Data handlers operate under a range of legal responsibilities designed to ensure that personal information is not misused or abused. However, as a High Court ruling in a guideline case made clear, a balance has to be struck between such duties and the public interest in public authorities not being hampered in their pursuit of important objectives.
The case concerned the so-called ‘immigration exemption’ from the data handling safeguards enshrined in the Data Protection Act 2018. The exemption permits immigration officials to perform data profiling and other activities outside the protections that would otherwise be afforded to individuals by the Act.
Two campaign groups mounted a judicial review challenge to the exemption on the basis that it was incompatible with rights to privacy and protection of personal data guaranteed by the Charter of Fundamental Rights of the European Union. It was also said to conflict with the General Data Protection Regulation 2016/679 (the GDPR).
It was argued that the exemption is too open-ended and vague and cannot be viewed as a strictly necessary derogation from individual rights. There were no safeguards against its abuse or unlawful application and it prevented data subjects from checking that data being processed about them is accurate.
In rejecting the challenge, however, the Court found that the exemption was plainly enacted in pursuit of a legitimate aim – to promote the important public interest in effective immigration control. It fell within the margin of appreciation granted to EU member states by the GDPR and was sufficiently clear and comprehensible to be in accordance with the law.
The Court underlined that close consideration to individual cases must be given before the exemption is applied. Officials can only rely on it to the extent that strict adherence to the GDPR would be likely to prejudice effective immigration control. The Home Office had presented statistical evidence indicating that the exemption was used sparingly and only when considered necessary.