I thank noble Lords for the points that they have made on these amendments. Perhaps I may address Amendments 43 and 72 together, as they both concern data protection.
I appreciate the concerns to protect data subjects’ rights and to ensure that data sharing for immigration control or enforcement purposes does not prevent people living in this country accessing public services to which they are perfectly entitled. However, I cannot agree to these new clauses, because they would not be proportionate or constructive amendments to the Bill, or indeed address the concerns behind the amendments, and I shall say why.
They would restrict immigration authorities in performing their lawful duties in respect of immigration control, including being able to confirm a person’s immigration status, and they would be unable to prevent potential prejudice to the immigration system. Essentially, the new clauses would expressly prohibit the Home Office from using a necessary and lawful exemption in the Data Protection Act 2018, should it have cause to do so. The immigration exemption has been debated previously in this House and concerns raised have been addressed on those occasions.
The exemption applies to restrict specified data subjects’ rights where the maintenance of effective immigration control, or the investigation or detection of activities that would undermine the maintenance of effective immigration control, are likely to be prejudiced. Rightly, it should apply to anyone who is subject to immigration control, including EEA and Swiss citizens. The new clause proposed in Amendment 43 would therefore constitute a difference in treatment on the grounds of nationality. We do not believe that that can be justified, as one purpose of the Bill is to ensure that there will be no difference in treatment between EEA citizens and those from the rest of the world when it comes to immigration policy.
Amendment 72 would have a similar effect in creating a difference in treatment based on nationality. The effect of the amendment in the clause would be to maintain the current position, so that one particular aspect of the compliant environment—data sharing—would not apply to those who now benefit from free movement. The amendment would have no effect as far as non-EEA citizens are concerned, and data collected in relation to them could still be used for immigration control or enforcement purposes, thereby treating them unequally under the law.
With regard to the immigration exemption dealt with in Amendment 43, it might help if I expand on the safeguards built into the Data Protection Act. The exemption can be applied only on a case-by-case basis and only where it is necessary and proportionate to do so. It cannot be, and is not, used to target any group of people, be they EEA citizens or otherwise. Nor does the application of the exemption set aside all data subjects’ rights; it sets aside only those listed in paragraph 4 of Schedule 2. A further limitation is that the exemption can be applied only where compliance with the relevant rights will be likely to prejudice the maintenance of effective immigration control. This “prejudice” test must be applied first, and, as a result, the situations in which the exemption can be used are significantly limited. The noble Lord, Lord Oates, asked me to give numbers. I cannot do so at this point, but I will see whether I can access them.
Furthermore, the exemption may be applied only so long as the prejudice can be seen to be evidenced and must be removed thereafter. It is not used to restrict access to personal data that would allow a person to further a claim; it is used only where we need to restrict access to sensitive data—for example, details of ongoing enforcement operations.
The exemption has been found to be lawful by the courts, and the ICO has issued robust guidance on how and when it may be used—guidance that the Home Office adheres to. Furthermore, the Home Office has robust safeguards and controls in place to ensure that data is handled securely, lawfully, ethically and in accordance with all relevant data protection regulations. I say again that the Home Office must at all times comply with the GDPR and the Data Protection Act 2018 when data is shared.
Similar to Amendment 72, Amendment 74 seeks to limit the use of data. To reiterate the points that I made to noble Lords during the recess, I reassure them that the services that we provide to third parties for checking immigration status information about EU settlement status can be accessed and used only to check an individual’s immigration status and the rights associated with that status.
I will explain how users can view and prove their immigration status under the EU settlement scheme. Individuals can authenticate securely on the “view and prove your settled or pre-settled status” online service, where they can view their immigration status information and choose to share it with third parties for a variety of reasons. To take the example of right-to-work checks, the individual selects the option to share their right-to-work information and is given a time-limited code, which can be emailed or given to the employer. The employer uses the share code, along with the individual’s date of birth, to access just the information needed to confirm the individual’s eligibility to work, via the “view a job applicant’s right to work details” service on GOV.UK. The information provided to the employer can be previewed by the individual and contains only information relating to their right-to-work entitlements, along with the individual’s name and facial image for verification purposes and the expiry date of the leave, where appropriate. I hope that the noble Baroness, Lady Ludford, who asked me to reiterate this point, is satisfied with my explanation.
For other services such as health, benefits and banking, users can share basic information about their status under the settlement scheme and the process works in exactly the same way. Checking organisations can access the information on a time-limited basis, via the “check someone’s settled or pre-settled status” service. The information provided in this service represents the minimum amount of data required for those checking organisations to perform their duties, and again includes the individual’s name, facial image, the leave they have been granted and the expiry date where applicable.
Third parties do not have access to the immigration database. An individual must choose to share their immigration status through the “view and prove” service before it can be viewed by third parties such as employers. Picking up on the point made by the noble Lord, Lord Dholakia, the police do not have access to the EU settlement scheme or the immigration database, but we are working with other parts of government to develop system checks to share immigration status for specific purposes such as health and benefits. For example, we will provide information to the National Health Service to support it in establishing whether an individual is entitled to access free healthcare.
I hope that noble Lords are now assured that we are committed to delivering immigration status services for the purposes of checking immigration status information only. These services have been designed to protect the personal information of those with EU settled status and have been built around GDPR principles, including that of data minimisation, ensuring that the information available to third parties is only what is absolutely necessary. I hope that, with those words, the noble Baroness is happy to withdraw her amendment.