My Lords, paragraph 4 of Schedule 2, which this amendment would delete, deals with the provisions of the GDPR—that is, protections—which do not apply to immigration control. Government Amendment 44 alters that by removing some of the protections from the list; in other words, the protections would continue to apply in relation to the rights to rectification and data portability.
So what protections will the data subject forgo? I suggest that they are almost all basic safeguards, including: that the processing of someone’s personal information must be lawful, fair and transparent; that data must be processed accurately and kept up to date; that it be held securely; that the person to whom the data relates is informed of the data being held, for how long it may be held and for what purpose it may be used; and that the person to whom the data relates may inspect it and request its erasure. I am not clear what use the right to rectification, which will be retained, would be without one being able to access the data being held so that one could identify the factual inaccuracies. The Information Commissioner’s Office says that this will mean that,
“the system lacks transparency and is fundamentally unfair”.
The list may appear innocuous because not every paragraph in the articles listed is in play, but what is left are things such as that this right,
“shall not adversely affect the rights and freedoms of others”;
the best part of each of the articles listed will no longer apply. This is not a limited or modest modification of the basic safeguards but a wholesale removal.
What is the purpose of this? The purpose is for,
“the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the … provisions would be likely to prejudice”,
these matters. In other words, this is very far-reaching indeed.
5.45 pm
Nothing that I say should be taken as suggesting that immigration control is not an important issue. By definition the provisions extend beyond criminal offences, which are dealt with separately. There are many offences within our immigration law. I do not resile from my observation that the second limb in paragraph 4(1)—
“the investigation or detection of activities that would undermine the maintenance of … immigration control”—
gives scope for quite considerable fishing expeditions.
The phrase “likely to prejudice” means that judgment must be applied. It will be applied by the data controller, which in most cases will actually be the Home Office. In other words, the Home Office will apply or disregard safeguards by reference to whether the safeguards may prejudice its own purposes. The very fact that data is held will not be told to the data subject. To cite the Information Commissioner again, the “likely to prejudice” test is not,
“a … focussed provision with reference to specific statutory immigration functions”.
It is very wide indeed.
Immigration control has expanded in nature over the last few years. It stretches beyond the Home Office to the activities and functions of public bodies and private individuals in providing housing, healthcare, employment, education, social assistance, banking facilities, driving licences and marriage registration, as well as the private sector in carrying out functions for the state such as immigration removal centres. For instance, if an individual is refused a tenancy or a job, not only could he not take steps to protect himself but he may not even know that the Home Office is the source of the problem. Home Office Ministers must cringe when they hear examples—I will not demean them by describing them as anecdotes—of things that go wrong. I am sure we would all acknowledge that, as systems become more complex and more players are involved, the scope for error increases.
I will add one example, which has a worrying coda. My noble friend Lord Greaves was helping a lad in Lancashire—they call them lads in Lancashire, of course—who was born and raised there and had applied for a driving licence. He got a letter from the Home Office, not the DVLA or the Department for Transport, telling him that he could not have a driving licence and that, in a phrase with which we will be familiar, he must take steps to leave the country immediately. My noble friend asked a Question for Written Answer about with whom the Home Office has,
“data sharing arrangements in connection with the identification of individuals’ rights to receive public services or to reside in the UK, and other matters”.
The Answer stated that the Home Office has,
“agreements with government and non-government partners”,
and that the data-sharing is in line with the Data Protection Act and so on, which is understood. It went on:
“The Home Office keeps such data sharing agreements under review but does not currently maintain a central register of all … agreements”,
so there is no way of knowing with one Question what all the agreements are. I find that deeply worrying.
Our objections to paragraph 4 are not merely theoretical. I have referred to a British citizen being told that he is not only subject to immigration control but not entitled to be in the country. There are many such reports of similar experiences; the Independent Chief Inspector of Borders and Immigration found a high rate of error in a sample of refusals to open bank accounts. There are also many reports of documents in applications for bail from immigration detention being inaccurate, and not in a trivial way. The Information Commissioner tells us that the majority of data protection complaints to her office about the Home Office relate to requests for access to personal data to UK Visas and Immigration, mostly by solicitors acting for asylum seekers. As noble Lords will appreciate, the wider context is the reduction and removal of appeal rights and legal aid.
One group of people—3 million of them—who are very aware of the importance of accurate information and access to it are EU citizens living in the UK and concerned for their future. Subject access requests, as they are known, are an integral part of most immigration cases. If nothing else—I hope this relatively short canter round the subject indicates that there is a lot else—the scope to deny access is inconsistent with the spirit of last week’s understanding between the UK and the EU.
A similar proposal was seen off in 1983 when there was concern about race discrimination and race relations. The concerns now are even wider. The EHRC submits that the exception could,
“permit the authorities to access and process highly personalised data, for example, phone or social media relating to sexual lives of immigrants claiming residency rights on the basis of their relationship with a British citizen”.
We are used to being told that opposition amendments are unnecessary; I suggest that paragraph 4 is not only objectionable but unnecessary. In Committee, the Minister asserted its necessity and gave two examples: a suspected overstayer and the provision of false information. Both are criminal offences and can be dealt with under the other provisions of the schedule. People making immigration claims are, for the most part, merely seeking to assert their rights, not to offend in a criminal manner, or any manner.
This paragraph falls foul of article 23(1) of the GDPR that an exemption must respect,
“the essence of the fundamental rights and freedoms”,
and must be,
“a necessary and proportionate measure in a democratic society”.
Administrative procedures should not be exempt from transparency and accountability. I beg to move.