With the sensitivity for which they are rightly renowned, the Home Office chose to celebrate Christmas by tweeting a cheery video full of beaming millennials, promoting the new ‘settled status’ registration scheme for EU nationals who want to stay in the UK after Brexit. People who have made their home in the UK have to register and pay for the privilege. Setting aside the crass, thoughtless way in which the scheme was promoted, concerns have been expressed on social media about the Data Protection implications, especially as regards how data is used and whether it complies with GDPR and the DPA 2018. There is an interesting sentence in the documentation: “we may also share your information with other public and private organisations in the UK and overseas”. The people behind the @the3million Twitter account made an FOI request about this, and the Home Office have refused to confirm the identity of the organisations in question. They relied on S31 of the FOI Act, which allows information to be withheld if (among other things) disclosure would or would be likely to prejudice “the operation of the immigration controls”.
S31 requires the Home Office to demonstrate a causal link between disclosure and prejudice, and has a public interest test that allows for disclosure if the public interest in doing so outweighs the public interest in withholding. So while the Home Office picked the right exemption, their decision to refuse could be challenged. The ICO doesn’t have a strong record of overturning these kinds of decisions, so the fate of any complaint is hard to predict.
But what’s that? Surely individuals subject to this process have GDPR rights, and can find this out for themselves via a subject access request? Two elements of GDPR would appear to assist – Article 13 requires the Home Office to specify “the recipients or categories of recipients” to which personal data will be disclosed in order to be transparent, while Article 15 gives the subject a right to the same information on request as part of a subject access request.
Except they don’t. I’m certain that the wording I have seen doesn’t comply with Article 13 because even the ‘categories’ bit would only work if it was clear what types of recipients are involved, and it’s plainly not. However, the GDPR allows for exemptions, and there is an exemption that the Home Office managed to get through Parliament in the DPA 2018 which allows them to keep the identity of the recipients secret. Schedule 2, Pt 1, (4) says that both transparency and subject access rights can be set aside if applying them would or would be likely to “undermine the maintenance of effective immigration controls”. If the Home Office don’t want to tell people going through the process who their data will be shared with, this exemption allows them to do so. They have to believe that transparency will undermine effective immigration control, but this is the Home Office – they probably do believe that.
So what recourse do EU citizens have? They could, of course, challenge the Home Office approach by either taking them to court or complaining to the Information Commissioner. The Commissioner could decide that the application of the exemption was incorrect (as they could with S31 of FOI), and they have powers to enforce that decision. Aside from Elizabeth Denham’s obsession with data analytics in politics (especially when allegedly deployed by the Leave side), the ICO does not have a strong track record of taking on big organisations. Admittedly, the ICO recently took on the Metropolitan Police over their Gangs Matrix database, but the problem with that is the Gangs Matrix was a mess and the Met more or less acknowledged that.
The problem here is that if the Home Office maintain their position, the ICO would have to substitute their judgment for theirs. This wouldn’t be a mistake or a cock-up; if the Home Office use the DPA exemptions in the same way as they have the FOI ones, the only way that people can get better transparency is for the ICO to tell them that they’re wrong. This is often when Wilmslow bottles it. It’s straightforward to enforce on an organisation that has just lost thousands of people’s data (I’m sure it takes a lot of graft, but the decision to do it isn’t as hard). It’s much more difficult when the data controller hasn’t made a mistake, but is using the exemptions as described. Even if the ICO believes that the exemptions have been wrongly applied (and they might not), the Home Office is likely to ignore any recommendations and appeal any enforcement action.
The alternative is the courts, which is just as much of a roll of the dice as a complaint to the ICO, with the added complexity and cost of actually going to court. I have confidence that a court would test the Home Office’s arguments more robustly than the ICO would, but the Home Office wouldn’t be acting irrationally or unreasonably, and a judge might agree with them. These exemptions made it through Parliament and are on the statute book; the Home Office can plainly use them, and it’s not a breach of the GDPR unless the ICO or a court says that they have been applied unfairly.
Personally, I doubt that knowing who is receiving your data will undermine this process sufficiently to justify the secrecy that the Home Office has already imposed using FOI, and which I expect they will use under DP, but it doesn’t matter what I think. This is where the hype around the GDPR runs into the brick wall of reality. The Home Office doesn’t need consent to gather, use and disclose personal data in this process, as long as it has another lawful basis to do so (legal obligation or official authority will certainly kick in here). The DPA gives them exemptions to keep the nature of that processing opaque, and if they choose to use them, challenging that decision is difficult and the outcome is uncertain. This leaves an odd situation but a lawful one – if they wish to live in a country they have already made their home, it seems that EU citizens have to submit to a closed, secretive process and they cannot find out what happens to their data during that process, who gets to see it, and for what purpose.