On 1st March 2024, the Information Commissioner’s Office (ICO) announced that it had issued an Enforcement Notice and warning to the Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorised means. (Strangely, the actual text of the notice and warning was only recently published, three weeks after the ICO press release.)
The decision comes as a result of Privacy International’s complaint (filed in August 2022) against the Home Office policy. The civil liberties pressure group alleged widespread and significant breaches of privacy and data protection law.
The ICO had been in discussion with the Home Office since August 2022 on its pilot to place ankle tags on, and track the GPS location of, up to 600 migrants who arrived in the UK and were on immigration bail. The purpose of the pilot was to test whether electronic monitoring is an effective way to maintain regular contact with asylum claimants, while reducing the risk of absconding, and to establish whether it is an effective alternative to detention.
The ICO found that the Home Office failed to conduct a Data Protection Impact Assessment (DPIA) in relation to the pilot that satisfies the requirements of Article 35 of the UK GDPR. Amongst other things, the Home Office had failed to sufficiently assess the privacy intrusion of the continuous collection of people’s location information.
It was also found to have breached the Accountability Principle (Article 5(2)) by failing to demonstrate its compliance with Article 5(1), in particular:
- Article 5(1)(a) Lawfulness: the Home Office identified the lawful basis for the processing as Article 6(1)(e), and for Special Category Data as Article 9(2)(g) and Schedule 1 paragraph 6 DPA 2018. However, it did not demonstrate (in either its DPIA or its staff guidance) that the processing was necessary and proportionate for these purposes, including why less privacy-intrusive methods could not meet its objectives.
- Article 5(1)(a) Fairness and Transparency: the Home Office’s privacy notice(s) did not demonstrate compliance with minimum transparency requirements, as set out at Articles 12 and 13. It failed to provide clear and easily accessible information to the people being tagged about what personal information is being collected, how it will be used, how long it will be kept for, and who it will be shared with. The privacy information was not set out clearly in one place, was inconsistent and there were information gaps.
- Article 5(1)(c) Data Minimisation: the Home Office’s draft DPIA and guidance for staff did not demonstrate that data minimisation will be considered and actioned when requesting access to the personal data produced by the electronic tags.
John Edwards, the Information Commissioner, said:
“It’s crucial that the UK has appropriate checks and balances in place to ensure people’s information rights are respected and safeguarded. This is even more important for those who might not even be aware that they have those rights.
“This action is a warning to any organisation planning to monitor people electronically – you must be able to prove the necessity and proportionality of tracking people’s movements, taking into consideration people’s vulnerabilities and how such processing could put them at risk of further harm. This must be done from the outset, not as an afterthought.”
The Enforcement Notice orders the Home Office to update its internal policies, access guidance and privacy information in relation to the data retained from the pilot scheme. The ICO has also issued a formal warning stating that any future processing by the Home Office on the same basis will be in breach of data protection law and will attract enforcement action.
Surveillance is a hot topic for the ICO at present. Last month, the ICO issued Enforcement Notices to public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts under the UK GDPR. The notices required the organisations to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.
The Enforcement Notice and warning are important reading for anyone who wishes to understand how to complete a compliant and meaningful DPIA. The Data Protection and Digital Information Bill is currently at the Committee stage in the House of Lords. Amongst other things, the DPIA provisions in the UK GDPR will be replaced by leaner and less prescriptive “Assessments of High-Risk Processing”.