As part of the Challenge the Checks campaign, the Migrants’ Rights Network, Migrants at Work and the Open Rights Group are investigating how the hostile environment is negatively impacting migrant workers. As part of this work, we are looking at the intersection of data and employment rights.
From the Windrush scandal, which resulted in the wrongful detention and deportation of hundreds of people, to the cruel and unjust Inhumane Migration Bill which is currently making its way through Parliament, the UK Government has continually pushed inhumane policies that endanger migrants. These hostile policies have increasingly overlapped with the digital space. While building a vast digital infrastructure of surveillance and data collection across law enforcement, housing, and benefits systems, the Home Office has said that it aims to be operating a “fully digital system” for all migrants by 2024. These systems present serious risks to migrants’ privacy, data security, and access to important services.
In addition, the Data Protection Act 2018 denies migrants their full data rights through the ‘immigration exemption’. This allows the Home Office and private companies to refuse requests by individuals for access to personal data held about them on the grounds that it might “prejudice the maintenance of effective immigration control”. The Open Rights Group (ORG) and the3million have taken the Government to court twice over this exemption. Recently, the High Court agreed that this exemption is incompatible with the General Data Protection Regulation. This is a significant victory in challenging the digital hostile environment that the Government is trying to create but there are further threats ahead as the UK Government attempts to weaken privacy and data protection through the Data Protection and Digital Information (DPDI) Bill. The legislation, if passed, will increase surveillance while weakening data rights.
This blog sets out a few ways the Data Protection and Digital Information Bill would negatively impact migrant workers:
- New exemptions for ‘national security’ and ‘crime prevention’ – the Bill has added new exemptions for re-sharing data without consent that include vague purposes like “sharing data for national security” and “crime prevention”. These exemptions are likely to result in significant re-sharing of data about vulnerable groups like migrants among Government bodies and will make it much harder to challenge the Government’s retention and repurposing of data.
- Changing the threshold for Subject Access Requests (SARs)– SARs allow individuals to request a copy of all of the data that a business or the Government hold about them. This can include a copy of the data, how they are using it, who they are sharing it with and where they got it from. The Bill would make it easier for the Government or businesses to deny SARs by migrant workers, which is extremely concerning as SARs are a key tool for helping people track their data and understand when it has been misused. The Government has moved toward using solely digital-based proof of immigration status. However, when the Home Office decides that a person no longer has the right to be in the UK, individuals are prevented from working and accessing key services. The changes to SARs in the DPDI Bill will make it more difficult for individuals to find out what data is held about them so that they can remedy mistakes.
- Changes to Data Protection Impact Assessments (DPIAs)– DPIAs are an essential process within the Government and businesses where they have to systematically analyse, identify and minimise the data protection risks of a project or plan before undertaking it. DPIAs are especially important in cases where the data being processed is likely to result in a high risk to the rights and freedoms of individuals. Despite this, the Bill makes changes to DPIAs, reducing the requirements to conduct one before processing people’s data and removing the requirement to consult with individuals who might be impacted by the use of their data. It is critical to hear from individuals themselves about how the use of their data could negatively impact them, so this change greatly limits the effectiveness of DPIAs. A loss of proper DPIAs also makes it harder for civil society organisations to scrutinise, inform and advise on proposed automated systems before, during and after their implementation.
The changes to DPIAs will particularly impact migrant workers due to the increased use of facial recognition systems and automated visa making algorithms. A host of research shows that AI technologies have serious vulnerabilities, are systemically biased, and are applied in ways that exacerbate racial inequality. Without proper safeguards, these technologies have a disproportionate impact on marginalised communities who already face increased risk of immigration stops and right to work checks.
The Data Protection and Digital Information Bill will weaken the UK’s data protection infrastructure and, crucially, leave civil society and migrant workers with fewer tools with which to demand accountability. Unfettered surveillance and data sharing among Government agencies and private companies presents a real risk of the data being used to profile, manipulate and discriminate against migrants. Additionally, an environment of increased impunity for companies and Government officials will further discourage migrant workers from accessing necessary healthcare or reporting workplace abuses. While imperfect, the current UK GDPR is one of the strongest data protection laws in the world and provides many important rights. These include the right to access data being held about you, protection against solely automated decision-making, structures for corporate accountability, and limitations on the repurposing of data. These rights are essential for empowering individuals in an data ecosystem where the government and companies hold immense power. We strongly urge the Government to drop the DPDI Bill and begin again with a legislative process that centers the rights of individuals and works to ensure the most equitable and positive outcomes for society.
by Abigail Burke, Policy Manager for Data Protection at the Open Rights Group