Data protection: suppressing official wrongdoing

Data protection: suppressing official wrongdoing


Written by: Frances Webber

The government intends to make future ‘Windrush’ scandals impossible to uncover with the sweeping immigration exemption from new data protection obligations. Can campaigners and lawyers prevent the cover-ups?

We are all data subjects now. The new data protection legislation which entered into force on 25 May gives us all rights – to see what data organisations hold on us and know what is done with it, to correct it, to restrict its processing, and in some circumstances, to have it deleted. This accords with justice and common sense.

But not for migrants. The Data Protection Act specifically excludes from the scope of most data protection rights – including subject access – all data acquired, held and passed to third parties ‘for the maintenance of effective immigration control’ or ‘for the investigation or detection of activities that would undermine the maintenance of effective immigration control’.  (The right to rectification of data remains, but it is hard to see how it can be used without the right to know what information is held by the Home Office or one of its private partners, or to have access to it.)

Amid all the kerfuffle surrounding the new data protection obligations of businesses, charities and civil society groups, the warnings of migrants’ rights groups and of civil liberties campaigners such as Open Rights and Liberty, about the dangerous breadth of the ‘immigration exemption’ went largely unheard. But as the Joint Parliamentary Committee on Human Rights’ deputy counsel observed,[i] measures interfering with privacy must include legal protection against arbitrary interference by public authorities, and there is widespread concern that the immigration exemption is disproportionate and discriminatory.

The UK’s Data Protection Act 2018 is designed to complement the EU-wide General Data Protection Regulation (GDPR). This contains no ‘immigration control’ exemption, although it does allow data subjects’ rights to be restricted in pursuance of prescribed aims, including national security, crime prevention, detection, prosecution and punishment and ‘other important objectives of general public interest’. This makes sense: authorities should not have to provide all the data held on them to those planning major crime. But as the GDPR says, restrictions must respect the essence of fundamental rights – which must include the right not to be detained for deportation, or sacked, or denied work or livelihood or housing on the basis of information which is unavailable to the subject of it.

Hostile environment context

The government’s hostile environment policies have involved a lot of data sharing between the Home Office and other agencies, as more and more sectors of society have been conscripted into immigration policing, and enforcement – getting numbers down and people out – has become the absolute priority. The NHS, schools and landlords have joined the ranks of employers, universities, colleges, local authorities, marriage registrars, banks etc, in being required to pass on information to the Home Office or to check someone’s status with them before providing services. The information passed back to them has frequently been inaccurate – the Independent Inspector of Borders and Immigration recently found that denial of a bank account after a Home Office immigration status check had a ten per cent error rate, and that hundreds of driving licences had been revoked on the basis of wrong information from the Home Office. And numerous cases have been reported of lawful residents being told, sometimes by text, that they have no right to be in the UK and must leave.

Home Office errors such as these are the inevitable by-product of a culture of disbelief entrenched and solidified into a shift in the burden of proof: anyone who looks or sounds like a migrant is suspect and must prove their legal right to be here. It was this shift which produced the Windrush scandal, revelations that Commonwealth pensioners who had lived and worked in the UK for half a century or more, many of whom held British nationality, had been sacked from their jobs, rendered homeless and destitute and in some cases threatened with removal or even deported, because they were unable to prove their lawful status in the UK.

The recent scandals have surprised no one with experience of the Home Office, with its combination of institutional cruelty, indifference and incompetence – but many of the cases would never have come to light if lawyers had not been able to get access to clients’ Home Office files. Until now, the right of migrants, as ‘data subjects’, to see the Home Office files on them has enabled them or their lawyers to see where mistakes have been made and try to get the record corrected. Often it is obvious from the file itself, which will contain information that demonstrates legal status but has not been read or understood by the Home Office official.

Subject access requests don’t just uncover errors; seeing the Home Office file is a routine and vital way of understanding how someone’s case has progressed and been handled, what stage it is at, whether all the relevant arguments have been made and evidence marshalled and presented, and what more can be done to protect migrants’ and refugees’ rights. As the Open Rights group noted in its arguments to the Public Bill Committee, often, people seeking legal advice are ignorant of their actual status in the country; legislation and immigration rules are impossibly complicated and so badly drafted as to be unintelligible (often even to lawyers), Home Office letters are formulaic, Tribunal decisions and notifications legalistic, procedures opaque. Without the ability to make a subject access request to find out what’s been going on, what stage has been reached in any procedure and what can now be done, the task of advising someone on their status and what steps need to be taken becomes impossible. Far greater numbers of people will be vulnerable to enforcement action and unable to challenge it.

What safeguards?

In parliamentary debate, the minister said the safeguards in the Data Protection Act would prevent abuse, as data subjects’ rights can be restricted only to the extent that exercising them would prejudice the maintenance of control or the investigation of activities undermining it. The problem with this is that Home Office officials themselves will, at least in the first instance, be judges of the ‘prejudice’ which would ensue from the disclosure of data. This does not inspire confidence, especially as the success rate of internal administrative review (which has replaced appeal against wrong decisions refusing entry or leave to remain as appeal rights have been whittled down almost to vanishing point) is around one per cent, compared with forty per cent of appeals. The statistic reveals both the worrying level of bad decisions and judgments made by the Home Office, and officials’ reluctance to overturn them. Now, with the wide exemption in place, if an official refuses a subject access request citing the ‘prejudice to immigration control’ formula, how will anyone know what information the Home Office has acquired, or has passed on to a private partner?

Challenges to the immigration exemption

The question then is how the immigration exemption, or refusal of a subject access request under it, can be challenged. Already, the3million, a group campaigning for EU citizens’ rights post-Brexit, is joining up with the Open Rights Group to mount a legal challenge to the breadth of the exemption, which they say breaches the GDPR, and is disproportionate and discriminatory as well as unnecessary, since the DPA already contains restrictions and exemptions related to crime and to national security.

In addition to the broad challenge to the exemption, lawyers will be carefully scrutinising every subject access refusal from the Home Office citing ‘prejudice to the maintenance of an effective immigration control’, and in many cases will be challenging the Home Office to explain the alleged prejudice. Legal challenges are very likely. Then, it will be up to the judges to curb the government’s instinct for secrecy, knowing as they do how often secrecy has been used to cover up official wrongdoing or embarrassing errors. 

Moving from the legal to the political arena, campaigning in the wake of Windrush has already achieved the suspension of some hostile environment policies, such as health authorities’ sharing of patient data with the Home Office for enforcement purposes, and the abolition of the nationality and country of birth questions from the schools census. It will be important for campaigners to highlight cases where a subject access request has provided decisive information in support of an application to stay, or proof of a claimed right to reside, which was previously denied by the Home Office.

As Liberty reminded parliament in its Briefing on the Bill, this is not the first time the government has tried to limit data protection rights for ‘immigration control’ purposes – it was tried in 1983, and decisively rejected by MPs. Since then, the fear of appearing ‘soft’ on immigration has dominated parliament – but the Windrush scandal revealed a public distaste for rank injustice which can be mobilised again.

[i] Note from Deputy Counsel on the human rights implications of the Data Protection Bill, 6 December 2017 (available as pdf from

The Institute of Race Relations is precluded from expressing a corporate view: any opinions expressed are therefore those of the authors.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.