UK Home Office Breached Data Protection Law with Migrant Tracking
The UK Home Office has breached data protection law by using electronic tags to monitor migrants, according to the Information Commissioner’s Office (ICO).
The regulator said the government department failed to sufficiently assess the privacy intrusion of the continuous collection of individuals’ location information. It noted that 24/7 access to people’s movement is likely to reveal sensitive information, such as their religion, sexuality or health status.
The Home Office’s pilot placed ankle tags and tracked the GPS location of up to 600 migrants on immigration bail. The scheme was designed to test whether electronic monitoring is an effective alternative to detention in maintaining regular contact with migrants and reducing the risk of absconding.
However, the Home Office did not explain sufficiently why it was necessary or proportionate to collect, access and use this data, and had not provided evidence that it had considered less intrusive monitoring methods, the ICO found.
Additionally, the people tagged in the scheme were not provided with clear and easily accessible information about what personal data was being collected, how long it will be stored, and how it will be used.
The Home Office also failed to assess the potential impact of continuous monitoring on people who may already be in a vulnerable position due to their immigration status, including the conditions of their journeys to the UK or English not being their first language, the ICO said.
The data protection regulator added that the scheme was not accompanied by robust guidance and procedures to ensure the measures are applied consistently and in a privacy-preserving way. For example, the Home Office failed to provide staff with sufficient direction on when it would be necessary and proportionate to electronically monitor people as an immigration bail condition.
UK Information Commissioner John Edwards commented: “If such information were to be mishandled or misinterpreted, it could potentially have harmful consequences to people and their future. The Home Office did not assess those risks sufficiently, which means the pilot scheme was not legally compliant.
“We recognize the Home Office’s crucial work to keep the UK safe, and it’s for them to decide on what measures are necessary to do so. But I’m sending a clear warning to the Home Office that they cannot take the same approach in the future. It is our duty to uphold people’s information rights, regardless of their circumstances.”
ICO Issues Warning to Home Office
The ICO revealed that it has been in discussion with the Home Office since August 2022 about the data protection implications of the scheme, after concerns were raised by Privacy International.
The pilot ended in December 2023. However, the ICO noted that there will still be potential for the information already collected to be used by the Home Office and other third-party organizations.
Therefore, the Enforcement Notice orders the Home Office to update its internal policies, access guidance and privacy information in relation to the data retained from the pilot scheme.
The ICO also issued a formal notice warning that any future data processing by the Home Office on the same basis will breach data protection law and lead to enforcement action.
Edwards said the action sends a message to any organization planning to monitor people electronically that they must be able to prove the necessity and proportionality of tracking people’s movements from the outset.
“I welcome the Home Office’s commitment to improve the privacy information for those whose personal information is still being held and to make improvements on their approach to data protection impact assessments,” he added.
Jon Baines, Senior Data Protection Specialist at law firm Mishcon de Reya said it was encouraging to see the ICO’s focus on respecting and enforcing the rights of vulnerable people.
“The ICO is making clear with this action that monitoring someone’s movements 24/7 is incredibly intrusive, and in the context of affected asylum claimants, disproportionate and unlawful,” he noted.
Baines added that the Enforcement Notice compels the Home Office to stop such monitoring activities, with failure to comply potentially treated as a contempt of court.
“It will be interesting, therefore, to see if the Home Office decides to appeal this notice,” he said.
During a talk at the International Association of Privacy Professionals (IAPP) Data Protection Intensive event on 28 February, Edwards vowed that safeguarding consumer rights in the era of artificial intelligence (AI) is a top priority for the ICO.
He also said the regulator is working to provide clarity on when biometrics can be applied in compliance with the UK GDPR law. This came days after the ICO ordered Serco Leisure stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.
Image credit: Sean Aiden Calderbank / Shutterstock.com