Wednesday, April 17, 2024
Home > ICO > ICO finds the Home Office’s pilot of GPS electronic monitoring of migrants breached UK data protection law

ICO finds the Home Office’s pilot of GPS electronic monitoring of migrants breached UK data protection law

  • Home Office pilot scheme failed to assess privacy intrusion of GPS monitoring
  • Government did not provide migrants on the pilot scheme clear information on what data it was collecting and why
  • Information Commissioner says it’s crucial the UK has ‘appropriate checks and balances in place to ensure people’s information rights are respected’

The Information Commissioner’s Office (ICO) has issued an enforcement notice and a warning to the Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorised means.

The ICO has been in discussion with the Home Office since August 2022 on its pilot to place ankle tags on, and track the GPS location of, up to 600 migrants who arrived in the UK and were on immigration bail, after concerns about the scheme were raised by Privacy International.

The purpose of the pilot was to test whether electronic monitoring is an effective way to maintain regular contact with asylum claimants, while reducing the risk of absconding, and to establish whether it is an effective alternative to detention.

The ICO found the Home Office failed to sufficiently assess the privacy intrusion of the continuous collection of people’s location information. Tracking people is highly intrusive and organisations planning to do this must be able to provide a strong justification for doing so.

Additionally, the Home Office failed to assess the potential impact on people who may already be in a vulnerable position due to their immigration status, including the conditions of their journeys to the UK or English not being their first language. That meant the Home Office did not sufficiently consider what measures should be put in place to mitigate against those risks, such as providing clear information about why people’s location data was being collected and how it would be used.

John Edwards, UK Information Commissioner, said:

“Having access to a person’s 24/7 movements is highly intrusive, as it is likely to reveal a lot of information about them, including the potential to infer sensitive information such as their religion, sexuality, or health status. Lack of clarity on how this information will be used can also inadvertently inhibit people’s movements and freedom to take part in day-to-day activities.

“If such information were to be mishandled or misinterpreted, it could potentially have harmful consequences to people and their future. The Home Office did not assess those risks sufficiently, which means the pilot scheme was not legally compliant.

“We recognise the Home Office’s crucial work to keep the UK safe, and it’s for them to decide on what measures are necessary to do so. But I’m sending a clear warning to the Home Office that they cannot take the same approach in the future. It is our duty to uphold people’s information rights, regardless of their circumstances.”

Throughout the ICO’s enquiries, the Home Office was unable to explain sufficiently why it was necessary or proportionate to collect, access and use people’s information via electronic monitoring for the pilot’s purpose, including failing to evidence that it had considered less intrusive methods.

Such intrusive processing should be accompanied by robust guidance and procedures to ensure it is applied consistently and in a privacy preserving way. The Home Office guidance failed to provide sufficient direction to staff on when it would be necessary and proportionate to electronically monitor people as an immigration bail condition.

The Home Office also failed to provide clear and easily accessible information to the people being tagged about what personal information is being collected, how it will be used, how long it will be kept for, and who it will be shared with. The privacy information was not set out clearly in one place, was inconsistent and there were information gaps.

Mr Edwards added:

“It’s crucial that the UK has appropriate checks and balances in place to ensure people’s information rights are respected and safeguarded. This is even more important for those who might not even be aware that they have those rights.

“This action is a warning to any organisation planning to monitor people electronically – you must be able to prove the necessity and proportionality of tracking people’s movements, taking into consideration people’s vulnerabilities and how such processing could put them at risk of further harm. This must be done from the outset, not as an afterthought.

“I welcome the Home Office’s commitment to improve the privacy information for those whose personal information is still being held and to make improvements on their approach to data protection impact assessments.”

Although the pilot scheme ended in December 2023, the Home Office will continue to be able to access the personal information gathered throughout the pilot until all the data has been deleted or anonymised. This means there is still potential for the information collected to be accessed and used, not just by the Home Office but other third-party organisations.

The Enforcement Notice issued by the ICO orders the Home Office to update its internal policies, access guidance and privacy information in relation to the data retained from the pilot scheme.

The ICO has also issued a formal warning stating that any future processing by the Home Office on the same basis will be in breach of data protection law and will attract enforcement action.


Notes to editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. The ICO’s strategic priorities are set out in ICO25, which includes safeguarding and empowering people, particularly vulnerable groups who are exposed to the greatest risk of harm.
  5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

 


 

Original Source