GDPR AND IMMIGRATION PROCESSES

Most employers will be aware of the upcoming introduction of the General Data Protection Regulation, or GDPR. But how can they be sure the way they collect and store information for immigration purposes will be compliant? Amelore look at the key risk areas.

GDPR

The introduction of the General Data Protection Regulation (GDPR) presents a huge challenge for employers in many data processing scenarios.

Not surprisingly, immigration processes necessitate the collection and processing of considerable personal data by an employer and, in many situations, one or more third parties such as legal advisers.

And with the deadline (25 May 2018) fast approaching, there is a chance that certain types of personal data processing will not be captured in your thinking, and will therefore create a risk of a breach.

For many employers, immigration is a niche activity that changes constantly and is therefore difficult to fully understand and account for with internal policies and processes.

However, given the sensitive nature of data collected and processed, and the multiple parties often involved in this, now is the time to look at key immigration activities and ensure that they are GDPR compliant.

Here are a few scenarios that illustrate the wide range of immigration data points to be accounted for in preparing for GDPR.

Right to work checks

Employers must conduct right to work checks on any new employee, ideally before they start working for you so you only employ people with the ‘right to work in the UK’.  Employers should take copies of any original documentation they see and copy, sign and date the document copy which should then be securely stored.

While it is easy to assume that this is covered by a “legal obligation” that is not actually the case.

A right to work check is done to establish a statutory excuse against a civil penalty – that is, to avoid a fine should an employee be found to be working illegally. It is not strictly speaking a legal requirement to perform a right to work check and there are no penalties for failing to perform a right to work check where the employee is working legally. However, employers that do not carry out right to work checks will not have a statutory excuse.

Therefore, the retention and processing of data relating to immigration status would be categorised under “legitimate interests” and this processing should be covered in a privacy notice.

Resident labour market test

The resident labour market test (RLMT) is conducted as part of a Tier 2 General (new hire work permit) application to justify the recruitment of a non-UK/EU individual, ahead of a UK/EU individual.

The employer generally needs to place two adverts on two websites for 28 days each, and then assess applications against the skills, education and experience described in the advert.

If there are no suitably qualified candidates from the UK/EU, then a non-UK/EU individual can be offered the role and be sponsored under Tier 2 General.

Documentation, including job applications, CVs and interview notes need to be retained for up to seven years in the event that the Home Office conducts a compliance audit.

Now imagine you were one of the candidates who applied for that role. You were interviewed for the job but ultimately were unsuccessful. It would be reasonable to expect that your details would be retained for a reasonable period, for example six months, to allow the employer to defend any challenges arising from the appointment.

However, most candidates would be surprised to learn that their personal information would be stored for up to seven years and shared with legal advisers and the Home Office as part of the immigration process for the successful candidate.

While employers may be able to argue that retaining the information is a legal obligation, the Home Office document that describes document retention is not technically part of the immigration rules. Rather, it is a policy document and therefore it may be open to interpretation whether it is a legal obligation or not.

As such, employers may instead have to rely upon “legitimate interests” as the appropriate legal basis to retain such information. This of course requires a proper assessment to ensure those interests are not outweighed by risk of prejudice to individuals.

What steps do employers need to take to ensure that their RLMT processes are GDPR-compliant?

  1. Ensure your privacy notice for recruitment purposes makes clear the possibility of personal data being processed and retained for the purpose of immigration requirements, specifically the RLMT for Tier 2 General, including the sharing of that data with legal advisers and the Home Office, and the length of time data may be stored.
  2. Minimise personal data where possible. The personal data that must be retained on file, as per the relevant Home Office policy document, relates only to applications shortlisted for final interview – rather than all candidates who responded to the advert. Likewise, do not ask for personal data that is not strictly required at this stage of the process, for example, copies of passports, immigration documents and evidence of qualifications and experience.
  3. Redact and anonymise personal data. A further way to minimise the personal data you hold is to redact information that is not relevant to the information you need to retain, such as contact details, interests and hobbies.

Immigration enquiries and opinions

Throughout the course of employment an employee can expect that their employer may need to consult with legal advisers and other professional advisors on a range of matters, including immigration, and in doing so may need to share personal data.

This should of course be covered in the section within the privacy notice dealing with disclosures to third parties.

However, what if as part of these enquiries it is necessary to transfer data outside the European Economic Area (EEA)? For example, where the organisation is looking to transfer an employee to the US and would like a US-based immigration lawyer to assess eligibility.

Transfers of personal data outside the EEA need to be addressed within privacy notices. Also, any such transfers of personal data should only take place where steps are taken to ensure adequate protection for that personal data in the recipient country (this is also the existing position under the Data Protection Act 1998).

With just over a month to go until GDPR goes live, now is the time to understand the data points in your immigration processes and ensure they are GDPR compliant.

Employment law changes anticipated for 2017

A round up of the employment law changes anticipated for 2017, amid the ongoing uncertainty resulting from the Brexit referendum. 

Large compliance projects for data protection and gender pay gap reporting will dominate the HR agenda in 2017.

Employers are likely to see costs increase as the apprenticeship levy and additional fees for sponsoring foreign workers are introduced, and tax savings for employee benefits are significantly reduced.

Now more than ever it is important to ensure you are have good up-to-date HR practices and are employing the right people on the right terms and conditions.

  1. Data Protection Regulation compliance efforts underway

Although the EU General Data Protection Regulation (GDPR) does not come into force until May 2018, the scope of the changes under the new Regulation means that preparing for the GDPR will be high priority for employers in 2017.

Employers will need to carry out audits of employee personal data that they collect and process to ensure that it meets GDPR for employee consent. New governance and record-keeping requirements mean that employers will also have to create or amend policies and processes on privacy notices, data breach responses and subject access requests.

As the GDPR will come into effect before the UK exits the EU, organisations that are not compliant by May 2018 will risk fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.

  1. Gender pay gap reporting begins

Private-sector, voluntary sector and public-sector organisations with 250 employees or more will be required to publish gender pay gap information for the first time.

Employers will be obliged to release information relating to employee pay and bonus pay, as well as information on the number of men and women in each quartile of the organisation’s pay distribution.

Gender pay gap regulations for private and voluntary sector employers are still in draft form but the deadline for the first report is expected to be 4 April 2018, based on pay and bonus data from 2016/17.

Reporting requirements for public-sector employees are expected to mirror private-sector timelines and requirements.

  1. Apprenticeship levy on large employers introduced

Employers with an annual payroll of more than £3 million will be required to pay a 0.5% levy on their total pay bill starting on 6 April 2017.

Large employers will be able to access levied amounts, plus a government top-up of 10%, to fund apprenticeships from accredited training providers.

Smaller organisations that are not required to pay the levy will also be able to receive funding for accredited apprenticeships by contributing 10% towards the cost of an apprenticeship, with the Government paying the remaining cost.

This is potentially great news for employers and young people entering the workforce.

  1. Salary-sacrifice schemes significantly restricted

Employers may need to reconsider their benefit offerings as tax savings through many salary-sacrifice schemes will be abolished from 6 April 2017.

Schemes related to pension savings (including pensions advice), childcare, cycle-to-work and ultra-low emission cars will not be affected.

Schemes in place prior to April 2017 will be protected until April 2018, while arrangements related to cars, accommodation and school fees will be protected until April 2021.

  1. Changes to rules for employing foreign workers 

Employers sponsoring foreign workers with a tier 2 visa will be required to pay an immigration skills charge of £1,000 per worker (£364 for small employers and charities) beginning in April 2017.

The immigration skills charge will be in addition to current fees for visa applications.

In April 2017,the minimum salary threshold for “experienced workers” applying for a tier 2 visa will also increase to £30,000.

New entrants to the job market, and some health and education staff will be exempted from the salary threshold until 2019.

  1. Restraints on public-sector exit payments are still expected

Restrictions on public-sector exit payments, which had been expected to come into force in 2016, are still anticipated, although their implementation dates have not yet been confirmed.

Exit payments will be capped at £95,000 when public-sector employees leave their roles, including as a result of redundancy or voluntary exit.

Employees earning over £80,000 will also be required to repay exit pay if they return to any public-sector role within 12 months.

This will be a key area for the National Audit Office to look at closely and ensure that further loopholes aren’t being created.  Poor practices that included raising salaries exceptionally to benefit from Defined Benefit pension schemes, offering VR to expensive senior staff who merely wished to retire as well as agreeing terms to re-hire have been costly to the public purse.

  1. National minimum wage changes 

Cycles for national minimum wage increases – including the national living wage – will be aligned, with the next round of changes taking effect on 1 April 2017.

The next increase will see the living wage for staff aged 25 or over rising to £7.50.

Use this link to check you are paying the correct rate. Also look at current and future statutory rates for maternity pay, paternity pay, adoption pay, shared parental pay and sick pay.

https://www.gov.uk/national-minimum-wage-rates

  1. Trade union balloting changes to be implemented 

Employers await the implementation date for new balloting requirements under the Trade Union Act 2016.

Under the rules, a successful vote for strike action will require a 50% minimum turnout and a majority vote in favour of industrial action.

Industrial action in important public services will require a strike vote of 40% of all eligible voters.