Draft Regulations laid before Parliament under section 16(3) of the Data Protection Act 2018, for approval by resolution of each House of Parliament.

Draft Statutory Instruments

2022 No.

Data Protection

The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022

Made

Coming into force in accordance with regulation 1(2)

The Secretary of State makes the following Regulations in exercise of the powers conferred by sections 16 and 182(5) of the Data Protection Act 2018(1).

In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner(2) and such other persons as the Secretary of State considers appropriate.

In accordance with section 16(3) of that Act(3), a draft of this instrument has been laid before, and approved by a resolution of, both Houses of Parliament.

Citation, commencement and extent

1.—(1) These Regulations may be cited as the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022.

(2) These Regulations come into force on—

(a)31st January 2022, or

(b)if later, the day after the day on which they are made.

(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.

Amendment of Part 1 of Schedule 2 to the Data Protection Act 2018

2.—(1) Part 1 of Schedule 2 (exemptions etc. from the UK GDPR) to the Data Protection Act 2018(4) is amended as follows.

(2) In paragraph 4 (immigration exemption)—

(a)in sub-paragraph (1), in the words before paragraph (a), after “processed” insert “by the Secretary of State”;

(b)after sub-paragraph (1), insert—

(1A) But sub-paragraph (1) does not apply unless the Secretary of State has an immigration exemption policy document in place.

(1B) For the purposes of sub-paragraph (1A), the Secretary of State has an immigration exemption policy document in place if the Secretary of State has produced a document which explains the Secretary of State’s policies and processes for—

(a)determining the extent to which the application of any of the UK GDPR provisions listed in sub-paragraph (2) would be likely to prejudice any of the matters mentioned in sub-paragraph (1)(a) and (b), and

(b)where it is determined that any of those provisions do not apply in relation to personal data processed for any of the purposes mentioned in sub-paragraph (1)(a) and (b), preventing—

(i)the abuse of that personal data, and

(ii)any access to, or transfer of, it otherwise than in accordance with the UK GDPR.

(1C) Paragraphs 4A and 4B make provision about additional safeguards in connection with the exemption in this paragraph.;

(c)in sub-paragraph (2), for “sub-paragraph (1)” substitute “sub-paragraphs (1) and (1B)”;

(d)omit sub-paragraphs (3) and (4).

(3) After paragraph 4 insert—

Immigration: additional safeguard: decisions for the purposes of paragraph 4(1) and requirement to have regard to immigration exemption policy document

4A.(1) The Secretary of State must—

(a)determine the extent to which the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) on a case by case basis, and

(b)have regard, when making such a determination, to the immigration exemption policy document.

(2) The Secretary of State must also—

(a)review the immigration exemption policy document and (if appropriate) update it from time to time;

(b)publish it, and any update to it, in such manner as the Secretary of State considers appropriate.

(3) In this paragraph and paragraph 4B “the relevant UK GDPR provisions” means the provisions of the UK GDPR listed in paragraph 4(2).

Immigration: additional safeguard: record etc of decision that exemption applies

4B.(1) Where the Secretary of State determines in any particular case that the application of any of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b), the Secretary of State must—

(a)keep a record of that determination and the reasons for it, and

(b)inform the data subject of that determination.

(2) But the Secretary of State is not required to comply with sub-paragraph (1)(b) if doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b)..

Name

Parliamentary Under Secretary of State

Home Office

Date

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations amend the immigration exemption in paragraph 4 of Part 1 of Schedule 2 to the Data Protection Act 2018 (c. 12) (“the 2018 Act”). These amendments are made in consequence of the judgment of the Court of Appeal in the case of R (on the application of Open Rights Group and another) v Secretary of State for the Home Department and another (Liberty and another intervening) ([2021] EWCA Civ 800).

The immigration exemption allows certain specific rights and obligations in the UK GDPR to be restricted to the extent that giving effect to those rights and obligations would be likely to prejudice:

(a)the maintenance of effective immigration control, or

(b)the investigation or detection of activities which would undermine the maintenance of effective immigration control.

It is only the provisions of the UK GDPR listed in paragraph 4(2) of Schedule 2 to the 2018 Act which are affected by the immigration exemption.

The immigration exemption is amended to make clear that it may be relied on only by the Secretary of State and only if the Secretary of State has in place an immigration exemption policy document. An “immigration exemption policy document” is a document which explains the Secretary of State’s polices and processes for determining whether, and the extent to which, the immigration exemption applies in any particular case, and for ensuring that any personal data covered by the exemption is not abused or accessed or transferred in a manner contrary to the UK GDPR.

Additional safeguards are also added to the exemption to require the Secretary of State:

(a)to decide whether the immigration exemption applies on a case by case basis, and to have regard to the immigration exemption policy document when making such decisions;

(b)to keep a record of any decision that the immigration exemption applies and the reasons for that decision;

(c)to inform a data subject of any such decision, unless doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b) of Schedule 2 to the 2018 Act.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen.

(1)

2018 c. 12. Section 16 was amended by S.I. 2019/419. There are amendments to section 182 not relevant to these Regulations.

(2)

“The Commissioner” is defined in section 3 of the Data Protection Act 2018 (“the 2018 Act”).

(3)

For the meaning of “the affirmative procedure” see section 182(7) of the 2018 Act.

(4)

Part 1 of Schedule 2 was amended by S.I. 2019/419.