Objectives of the data protection policy in the activities of the Directorate of Immigration
The processing of personal data constitutes a necessary part of the activities of the Directorate of Immigration. Much emphasis is placed on the protection of personal data and of all handling and safeguarding of personal identifiable data meeting the current laws and provisions on the handling of personal data.
The purpose of the data protection policy of the Directorate is to ensure lawful, fair and transparent handling of any personal data, as well as illustrating the procedure for handling and safeguarding such data.
Extent and responsibility
Personal data accumulated and worked with by UTL
Information about the personnel and employment applicants
Legal basis of the processing of personal data by UTL
Rights of the registered party
Confidentiality and safekeeping period
Personal data representative
Personal identifiable information in the public debate
Issuance and review
The policy’s extent involves all activities of the Directorate of Immigration. The Directorate is responsible for the processing of personal data taking place under its auspices. The Directorate is one of the sub-institutions of the Ministry of Justice and is operated on grounds of the Foreign Nationals Act, the Icelandic Nationality Act and the regulations on grounds of the Foreign Nationals Act. The most extensive part of the activities of the Directorate is the issuance of residence permits. The Directorate processes all applications for such permits, including on grounds of employment, family reunification, study, or au-pair recruitment, applications for visas and applications for international protection. Additionally, the Directorate of Immigration engages in various projects pertaining to foreigners and thereby has extensive and good cooperation with various institutions.
The management and personnel of the Directorate should work on grounds of this policy in their handling and safeguarding of personal data, both in terms of the clientele and the Directorate´s employees.
The Directorate of Immigration collaborates with various service and outsourcing parties. Special processing contracts are made about the processing of personal data in instances where the collaborating party is categorized as a processing party. The Directorate makes stringent requirements upon its processing parties about the honoring of the Data Protection Act.
The Directorate usually works with personal data that stem directly from individuals after they have initiated contact, for example processing applications, inquiries, recommendations and other items. Information may be submitted in person, by email, correspondence or by telephone.
The Directorate also receives and obtains personal data from a third party (domestic and foreign) about individuals, including in connection with the processing of applications.
The Directorate provides the registered parties with information about the registration, processing and submission of personal data about them in the data protection policy, on application forms, the website or as requested.
The Directorate prepares statistical overviews based on its data as used, for example, in the Directorate’s annual report. Utmost security is maintained and the data is safeguarded in a format preventing the recognition of registered individuals.
The Directorate of Immigration works with personal data upon receipt of applications for employment at the Directorate, stating the necessary required information, for example, assessment of education, CV, recommendations and so forth. In the instance of recruitment, the Directorate will keep the personal data about the relevant employee in order to be able to pay him/her the wages on grounds of an employment agreement. The Directorate also maintains other work-related matters in its human resources system, for example, regarding courses and re-training, and illness, vacation and job performance.
In most instances the processing of personal identifiable information at the Directorate of Immigration, is necessary in order to meet the statutory requirements of the Directorate, including the Foreign Nationals Act, the Icelandic Nationality Act and the regulations derived from them. See further information about the laws and regulations which the Directorate must honor.
Individuals have the right to file a complaint with the Data Protection Authority which holds a supervisory role in the field of data protection.
The employees of the Directorate of Immigration have access to the data they need for carrying out their work, however, depending on the field of work of individual employees and also which personal identifiable data an employee has access to in the Directorate’s system. All employees of the Directorate are bound by a stringent rule of confidentiality as provided for by law. Such obligation remains in effect even though the employee ceases working at the Directorate.
The Directorate is subject to a duty of surrendering data as stipulated by the Public Archives Act; hence the Directorate is not authorized to destroy records or data that it receives or prepares, except subject to a special authorization by the National Archives of Iceland.
The personal data representative of the Directorate is unbiased and independent in his/her work and supervises the implementation of this policy and the relevant laws and regulations about data protection in the activities of the Directorate. The Directorate ensures the timely involvement of the personal data representative in all matters relating to personal data protection.
Very strict limitations apply to the Directorate’s public debate authorizations, for example, on grounds of the laws on personal data protection and the confidentiality provisions of the Administrative Procedures Act. The Directorate assesses in every instance whether it is authorized to express itself on matters that have been addressed by the news media and whether this is necessary. Utmost caution is exercised and personal identifiable information is not submitted in excess of the authorization of the Directorate as provided for by law.
The policy shall be reviewed and peer read annually. The conclusion as to whether amendments should be made or not shall be registered.