejudice to effective immigration control. You must apply the exemption on a case by case basis.

Example

An individual seeking asylum in the UK has had their application refused. They make a request to the Home Office for all their personal data so that they can appeal against this decision.

The Home Office is not investigating the individual and can provide the personal data it holds without prejudice to its immigration control function. It does not hold any confidential intelligence which the individual is unaware of and it has no reason to withhold any of the requested personal data. It must not use the exemption to frustrate a lawful appeal.

In these circumstances the exemption does not apply and should not be used. The Home Office should therefore disclose the information it holds.

There are various immigration offences (eg overstaying leave to remain) and these are usually dealt with by the administrative removal of the offender rather than through the criminal justice process. Therefore the ‘crime and taxation’ exemption does not usually apply in circumstances where immigration control is concerned. However the two exemptions involve similar considerations. Instead of considering prejudice to the apprehension or prosecution of offenders, the immigration exemption requires you to consider prejudice to the administrative functions concerning effective immigration control.

There is no assumption of criminal proceedings with the immigration exemption, although the section below considers what happens if an immigration investigation does become a criminal investigation.

In the majority of cases the Home Office, or one of its agencies and contractors, will be the controller applying this exemption. However, it is important to note that the application of this exemption is not just limited to the Home Office. It may also be relevant to other controllers such as employers, universities and the police, who liaise with the Home Office on immigration matters.

When should this exemption be used?

The immigration exemption applies to specific rights in the GDPR which can be restricted to the extent that giving effect to those rights would be likely to prejudice:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control.

The phrase ‘to the extent that’ means that if an individual wishes to exercise one of their personal data rights, you should not apply the immigration exemption as a blanket exemption to restrict those rights for all the data you hold.

The scope of the exemption is limited to those rights which, if exercised for the data held, would prejudice the identified immigration purposes. The exemption therefore only applies when the exercise of the specific right results in the processing of personal data which would be likely to prejudice the identified function.

Therefore the default position of the controller should be to comply with the requirements of the GDPR and the DPA as far as possible. It highlights the importance of identifying the specific reason for applying the exemption in each case.

Other GDPR articles contain restrictions to the data protection rights listed under the immigration provision. The expectation is that you should rely on these more generic restrictions in preference to the immigration exemption, if they can achieve the same outcome. This is because the immigration exemption is an exemption for a specific purpose.

You should therefore first consider the restrictions to an individual’s rights as laid out in other relevant GDPR articles. For example, you should consider whether an objection to processing is valid under Article 21, or whether you should allow or refuse an individual exercising their right under Article 17.

You should only use the immigration exemption in circumstances where there are no viable alternatives.

For further information on the individual’s data protection rights see our GDPR guidance Individual rights.

Example

An individual with Leave to Remain in the UK applies to the Home Office to have their personal data erased. The individual is under investigation for an immigration offence.

The personal data held is still necessary for the purpose it was originally collected for, and the Home Office can rely on Article 17(3)(b) to refuse the request. This is because the right to erasure does not apply if personal data needs to be retained for:

  • compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject; or
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In this case, the restriction of the individual’s rights is accomplished without relying on the immigration exemption.

What is the prejudice test?

The DPA does not explain what is meant by ‘would be likely to prejudice’. However, the ICO’s view is there needs to be a substantial chance (rather than a mere risk) that complying with the request would noticeably damage the discharge of the function concerned.

There should be a causal link between the exercise of the data subject’s right and the prejudice claimed, and you must be able to show how the exercising of a specific right would be likely to lead to the prejudice. You must make this reasoning available to the ICO if required. ‘Would be likely’ means that there must be a real and substantial chance of prejudice, rather than just a hypothetical or remote possibility.

The prejudice test has a high threshold and you should not apply the exemption in a blanket fashion. It must be both necessary and proportionate, and you must only apply it to specific rights where the likelihood of prejudice is present, rather than applying this across the board to all the rights.

You must consider whether the application of the exemption is a proportionate response to the individual’s data protection request. You may consider that there is a pressing social need to apply the immigration exemption, but you must also take into account whether this outweighs your obligation to individuals under the GDPR. They have rights over their personal data which you must consider in all circumstances, in particular, the right of access.

It is therefore important in every case that you consider whether the data protection rights of the individual override the identified risk of prejudice. Your application of the exemption must be proportionate to the circumstances and you must carefully consider and document each instance.

It is also important to note that prejudice changes over time. While personal data may be withheld during an ongoing investigation, disclosure of this information is unlikely to present the same risk afterwards.

Therefore, you should keep the immigration exemption under review and not apply it on a permanent basis. You should always consider an individual’s current circumstances. For example, you should not assume that if you have once refused to provide them with all their personal data under this exemption, then your response will always remain the same. Should they submit a new subject access request to you, you should assess whether circumstances have changed and whether providing the data would now prejudice the maintenance of effective immigration control. If not, you may be able to respond more fully to this new request.

Example

An individual is suspected of overstaying their student visa in the UK. While an investigation is carried out, they make a request for all personal data held about them.

The Home Office may withhold information which, if disclosed, will prejudice the investigation. This might include information which identifies any proposed actions against the individual.

However the Home Office should not apply a blanket exemption. It could disclose any personal data relating to the individual’s previous visa application and any other information it holds, unless it can show that the disclosure will be likely to impact on the ongoing investigation or any expected actions arising from it.

The individual successfully extends their visa due to extenuating circumstances and is allowed to remain in the UK for another two years. They make another request for their personal data.

The Home Office will have to carefully consider this. As there are no active proceedings against the individual, the exemption will only continue to be available if there is any remaining prejudice to immigration controls, and the Home Office should not use it simply because it applied previously.

Although the immigration exemption may no longer apply in this context, other exemptions under Schedule 2 of the DPA may be relevant.

More information is available in our detailed freedom of information guidance The prejudice test.

What rights does the immigration exemption apply to?

The exemption applies to the following rights:

  • right to be informed;
  • right of access;
  • right to erasure;
  • right to restrict processing; and
  • right to object.

The exemption does not restrict other data subject rights. More information is available in our GDPR guidance on Individual rights.

Example

An individual being investigated for an immigration offence contacts the Home Office to request that their date of birth is rectified, as this is inaccurately reflected in their records.

The right to rectification is not a right which is restricted under this exemption. The Home Office must therefore update their records and respond to the individual within the time frame permitted.

How does the exemption affect the individual’s right to be informed?

The right to be informed means that the data subject has the right to be given certain privacy information about the processing of their data. This includes for example, the purposes of the processing and the identity and contact details of the controller. This applies whether you obtain personal data from the individual or from someone else.

The provision of this privacy information also meets the transparency requirement of Article 5(a).

However, if you are investigating an individual, you may not wish to tell them that you are processing their personal data for the purposes of immigration control. This would alert them to your investigation, and would be likely to prejudice the purpose of the processing.

In these circumstances, you may apply the immigration exemption and restrict the individual’s right to be informed. You do not have to provide privacy information if this is likely to prejudice the identified immigration purposes.

As discussed above, the immigration exemption also provides an exemption from the data protection principles so far as their provisions correspond to the listed data subject rights. Therefore in these circumstances, it provides an exemption from the transparency requirement of Article 5(a) to the extent that this corresponds with the right to be informed.

However, although you may therefore be exempt from providing privacy information to the individual you are investigating, you still have to comply with the other requirements of Article 5(a) and identify a lawful basis for processing. This lawfulness part of Article 5(a) does not affect (or correspond to) any of the rights listed above and so you are not exempt from this particular obligation.

More information is available in our GDPR guidance Right to be informed.

How does the exemption affect the individual’s right of access?

An individual may make a subject access request to you, in order to obtain a copy of the data you hold about them. You must consider the circumstances of each case and may apply the exemption only if you consider that to comply with the right of access would be likely to prejudice effective immigration control.

You may not wish to provide a copy of all the personal data you hold, if this would prejudice a current investigation into that individual’s immigration status, or would otherwise prejudice the maintenance of effective immigration controls. However, you may be able to provide some personal data in response to the request, if this does not prejudice your investigation.

More information is available in our GDPR guidance Right of access.

Example

An individual who has been refused entry to the UK at an airport e-Passport gate makes a Subject Access Request to the Home Office, asking for information about why their entry was refused.

Providing the individual with this information would involve disclosing details about the technical operation of the e-Passport gates, which if made public, could have a detrimental effect on border control, potentially enabling attempts to undermine the system.

In this case, the Home Office may legitimately rely on the immigration exemption as a reason to refuse to disclose the requested information.

 

Example

An individual seeking asylum in the UK has had their application refused. They make a request to the Home Office for all their personal data so that they can appeal against this decision.

The Home Office is investigating them for the use of identification which does not belong to them and it would prejudice the investigation to provide them with the personal data relating to this investigation.

The Home Office therefore may apply this exemption in order to restrict the individual’s right of access. However it should provide as much data as it can, if this does not prejudice the investigation.

What happens if an immigration investigation becomes a criminal investigation?

If the investigation of an immigration offence develops into a criminal investigation, and if you are a competent authority processing personal data for the purposes of law enforcement, you should undertake processing under Part 3 of the DPA, rather than under the GDPR regime. Personal data has to be handled according to the requirements laid out in Part 3, which has its own restrictions about the rights of individuals. More information is available in our guide to law enforcement processing.

Example

The Home Office is investigating an individual for an immigration offence. Investigations show that they were involved in the trafficking of individuals into forced labour in the UK. The Home Office now has to investigate under Part 3 of the DPA as a criminal offence.

Should the individual choose to exercise any of their data protection rights, the Home Office will have to consider these under the requirements of Part 3 of the DPA and apply restrictions accordingly.

How does the exemption work if a controller did not collect personal data specifically for the purposes of immigration control but has passed it on to another controller?

If a controller (controller 1) has not collected personal data specifically for the purposes of immigration control, it still may wish to pass information to another controller (controller 2) for the purposes of:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control.

The immigration exemption allows both controllers to restrict certain GDPR rights if they are likely to prejudice the above immigration purposes.

Controller 1 and controller 2 are exempt from the obligations in the following provisions of the GDPR, when the processing is for the purposes of the immigration exemption:

  • right to be informed; and
  • right of access.

The exemption also applies to the data protection principles of Article 5 so far as those provisions correspond to the data subject rights mentioned above.

The right of access

In these circumstances, both controllers are exempt from their obligations to respond to an individual exercising their right of access to the same extent – that is, if it would be likely to prejudice controller 2’s purposes for processing, for effective immigration control.

Therefore, should an individual make a subject access request to either controller for a copy of their personal data, both must comply with this request as far as possible, but neither has to provide personal data which would prejudice or undermine controller 2’s effective immigration control purposes.

More information is available in our GDPR guidance Right of access.

The right to be informed

In these circumstances, neither controller is obliged to inform the individual that their personal data has been passed from one to another, to the extent that to do so would prejudice or undermine the purposes identified by the exemption.

Both controllers are exempt from the transparency part of Article 5(a), in so far as this part of the principle corresponds to the right to be informed.

More information is available in our GDPR guidance Right to be informed.

Example

A private organisation (controller 1) alerts the Home Office (controller 2) to an employee who is believed to have submitted false documents to evidence their identity and qualifications to obtain a job. The employer provides the Home Office with the relevant information.

The right of the individual to be informed that their personal data has been passed to the Home Office is restricted in so far as giving effect to it would be likely to prejudice the investigation.

The employer is therefore under no obligation to inform the individual that their information has been passed to the Home Office, and in turn the Home Office is under no obligation to provide the individual with a privacy notice informing them that it is now processing their personal data. The exemption applies to both controllers to the same extent.

However, the employee requests a copy of their personal data from the Home Office which is now investigating them.

The Home Office may rely on the exemption to withhold part of their data if the disclosure would be likely to prejudice the investigation.

Should the employee make a similar request to their employer, they would also be able to apply the exemption to the same extent.