
Latest updates

8 March 2024 - We have updated this guidance to reflect a legislative amendment that came into force on 8 March 2024.

19 May 2023 - We have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

About this guidance

This guidance discusses the immigration exemption in detail. Read it if you have detailed questions not answered in the guide, or if you need a deeper understanding to help you apply this exemption in practice. It is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations.

If you haven’t yet read the ‘in brief’ page on the immigration exemption in the Guide to data protection, you should read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.

How should we use this guidance?

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.

In detail

What is the immigration exemption?

The immigration exemption can provide an exemption from some of people’s data protection rights, if those rights would be likely to prejudice:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities which would undermine the maintenance of effective immigration control.

The exemption can only be applied by the Secretary of State (including the Home Office and its agencies) to personal information handled for those immigration control purposes. 

It is not available to other controllers who liaise with the Home Office on immigration matters, such as employers, universities and the police.

The exemption was amended on 8 March 2024 in response to a Court of Appeal decision. The amendments introduce the following safeguards to the exemption. You must:

  • apply the exemption on a case-by-case basis;
  • make a separate decision about each right you restrict for someone;
  • make a new decision on each occasion that you consider restricting a person’s rights; 
  • take into account all the circumstances of the case including any potential vulnerability of the person, and the impact it will have on their rights and freedoms;
  • carry out the balancing test – you must ensure that the risk to immigration control is substantial and outweighs the risk to the person’s interests;
  • ensure your use of the exemption is necessary and proportionate;
  • record your decision to use the exemption and your reasons for using it; and
  • inform the person of the decision, unless doing so would prejudice immigration matters.

Example

A person seeking asylum in the UK has had their application refused. They make a request to the Home Office for all their personal information so that they can appeal against this decision. 

The Home Office is not investigating the person and can provide the information it holds without prejudice to its immigration control function. It does not hold any confidential intelligence which the person is unaware of and it has no reason to withhold any of the requested personal information. It must not use the exemption to frustrate a lawful appeal.

In these circumstances the exemption does not apply. The Home Office should therefore disclose the information it holds.

There are various immigration offences (eg overstaying leave to remain) and these are usually dealt with by the administrative removal of the offender rather than through the criminal justice process. Therefore the ‘crime and taxation’ exemption does not usually apply in circumstances where immigration control is involved. However the two exemptions cover similar considerations. The immigration exemption requires you to consider prejudice to the administrative functions concerning effective immigration control, rather than to the apprehension or prosecution of offenders. 

There is no assumption of criminal proceedings with the immigration exemption, although the section below considers what happens if an immigration investigation does become a criminal investigation.

Relevant provisions (the exemption)

Data Protection Act 2018 schedule 2, paragraph 4 

Data Protection Act 2018 (amendment of schedule 2 exemptions) Regulations 2022 

Data Protection Act 2018 (amendment of schedule 2 Exemptions) Regulations 2024

When can we use this exemption?

The immigration exemption applies to specific rights in the UK GDPR which can be restricted to the extent that giving effect to those rights would be likely to prejudice:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control.

The phrase “to the extent that” means that you must not apply the immigration exemption as a blanket exemption to restrict all of those rights for all the information you hold. Instead, the law is clear that you must decide whether the exemption applies in each instance:

  • on a case-by-case basis;
  • separately for each right claimed; and
  • afresh at the time of each decision.

The scope of the exemption is limited to those rights which, if exercised, would prejudice the identified immigration purposes. 

Your default position is to comply with the requirements of the UK GDPR and the DPA 2018 as far as possible. You must identify the specific reason for applying the exemption in each case. 

You must make a decision separately for each of the rights affected by the exemption. For example, just because you have determined that you can rely on the exemption to restrict someone’s right to be informed, that doesn’t mean you can assume that you can rely on the exemption to restrict their right of access. You must make these decisions separately, on a case-by-case basis, each time.

When making a decision about whether to apply the exemption, you must take into account all circumstances of the case, including:

  • any potential vulnerability of the person affected;
  • all the person’s rights and freedoms, including (but not limited to) their rights under the Human Rights Act 1998; and
  • any relevant duties or obligations of the UK, the Secretary of State or any other person, including—
      • the UK’s obligations under the Refugee Convention and the Trafficking Convention; 
      • any duty under section 55 of the Borders, Citizenship and Immigration Act 2009(b) (duty regarding the welfare of children); and 
      • the need to ensure compliance with the UK GDPR.

Many of the rights set out in the UK GDPR contain built-in restrictions or exceptions. You should rely on these more generic built-in restrictions rather than the immigration exemption, if they can achieve the same outcome. This is because the immigration exemption (along with the other exemptions set out in schedules 2-4 of the DPA 2018) is an exemption for a specific purpose. You can only use it if applying the usual provisions of the UK GDPR would cause a specific problem. 

You should therefore first consider the restrictions to a person’s rights as laid out in other relevant UK GDPR articles. For example, you should consider whether an objection to processing is valid under Article 21, or whether you should allow or refuse a request for information to be erased under Article 17. 

You should only use the immigration exemption if there are no viable alternatives.

Example

A person with leave to remain in the UK applies to the Home Office to have their personal information erased. 

The person is under investigation for an immigration offence, and the information in question is still necessary for the purpose it was originally collected for. This means that the Home Office can rely on article 17(3)(b) to refuse the request. This is because the right to erasure does not apply if information needs to be retained for:

  • compliance with a legal obligation which requires processing by domestic law to which the controller is subject; or 
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

In this case, the Home Office can refuse to comply with the request to erase the information without relying on the immigration exemption.

Relevant provisions in the UK GDPR

See UK GDPR article 17(3)(b)

Further reading

Individual rights

What is the prejudice test?

To rely on the immigration exemption, you must show that giving full effect to the right in question “would be likely to prejudice” immigration matters. You must show that:

  • giving full effect to the right would give rise to a substantial risk of prejudice to immigration matters;
  • this risk outweighs the risk of prejudice to the person’s interests that comes from applying the exemption; and
  • applying the exemption is necessary and proportionate to the risks in the particular case.

You must:

  • ensure there is a real and substantial chance of prejudice, rather than just a hypothetical or remote possibility that complying with the provision would noticeably damage the discharge of the function concerned;
  • ensure there is a causal link between compliance and the prejudice claimed and be able to show how exercising the specific right would be likely to lead to the prejudice; 
  • keep a record of your reasoning, and make this available to the ICO, if required;
  • not apply the exemption in a blanket fashion (the prejudice test has a high threshold). You must ensure it is both necessary and proportionate to apply the exemption and you must only apply it to specific rights where the likelihood of prejudice is present, rather than applying this across the board to all the rights; 
  • consider whether applying the exemption is a proportionate response. You may consider that there is a pressing social need to apply the immigration exemption, but you must also take into account whether this outweighs your obligation to people under the UK GDPR. They have rights over their information that you must consider in all circumstances, in particular, the right of access; and 
  • consider whether people’s rights over their information override the identified risk of prejudice. You must be proportionate in your application of the exemption in the circumstances and carefully consider and document each instance.

It is also important to note that prejudice changes over time. While you may withhold personal information during an ongoing investigation, disclosing this information is unlikely to present the same risk once you have completed the investigation.

Therefore, you should keep the immigration exemption under review. You must always consider the person’s current circumstances, and make a fresh decision each time you are considering applying the exemption. For example, you must not assume that if you have once refused to provide someone with all their personal information under this exemption, then your response will always remain the same. If they submit a new subject access request to you, you must assess whether circumstances have changed and whether providing the information would now prejudice the maintenance of effective immigration control. If not, you may be able to respond more fully to this new request.

Example

A person is suspected of overstaying their student visa in the UK. While an investigation is carried out, they make a request for all personal information held about them. 

The Home Office may withhold information which, if disclosed, will prejudice the investigation. This might include information which identifies any proposed actions against the person. 

However, the Home Office must not apply a blanket exemption. It could disclose any personal information relating to the person’s previous visa application and any other information it holds, unless it can show that the disclosure will be likely to impact the ongoing investigation or any expected actions arising from it. 

The person successfully extends their visa due to extenuating circumstances and is allowed to remain in the UK for another two years. They make another request for their personal information. 

The Home Office will have to carefully consider this. As there are no active proceedings against the person, the exemption will only continue to apply if there is any remaining prejudice to immigration controls. The Home Office must not use it simply because it applied previously. 

Although the immigration exemption may no longer apply in this context, other exemptions under schedule 2 of the DPA 2018 may be relevant.

Further reading

The prejudice test.

What rights does the immigration exemption apply to?

The exemption applies to the following rights:  

  • right to be informed;
  • right of access;
  • right to erasure;
  • right to restrict processing; and
  • right to object.

The exemption does not restrict other rights.

Example

A person being investigated for an immigration offence contacts the Home Office to request that their date of birth is rectified, as this is inaccurately reflected in their records. 

The right to rectification is not a right which is restricted under this exemption. The Home Office must therefore update their records and respond within the timeframe permitted.

Relevant provisions in the UK GDPR (the exempt provisions)

See UK GDPR articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 17(1)-(2), 18(1) and 21(1)

Further reading

Individual rights

How does the exemption affect people's right to be informed?

The right to be informed means that people have the right to be given certain privacy information about how you use their information. For example, your identity and contact details as controller, and your purposes for processing. This applies whether you obtain personal information from the person directly or from someone else. 

The provision of this privacy information also meets the transparency requirement of article 5(a). 

However, if you are investigating someone, you may not wish to tell them that you are processing their information for the purposes of immigration control. This would alert them to your investigation, and would be likely to prejudice the purpose of the processing. 

In these circumstances, you may apply the immigration exemption and restrict the person’s right to be informed. You do not have to provide privacy information if this is likely to prejudice the identified immigration purposes. 

As discussed above, the immigration exemption also provides an exemption from the data protection principles so far as their provisions correspond to the listed rights that people have. Therefore in these circumstances, it provides an exemption from the transparency requirement of article 5(a) to the extent that this corresponds with the right to be informed. 

However, although you may therefore be exempt from providing privacy information to the person you are investigating, you must still comply with the other requirements of article 5(a) and identify a lawful basis for processing. This lawfulness part of article 5(a) does not affect (or correspond to) any of the rights listed above and so you are not exempt from this particular obligation.

Relevant provisions in the UK GDPR

See UK GDPR articles 5, 13 and 14 and recitals 39, 60 and 61

Further reading

Right to be informed

How does the exemption affect people's right of access?

A person may make a subject access request to you in order to obtain a copy of the information you hold about them. You must consider the circumstances of each case. You must only apply the exemption if you decide that providing them with all their information would be likely to prejudice effective immigration control. 

You may not wish to provide a copy of all the information you hold, if: 

  • this would prejudice a current investigation into that person’s immigration status; or 
  • would otherwise prejudice the maintenance of effective immigration controls; and 
  • this is a significant risk to the person’s rights and interests. 

However, you may be able to provide some information in response to the request, if this does not prejudice your investigation.

Example

A person who has been refused entry to the UK at an airport e-Passport gate makes a subject access request to the Home Office, asking for information about why their entry was refused.

Providing them with this information would involve disclosing details about the technical operation of the e-Passport gates. If this was made public, this could have a detrimental effect on border control, potentially enabling attempts to undermine the system.

In this case, the Home Office may legitimately rely on the immigration exemption as a reason to refuse to disclose the requested information.

Relevant provisions in the UK GDPR

See UK GDPR article 15 and recitals 63 and 64

Further reading

Right of access

Do we need to inform people that we have applied the immigration exemption?

You must keep a record of the decision to apply the immigration exemption, and your reasoning, each time you apply it. You must inform people that you have applied the immigration exemption, unless revealing this would itself be prejudicial to effective immigration control. See ‘What is the prejudice test?’ for guidance on how to assess whether informing someone that you have used the immigration exemption would be prejudicial to immigration control.

What happens if an immigration investigation becomes a criminal investigation?

You must comply with part 3 of the DPA 2018, rather than the UK GDPR regime, if:

  • the investigation of an immigration offence develops into a criminal investigation; and 
  • you are a competent authority processing personal information for the purposes of law enforcement. 

Part 3 has its own requirements about when you can restrict people’s rights.

Example

The Home Office is investigating a person for an immigration offence. Investigations show that they were involved in trafficking people into forced labour in the UK. The Home Office now has to investigate under part 3 of the DPA 2018 as a criminal offence.

Should they choose to exercise any of their information rights, the Home Office must consider these under the requirements of part 3 of the DPA 2018 and apply restrictions accordingly. 

Relevant provisions in the DPA 2018 

See DPA 2018, part 3, sections 45, 47 and 48