The GDPR presents a challenge for employers in many data
processing scenarios, including in relation to immigration.
It is illegal to employ someone who does not have the
appropriate right to work in the UK. Breach is punishable by a civil penalty of
up to £20,000 per worker. However, employers have a statutory excuse under the
Immigration, Asylum and Nationality Act 2006 if they can show that they carried
out a right to work check which meets Home Office requirements.
The Home Office expects employers to retain copies of right
to work checks securely for the duration of the individual’s employment and for
a further two years after employment has ended. They may be retained
electronically in a format that cannot be changed or in hard copy. You need to
be able to produce these quickly if requested by the Home Office, to
demonstrate that you have performed a right to work check.
From a GDPR perspective, retention of these documents is
justified on the basis it is in the employer’s legitimate interest. Although it
is not a legal requirement to perform a right to work check, employers that do
not retain evidence of checks will not have a statutory excuse if found to be
employing someone who does not have a right to work in the UK.
The GDPR is an even bigger issue for employers who are Tier
2 sponsors and who have to carry out a Resident Labour Market Test (‘RLMT’)
before sponsoring a migrant worker for a Tier 2 General visa. This is because
Home Office sponsor guidance requires the employer to retain personal data not
only about the employee, but also a considerable amount of personal data about
unsuccessful applicants for the job.
Sponsors must retain:
- all applications short-listed for final interview, in the
medium they were received, for example, emails, CVs, application forms – this
should include the applicant’s details such as name, address, date of birth
- the names and total number of applicants short-listed for
final interview
- for each settled worker who was rejected, interview notes
which show the reasons why they have not been employed.
All documents must be kept for one year from the date you
end your sponsorship of the migrant (or if the migrant is no longer sponsored
by you, the point at which a compliance officer has examined and approved the
documents if that is shorter). In order to comply with the GDPR, sponsors
should make sure this is reflected in their privacy notices and any other information
given to candidates, who may not otherwise expect their data to be retained in
this way.
Clare Hedges is a Senior Associate at Birketts LLP, based in Cambridge. She provides immigration advice and regularly delivers interactive training.