The ICO exists to empower you through information.

Latest updates

19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

About this guidance

This guidance discusses the immigration exemption in detail. Read it if you have detailed questions not answered in the guide, or if you need a deeper understanding to help you apply this exemption in practice. It is aimed at DPOs and those with specific data protection responsibilities in larger organisations.

If you haven’t yet read the ‘in brief’ page on the immigration exemption in the Guide to Data Protection, you should read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.

In detail

What is the immigration exemption?

The exemption outlines specific rights in the UK GDPR which can be restricted if those rights would be likely to prejudice immigration matters.

The exemption can only be applied by the Secretary of State (including the Home Office and its agencies) who processes data for the purposes of:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control.

It is not available to other controllers, such as employers, universities and the police, who liaise with the Home Office on immigration matters.

It also requires that the Secretary of State has an immigration exemption policy document in place.

The exemption is set out in Schedule 2 Part 1 Paragraph 4 of the Data Protection Act 2018, and has been amended by The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022. The amendments came into force on 31 January 2022 in response to a court judgment. The amendments introduce further safeguards to the exemption including limiting its use to the Secretary of State, requiring an immigration exemption policy document, and a requirement to keep records and inform individuals that the exemption has been used.

In the UK, the right to appeal is an integral part of immigration control. Individuals have the right to have their immigration applications reviewed and to submit an appeal against an asylum decision or a deportation order.

You should ensure that you are not undermining this review and appeals system process by using this exemption. For example, by refusing an individual access to their personal data.

You should only restrict the exercising of a data subject’s rights if the exemption applies and there is a valid reason to apply it. 

Your application of the exemption must be proportionate to the circumstances and you must carefully consider and document each instance. You should not apply the immigration exemption as a blanket restriction on the data protection rights of individuals, such as migrants or people who have overstayed their permission to remain. You should only apply it, if required, when the exercise of those rights is likely to cause prejudice to effective immigration control. You must apply the exemption on a case by case basis. You must have regard to your immigration exemption policy document when deciding if the exemption applies.

Example

An individual seeking asylum in the UK has had their application refused. They make a request to the Home Office for all their personal data so that they can appeal against this decision.

The Home Office is not investigating the individual and can provide the personal data it holds without prejudice to its immigration control function. It does not hold any confidential intelligence (a factor listed for consideration in its immigration exemption policy document) which the individual is unaware of and it has no reason to withhold any of the requested personal data. It must not use the exemption to frustrate a lawful appeal.

In these circumstances the exemption does not apply and should not be used. The Home Office should therefore disclose the information it holds.

There are various immigration offences (eg overstaying leave to remain) and these are usually dealt with by the administrative removal of the offender rather than through the criminal justice process. Therefore the ‘crime and taxation’ exemption does not usually apply in circumstances where immigration control is concerned. However the two exemptions involve similar considerations. Instead of considering prejudice to the apprehension or prosecution of offenders, the immigration exemption requires you to consider prejudice to the administrative functions concerning effective immigration control.

There is no assumption of criminal proceedings with the immigration exemption, although the section below considers what happens if an immigration investigation does become a criminal investigation.

As noted above, this exemption is only available to the Secretary of State, which includes the Home Office and its agencies, who are engaged in immigration control.

When should this exemption be used?

The immigration exemption applies to specific rights in the UK GDPR which can be restricted to the extent that giving effect to those rights would be likely to prejudice:

  • the maintenance of effective immigration control; or
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control.

The phrase ‘to the extent that’ means that you should not apply the immigration exemption as a blanket exemption to restrict all of those rights for all the data you hold. Instead, you need to consider the application of the exemption on a case by case basis, taking into account your immigration exemption policy document.

The scope of the exemption is limited to those rights which, if exercised for the data held, would prejudice the identified immigration purposes. The exemption therefore only applies when the exercise of the specific right results in the processing of personal data which would be likely to prejudice the identified function.

Therefore the default position of the controller should be to comply with the requirements of the UK GDPR and the DPA 2018 as far as possible. It highlights the importance of identifying the specific reason for applying the exemption in each case.

Many of the rights set out in the UK GDPR contain built-in restrictions or exceptions. The expectation is that you should rely on these more generic built-in restrictions in preference to the immigration exemption, if they can achieve the same outcome. This is because the immigration exemption (along with the other exemptions set out in Schedules 2-4 of the DPA 2018) is an exemption for a specific purpose, and can only be used if applying the usual provisions of the UK GDPR would cause a specific problem.

You should therefore first consider the restrictions to an individual’s rights as laid out in other relevant UK GDPR articles. For example, you should consider whether an objection to processing is valid under Article 21, or whether you should allow or refuse an individual exercising their right under Article 17.

You should only use the immigration exemption in circumstances where there are no viable alternatives.

For further information on the individual’s data protection rights see our UK GDPR guidance Individual rights.

Example

An individual with Leave to Remain in the UK applies to the Home Office to have their personal data erased. The individual is under investigation for an immigration offence.

The personal data held is still necessary for the purpose it was originally collected for, and the Home Office can rely on Article 17(3)(b) to refuse the request. This is because the right to erasure does not apply if personal data needs to be retained for:

  • compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject; or
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In this case, the restriction of the individual’s rights is accomplished without relying on the immigration exemption.

What is an immigration exemption policy document?

In order to be able to apply the exemption, the Secretary of State must have an immigration exemption policy document in place.

The immigration exemption policy document must explain the policies and processes the Secretary of State (including the Home Office and its agencies) will use to decide how compliance with a provision under the UK GDPR would be likely to prejudice the carrying out of effective immigration control. For example, it should describe the factors the organisation will consider when making the decision in each case.

The document must also explain the policies in place to make sure that the use of the immigration exemption does not allow personal data to be abused, accessed, or transferred in a manner that does not comply with the UK GDPR.

When considering whether the immigration exemption applies, the Secretary of State must have regard to the immigration exemption policy document.

The Secretary of State must also:

  • review the immigration exemption policy document and (if necessary) update it from time to time; and
  • publish it.

What is the prejudice test?

The DPA 2018 does not explain what is meant by ‘would be likely to prejudice’. However, the ICO’s view is there must be a real and substantial chance of prejudice, rather than just a hypothetical or remote possibility that complying with the provision would noticeably damage the discharge of the function concerned.

There should be a causal link between compliance and the prejudice claimed, and you must be able to show how the exercising of a specific right would be likely to lead to the prejudice. In reaching a decision on this, you should take into account the immigration exemption policy document. You must make this reasoning available to the ICO if required.

The prejudice test has a high threshold and you should not apply the exemption in a blanket fashion. It must be both necessary and proportionate to apply the exemption and you must only apply it to specific rights where the likelihood of prejudice is present, rather than applying this across the board to all the rights.

You must consider whether the application of the exemption is a proportionate response. You may consider that there is a pressing social need to apply the immigration exemption, but you must also take into account whether this outweighs your obligation to individuals under the UK GDPR. They have rights over their personal data which you must consider in all circumstances, in particular, the right of access.

It is therefore important in every case that you consider whether the data protection rights of the individual override the identified risk of prejudice. Your application of the exemption must be proportionate to the circumstances and you must carefully consider and document each instance.

It is also important to note that prejudice changes over time. While personal data may be withheld during an ongoing investigation, disclosure of this information is unlikely to present the same risk afterwards.

Therefore, you should keep the immigration exemption under review. You should always consider an individual’s current circumstances. For example, you should not assume that if you have once refused to provide a data subject with all their personal data under this exemption, then your response will always remain the same. Should they submit a new subject access request to you, you should assess whether circumstances have changed and whether providing the data would now prejudice the maintenance of effective immigration control. If not, you may be able to respond more fully to this new request.

Example

An individual is suspected of overstaying their student visa in the UK. While an investigation is carried out, they make a request for all personal data held about them.

The Home Office may withhold information which, if disclosed, will prejudice the investigation. This might include information which identifies any proposed actions against the individual.

However the Home Office should not apply a blanket exemption. It could disclose any personal data relating to the individual’s previous visa application and any other information it holds, unless it can show that the disclosure will be likely to impact on the ongoing investigation or any expected actions arising from it.

The individual successfully extends their visa due to extenuating circumstances and is allowed to remain in the UK for another two years. They make another request for their personal data.

The Home Office will have to carefully consider this, taking into account the guidance set out in the immigration exemption policy document. As there are no active proceedings against the individual, the exemption will only continue to be available if there is any remaining prejudice to immigration controls, and the Home Office should not use it simply because it applied previously.

Although the immigration exemption may no longer apply in this context, other exemptions under Schedule 2 of the DPA 2018 may be relevant.

More information is available in our detailed freedom of information guidance The prejudice test.

What rights does the immigration exemption apply to?

The exemption applies to the following rights:

  • right to be informed;
  • right of access;
  • right to erasure;
  • right to restrict processing; and
  • right to object.

The exemption does not restrict other data subject rights. More information is available in our UK GDPR guidance on Individual rights.

Example

An individual being investigated for an immigration offence contacts the Home Office to request that their date of birth is rectified, as this is inaccurately reflected in their records.

The right to rectification is not a right which is restricted under this exemption. The Home Office must therefore update their records and respond to the individual within the time frame permitted.

How does the exemption affect the individual’s right to be informed?

The right to be informed means that the data subject has the right to be given certain privacy information about the processing of their data. This includes for example, the purposes of the processing and the identity and contact details of the controller. This applies whether you obtain personal data from the individual or from someone else.

The provision of this privacy information also meets the transparency requirement of Article 5(a).

However, if you are investigating an individual, you may not wish to tell them that you are processing their personal data for the purposes of immigration control. This would alert them to your investigation, and would be likely to prejudice the purpose of the processing.

In these circumstances, you may apply the immigration exemption and restrict the individual’s right to be informed. You do not have to provide privacy information if this is likely to prejudice the identified immigration purposes.

As discussed above, the immigration exemption also provides an exemption from the data protection principles so far as their provisions correspond to the listed data subject rights. Therefore in these circumstances, it provides an exemption from the transparency requirement of Article 5(a) to the extent that this corresponds with the right to be informed.

However, although you may therefore be exempt from providing privacy information to the individual you are investigating, you still have to comply with the other requirements of Article 5(a) and identify a lawful basis for processing. This lawfulness part of Article 5(a) does not affect (or correspond to) any of the rights listed above and so you are not exempt from this particular obligation.

More information is available in our UK GDPR guidance Right to be informed.

How does the exemption affect the individual’s right of access?

An individual may make a subject access request to you, in order to obtain a copy of the data you hold about them. You must consider the circumstances of each case and may apply the exemption only if you consider that to comply with the right of access would be likely to prejudice effective immigration control.

You may not wish to provide a copy of all the personal data you hold, if this would prejudice a current investigation into that individual’s immigration status, or would otherwise prejudice the maintenance of effective immigration controls. However, you may be able to provide some personal data in response to the request, if this does not prejudice your investigation.

More information is available in our UK GDPR guidance Right of access.

Example

An individual who has been refused entry to the UK at an airport e-Passport gate makes a Subject Access Request to the Home Office, asking for information about why their entry was refused.

Providing the individual with this information would involve disclosing details about the technical operation of the e-Passport gates, which if made public, could have a detrimental effect on border control, potentially enabling attempts to undermine the system.

In this case, the Home Office may legitimately rely on the immigration exemption as a reason to refuse to disclose the requested information.

Do we need to inform individuals that the immigration exemption has been applied?

You should keep a record of the decision to apply the immigration exemption, and your reasoning, each time it is applied. Individuals should be informed that the immigration exemption has been applied unless it would be prejudicial to effective immigration control to do so. See ‘What is the prejudice test?’ for guidance on how to assess whether an individual being informed that the immigration exemption has been used would be prejudicial to carrying out immigration control.

Example

An individual seeking asylum in the UK has had their application refused. They make a request to the Home Office for all their personal data so that they can appeal against this decision.

The Home Office is investigating them for the use of identification which does not belong to them and it would prejudice the investigation to provide them with the personal data relating to this investigation.

The Home Office therefore may apply this exemption in order to restrict the individual’s right of access. However it should provide as much data as it can and inform the individual where the immigration exemption has been applied, if this does not prejudice the investigation.

What happens if an immigration investigation becomes a criminal investigation?

If the investigation of an immigration offence develops into a criminal investigation, and if you are a competent authority processing personal data for the purposes of law enforcement, you should undertake processing under Part 3 of the DPA 2018, rather than under the UK GDPR regime. Personal data has to be handled according to the requirements laid out in Part 3, which has its own restrictions about the rights of individuals. More information is available in our guide to law enforcement processing.

Example

The Home Office is investigating an individual for an immigration offence. Investigations show that they were involved in the trafficking of individuals into forced labour in the UK. The Home Office now has to investigate under Part 3 of the DPA 2018 as a criminal offence.

Should the individual choose to exercise any of their data protection rights, the Home Office will have to consider these under the requirements of Part 3 of the DPA 2018 and apply restrictions accordingly.