As you’re probably aware, the General Data Protection Regulation came into force last week. But while businesses are busy looking at what data they hold and for how long, they could be overlooking data that relates to their employees’ right to work in the UK.

Right to work checks

If you employ someone who doesn’t have the right to work in the UK, you can be fined up to £20,000 – per worker – and face potential criminal sanctions, including imprisonment.

But, if you’ve carried out a right to work check that meets the Home Office’s requirements, you have a statutory defence. These checks involve processing special categories of personal data, like racial or ethnic origin.

You should keep these right to work check documents for as long as your employee works for you, and for two years after they leave. In line with GDPR, you can do this on the basis that you’ve got a legitimate interest in them, and that you need them to defend any legal claim.

Tier 2 sponsors

Another, less obvious implication of GDPR affects you if you’re registered as a Tier 2 sponsor. If you want to recruit someone from outside the UK, you’ll probably have to do a Resident Labour Market Test (RLMT).

You need to keep this information for one year from the date your employee leaves (or you stop sponsoring them), or until a Home Office compliance officer has examined and approved the documents after you’ve stopped sponsoring them, whichever is shorter.

You’ll need to keep specific documents to show that you’ve carried out the RLMT. These are set out in the Tier 2 guidance:

  • all applications short-listed for final interview, in the medium you received them, including names and addresses
  • names and numbers of applicants short-listed for final interview
  • interview notes for each settled worker you rejected, explaining why.

Under GDPR, you can keep these documents because of your legitimate interest in them: to show you’re compliant with your sponsor obligations.

What do I need to do?

If you’re a Tier 2 sponsor, you need to make sure that this information is reflected in your data retention policy and recruitment privacy notice. Remember that it probably won’t be included in standard form documents.

For advice on your obligations as a licensed sponsor, or information about GDPR, please get in touch.