Employers need to collect, process and retain data about their employees for a variety of purposes, including to produce evidence in the event of a Home Office audit. With the General Data Protection Regulation (GDPR) coming into force later this month, employers need to understand the impact of this legislation.
GDPR promises to strengthen the privacy rights of data subjects in a variety of ways, for example through the right to rectification, the right to data portability, the right to be forgotten and the right not to be subject to a decision based solely on automated processing.
These rights, in particular the right to be forgotten, require employers, as ‘data controllers’, to destroy data relating to their employees when it is no longer needed.
There are two main immigration data processes affecting employers: the Resident Labour Market Test (RLMT) and right to work checks. How will these be affected by GDPR?
Resident Labour Market Test
Subject to limited exceptions, the RLMT has to be conducted where an employer wishes to recruit a non-UK/EEA national. The RLMT ensures that a migrant worker is recruited only if there are no suitably qualified settled workers to fill the job. If the Home Office finds that the RLMT has not been completed, the employer will not be able to sponsor the specific individual and may put its sponsor licence at risk.
To demonstrate compliance with the RLMT duties, employers must first advertise the role in accordance with the Immigration Rules to give settled workers the opportunity to apply. Secondly, they must assess the candidates to ensure there are no suitable settled workers to fill the role.
So far as candidate assessment is concerned, employers must retain documentation, such as CVs and interview notes, for the shorter period of one year from the date the migrant’s sponsorship ends or the point at which a UKVI compliance officer has examined and approved the documents. However, under GDPR this may be considered as retention of data for longer than is necessary.
Right to Work Checks
A right to work check must be completed for all employees before they start work to ensure they have the right to work in the UK. The penalties for employing an illegal worker can be substantial and include a civil penalty of up to £20,000 per illegal worker and potential criminal liability with up to five years’ imprisonment. Getting the checks right and retaining evidence will enable employers to establish a statutory excuse (a defence) and avoid those penalties unless it was obvious that the documents supplied were fraudulent or insufficient to prove the right to work. Evidence of an employee’s right to work needs to be retained for a minimum of two years after the employment ends. Again, the same difficulty with regard to data retention under GDPR arises.
How to pass a Home Office audit and remain GDPR compliant
There are six available lawful bases for processing personal data under GDPR: consent, contract, legal obligation, vital interests, public task and legitimate interests.
In the case of right to work checks, the overall purpose of processing data is to comply with the employer’s legal obligation to prevent illegal working. Retaining right to work evidence would fall within the ‘legal obligation’ lawful basis. The same argument will apply to the retention of data collected as part of the RLMT process. It could also be argued that the employer has a legitimate interest in retaining that data because the Home Office will expect to see evidence of a compliant RLMT if an audit is undertaken.
We advise employers to ensure their privacy notice makes it clear that personal data may be retained for the purposes of immigration requirements. It may also be helpful to redact and anonymise personal data where possible. This ensures that your business is compliant with GDPR and Home Office requirements and that the sponsor licence is protected.