GDPR. Four letters currently dominating the thoughts of every company in Europe. The General Data Protection Regulation comes into force tomorrow, Friday 25 May 2018.
Its core principles are lawfulness, fairness, transparency, limitation, minimisation, accuracy, integrity and confidentiality. The increased protection for data subjects has presented some headaches for employers.
One such challenge comes from immigration law. The hiring of migrant workers necessarily involves processing a huge amount of personal data (and often sensitive personal data), by employers and other parties (such as lawyers). Many commonly occurring scenarios may see immigration requirements conflict with (or at least present a challenge to) data protection requirements. Here are some examples:
Resident Labour Market Test (“RLMT”)
- Employers wishing to hire a worker on a Tier 2 General visa must usually first satisfy the RLMT, to check whether a settled worker can do the job instead. If a suitably qualified settled candidate applies, the job must be offered to them. Home Office guidance states that employers must retain some documents from the recruitment process:
  - applications shortlisted for final interview (e.g. emails, CVs, application forms), which should include the applicant’s details such as name, address and date of birth;
  - the names and number of applicants shortlisted for final interview; and
  - interview notes that show why settled workers were rejected.
- Your data protection alarm bells will ring when you read that documents must be kept for one year from the end of sponsorship of the migrant. A Tier 2 visa can potentially be extended up to a maximum of six years. That means potentially keeping these documents on file for seven years. Not many unsuccessful applicants would expect their personal data to be stored for seven years and potentially shared with the Home Office. But Home Office guidance does require it. As this comes from guidance, not the Immigration Rules, it’s not strictly a legal obligation, so this processing of data should be categorised as a legitimate business interest rather than a legal requirement.
Right to work checks
- Employers should be in the habit of conducting checks to ensure new recruits have the right to work in the UK. Failure to do so could expose the employer to civil and criminal penalties. Interestingly, as confirmed by some recent case law, it’s not actually a legal obligation. It’s done so that the employer has an excuse against the imposition of a fine in the event that the employee was actually not entitled to work in the UK. That processing and retention of data relating to immigration status can therefore be justified as a legitimate business interest.
- Employers will naturally need to send employees’ personal data to immigration advisers, such as an immigration lawyer who is preparing an application. Those advisers must also have GDPR-compliant processes, since employees will send their personal data to the adviser. Employers should also be alive to the challenges posed by sending data outside the EEA, for example where an employee is being seconded abroad, since the employee’s data must be protected in the recipient country.
In the above examples, employers (and advisers) should minimise and limit the amount of data being processed, retained and shared. This could include redacting irrelevant information, anonymising where possible, using passwords to protect files and avoiding storing data for longer than is strictly necessary. Remember that employers should also be addressing the processing of data in a privacy notice. That notice should state that personal data may be processed, retained and shared to comply with immigration requirements. It should also specify for how long data may be retained. An archive and deletion policy can also dovetail nicely with the privacy notice.