My Lords, the Minister will not be surprised that I have comments on the immigration exemption. We have discussed it a number of times. When I first came across it, in the Data Protection Bill, I was outraged and affronted. The Minister is nodding. I know that she is not agreeing with me; she is just nodding that that was my reaction. I felt affronted because it is basic to me that a solicitor should be able to ask, and get an answer to, what a department of state knows, or thinks it knows, about his client—not about the evidence against him. Immigration control is a very wide issue; it covers far more than national security. More than that, it is basic for everyone, because we are all data subjects, to ask that question and get an answer. If the Home Office, the UKVI, says no, we should know why. That is why the Liberal Democrats divided the House on the issue on Report on the Data Protection Bill.
In the first of the Court of Appeal’s judgments, referring to Home Office evidence, Lord Justice Warby said:
“it is clear that the Immigration Exemption plays a significant role in practice as a brake on access to personal data”.
As I said, this was taken from the Home Office evidence, which referred to the first year of operation of the DPA and gave numbers of subject access requests. The immigration exemption was relied on in 59% of responses. Lord Justice Warby went on to say:
“The Exemption is available in principle in a wide range of … situations.”
Article 23 of the UK GDPR of course allows for the restriction on subject access requests by way of legislative measure that is necessary, proportionate and subject to safeguards. Article 23.2 says that the legislative measure—the “legal basis”, as the court termed it —provides for restrictions, but, again, as the court says, the article is “remarkably specific”. The court also referred to transparency, the equality of decision-making and facilitating a review of proportionality. These of course are all important and characteristic of good law, which is why the measure should be clear and precise and its application foreseeable.
The immigration exemption policy document—at any rate, the current one which has been circulated with the statutory instrument—may or may not be clear and precise. I have to say that the same may be said of the statutory instrument itself, and it relies on—if I may use the acronym—the IEPD. Its own limitations preclude clarity and precision. The IEPD is not legislation. To say, as the Minister did, that it is on the face of legislation is stretching the description. It is not “part and parcel” of the legislation, which was the phrase used in the litigation, not even of secondary legislation, which in practice of course is unamendable. By definition, it is not foreseeable, because it can be varied. The IEPD or any successors introduced by the Secretary of State under the proposed amended provisions can be varied in part or in whole without any legislative process. The SI does not attempt to address this; there has been no attempt—at any rate, none that has seen the light of day—to produce anything such as a code of practice or codification of safeguards. It is simply a Home Office policy document, which, as I understand it, repeats existing safeguards and contains no new ones beyond what is already imposed by the general law or already in place in respect of Home Office data. I think that the Minister said that this builds on previous arrangements. Perhaps she could explain how.
Added to that, the policy document seems not even to be quite consistent within itself. Paragraph 7 uses the words
“for as long as is strictly necessary”,
while paragraph 9 uses the term “necessary and proportionate”. Those words are almost hyphenated in the way we use them now, but they are separate criteria, and “strictly necessary” is more than “necessary”.
The fourth bullet in the checklist in paragraph 9 of the document tells the caseworker and the Home Secretary that
“there should be a rebuttable assumption to inform the data subject of the use of the exemption and only not do so where it would be prejudicial to the immigration purposes”.
Thinking about this, I got quite caught up in a loop, because if it is prejudicial, the exemption kicks in, but one cannot find out how or whether it is prejudicial, and I am not really sure how it works in terms of informing the data subject.
If the Home Office think that it would be prejudicial to disclose, should the Home Office simply refuse to respond? Does it intend any change of practice in responding to a data subject request—a data access request—or will everything continue as previously? If the Minister can explain what happens in a case where the Home Office thinks it will be prejudicial to good, effective immigration control, I should be interested to know.
I have a rather similar query about the SI and new paragraph 4B(2) of Schedule 2, which will go into the Act. Under that, the Secretary of State is not required to inform the data subject of the determination, if doing so may be prejudicial to effective immigration control. In any event, paragraph 4B requires a record of reasons for determination, but not that they are given to the data subject even if he is told of the determination himself. How extensive is the information given in response to the access request? The reasons for refusal of a visa could be much less even than that you have a step-grandson living in a dodgy part of the world, but what you do not know, you cannot challenge, which is really my objection to so much of this.
I remain concerned that maintenance of effective immigration control is everything that the UKVI and parts of the Home Office dealing with immigration do day in, day out. The term itself is not clear and precise. So why are there no safeguards in a legislative measure—the SI—which would qualify to meet that term? Why is everything in draft Home Office policy and what is the difference in the draft policy from what the Home Office already do? And why do we not have the formality of a code of practice approved by Parliament?