The EU’s General Data Protection Regulation (‘GDPR’) presents a challenge for employers in many data processing scenarios, including in relation to immigration.

It is illegal to employ someone who does not have the appropriate right to work in the UK. Breach is punishable by a civil penalty of up to £20,000 per worker. However, employers have a statutory excuse under the Immigration, Asylum and Nationality Act 2006 if they can show that they carried out a right to work check which meets Home Office requirements.

The Home Office expects employers to retain copies of right to work checks securely for the duration of the individual’s employment and for a further two years after employment has ended. They may be retained electronically in a format that cannot be changed or in hard copy. You need to be able to produce these quickly if requested by the Home Office, to demonstrate that you have performed a right to work check.

From a GDPR perspective, retention of these documents is justified on the basis that it is in the employer’s legitimate interest. Although it is not a legal requirement to perform a right to work check, employers that do not retain evidence of checks will not have a statutory excuse if found to be employing someone who does not have a right to work in the UK.

The GDPR is an even bigger issue for employers who are Tier 2 sponsors and who have to carry out a Resident Labour Market Test (‘RLMT’) before sponsoring a migrant worker for a Tier 2 General visa. This is because Home Office sponsor guidance requires the employer to retain personal data not only about the employee, but also a considerable amount of personal data about unsuccessful applicants for the job.

Sponsors must retain:

  • all applications short-listed for final interview, in the medium they were received, for example, emails, CVs, application forms - this should include the applicant’s details such as name, address, date of birth
  • the names and total number of applicants short-listed for final interview
  • for each settled worker who was rejected, interview notes which show the reasons why they have not been employed.

All documents must be kept for one year from the date you end your sponsorship of the migrant (or if the migrant is no longer sponsored by you, the point at which a compliance officer has examined and approved the documents if that is shorter). In order to comply with the GDPR, sponsors should make sure this is reflected in their privacy notices and any other information given to candidates, who may not otherwise expect their data to be retained in this way.