Perhaps I could reiterate that Recital 41 states that:
“Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament”.
We will beg to differ on that, but I am just quoting what Recital 41 says.
To address the court’s concerns, the regulations therefore amend the immigration exemption, primarily to include all the relevant matters in Article 23(2)(a) to (h) of the UK GDPR. It might be helpful if I provide some details on those matters that are not relevant and are already covered in the DPA 2018. For those particular matters, no amendments are needed to the legislation, as well as for those matters that are not relevant. I will provide some details on the measures that are relevant and for which amendments have been made.
Before I do that, I point out that the regulations introduced a statutory requirement for the department to have an immigration exemption policy document before the immigration exemption could actually be applied—that is in response to the noble Lord, Lord Paddick. Regulation 2(2)(b) specified what must be addressed in the policy, and the controller must have regard to it. In answer to the noble Baroness, Lady Hamwee, we are working to tighten the deadlines set by the court, and we did publish the IEPD draft on 10 December on GOV.UK.
Continuing now on what is and is not relevant, the following limbs of Article 23(2) are already sufficiently covered in the DPA 2018. Therefore, no amendments will be made to the legislation in relation to those limbs. They are, from Article 23(2):
“(a) the purposes of the processing or categories of processing; (b) the categories of personal data; (c) the scope of the restrictions introduced … (g) the risks to the rights and freedoms of data subjects”.
The requirement under Article 23(2)(f) to make provision in respect of
“the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing”
is not relevant, as the immigration exemption does not purport to extend data storage periods, and so no amendments are proposed in this regard.
On amendments made in relation to Article 23(2)(d), including the IEPD, the article states that where relevant there shall be provisions for safeguards to prevent abuse or unlawful access or transfer. This instrument will introduce additional measures to address Article 23(2)(d). It will mandate the Secretary of State to have an immigration exemption policy document in place prior to the exemption being relied on; that they must have regard to their IEPD when applying the exemption; that a record is kept of the application of the immigration exemption; and that the data subject be informed of its application, save in certain circumstances.
The IEPD and any subsequent updates to it will be published in a manner that the Secretary of State considers appropriate. Publication will allow for flexibility, where future concerns arise—I will take back the comments that the noble Baroness, Lady Hamwee, made this evening. There is no requirement to go through Parliament and any future concerns, if they arise, could be addressed in a shorter timeframe.
The regulations also specify what the IEPD must address. This additional measure will promote high standards of safeguards in applying the immigration exemption, consistent with those in relation to personal data relating to criminal convictions and offences. The IEPD explains how the immigration exemption must be operationally applied and the circumstances in which data rights might be exempted. These are set out in clear and precise terms. They will form part of Schedule 2 to the DPA 2018 once in force and, as such, will clearly constitute legislative measures.
Amendments are also made to Article 23(2)(e), on provisions as to the specification of the controller or categories of controllers, and to Article 23(2)(h), which states that where relevant there shall be provisions for the right of a data subject to be informed about the restriction, unless that is prejudicial to the purposes of the restriction—we went through that during the previous debate. The instrument will amend the immigration exemption so that the controller will have to inform the data subject that the exemption has been relied upon unless to do so would prejudice the purpose of the restriction, once again proving our commitment to be as open and transparent as we are able.
I am not sure whether it was the noble Baroness or the noble Lord who asked about the consultation process, but they almost played my words back to me. We consulted the parties to the litigation and the ICO and considered carefully their observations and comments, making amendments to the draft as appropriate, but clearly we did not take everyone’s comments on board, and therefore the court process came into being. We have tried, as far as possible, to address the issues through the IEPD.
I hope that noble Lords are now satisfied—I do not think they are, judging by their faces. I shall leave it there.