ICO (UK) - Enforcement Notice and Warning Letter - Home Office
From GDPRhub
| ICO - Enforcement Notice and Warning Letter - Home Office | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 5(2) GDPR Article 35 GDPR |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | 01.08.2022 |
| Decided: | 21.03.2024 |
| Published: | 21.03.2024 |
| Fine: | n/a |
| Parties: | Home Office |
| National Case Number/Name: | Enforcement Notice and Warning Letter - Home Office |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English English |
| Original Source: | ICO (in EN) ICO (in EN) |
| Initial Contributor: | Mgrd |
The DPA issued an enforcement notice to the Home Office, ordering it to bring its processing of personal data via GPS monitoring of migrants arriving in the UK into compliance with the UK GDPR after it failed to conduct an adequate data protection impact assessment.
English Summary
Facts
The Home Office (controller) is a United Kingdom government department that is responsible for immigration, security and law. As such, it oversees matters related to visas, immigration, asylum and citizenship in the UK.
The ICO initiated an investigation in August 2022, citing concerns about the controller's Satellite Tracking Services GPS Expansion Pilot project, which involved continuous electronic monitoring as a condition of immigration bail for individuals entering the UK via risky routes.
The pilot initiative involved fitting up to 600 individuals with electronic GPS tags to monitor their movements as part of the immigration bail conditions. These participants were compared to a control group of another 600 individuals who were not subjected to electronic monitoring. The purpose of the electronic tags was to collect data on the tagged individuals’ locations over time, which the controller could use for various purposes, including ensuring compliance with immigration bail conditions and potentially aiding in the efficient processing of asylum claims.
The ICO provisionally found that the controller failed to comply with Articles 35 and 5(2) of the UK GDPR. On 19 December 2023, it sent the controller a Preliminary Enforcement Notice and Notice of Intent to Issue a Warning.
Holding
On March 2024, ICO issued an Enforcement Notice and Warning Letter. It identified breaches by the Home Office of Articles 35 and 5(2) UK GDPR, finding that the controller did not conduct an adequate data protection impact assessment (DPIA) for its satellite tracking services GPS expansion pilot and failed to demonstrate compliance with principles of lawfulness, transparency and data minimisation under Article 5(1) UK GDPR.
The ICO found that the controller's processing required a DPIA because it was systematic, extensive, and was likely to result in a high risk to the rights and freedoms of natural persons. The processing was systematic and extensive because it involved automated processing carried out according to the pilot's strategy and captured a large volume of personal data. In particular, the ICO noted that the GPS processing collected trail data from data subjects, permitted a wide range to be inferred from it and would be used to make decisions having legal effects. The ICO also considered that trail data likely includes a special category of data because, when processed alongside information about the subject's geolocation, it can reveal special categories of data (such as religion).
It concluded that the controller's DPIA failed to meet several requirements specified in Article 35(7) UK GDPR, namely:
- It did not include a systematic description of processing operations with details about the scope, categories, context and purpose of processing;
- It lacked an assessment of the necessity and proportionality of the processing, particularly failing to consider reasonable alternatives, the proportionality of intrusiveness and the appropriateness of a 6-year retention period;
- It did not properly evaluate risks to individual rights and freedoms;
- It inaccurately concluded that the processing of trail data was not processing of a special category of data ; and
- It inaccurately concluded that processing would not involve mostly vulnerable data subjects, contrary to ICO Guidance, and should have conducted a detailed assessment of vulnerabilities.
In addition, the ICO noted that the DPA failed to implement mitigation measures to address the risks. Though the controller took a number of mitigating actions, its failure to make a sufficiently detailed assessment of potential risks resulted in inadequate measures to address processing risks.
The ICO also held that the controller violated the principle of accountability pursuant to Article 5(2) UK GDPR because it failed to demonstrate compliance with Article 5(1)(a) and (c) UK GDPR principles of lawfulness, fairness and transparency as well as data minimisation. With regard to the lawfulness principle, the ICO considered that the controller could not demonstrate that processing had a legal basis pursuant to Article 9(2)(g), which did not convincingly demonstrate that the processing was necessary and proportionate. Moreover, privacy notices were found lacking in clarity and coherence, failing to meet transparency requirements. The controller also lacked documentation and guidance on accessing and using "trail data" (data produced by electronic monitoring devices), indicating that the processing of this data might not have been limited to what was necessary for the purposes for which they were processed. The failure to demonstrate compliance with Articles 6 and 9, the inadequacies in privacy notices, and the lack of guidance on data minimisation collectively led to the conclusion that the Home Office did not fulfill its obligations under Article 5(2) of the UK GDPR, emphasizing the principle of accountability.
The ICO issued an Enforcement Notice to the Home Office, requiring it to take specific steps to remedy failures identified in relation to the UK GDPR. In its warning letter, the ICO highlighted its concern with the continued use of the same or similar documents to those used in the Pilot, which did not comply with the necessary GDPR requirements. It emphasized the importance of the Home Office addressing these issues to prevent potential infringements in any future processing similar to the pilot.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Enforcement Notice issued by the Information
Commissioner concerning contraventions
of Article 5(2) and Article 35 UK GDPR
by the Home Office
ENFORCEMENT NOTICE
H OME OFFICE
28 February 2024 Enforcement Notice
DATA PROTECTION ACT 2018
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER
ENFORCEMENT NOTICE
To: The Secretary of State for the Home Department.
Of: The Home Office, Peel Building, 2 Marsham Street, London, SW1P 4DF.
PART I: INTRODUCTION AND SUMMARY
1. The Home Office is a “controller” as variously defined in sections
3(6), 5 and 6 of the Data Protection Act 2018 (“DPA”) and Article
4(7) of the UK General Data Protection Regulation (“UK GDPR”).
2. Unless otherwise stated, references to “Articles” are to articles of
UK GDPR, and “Sections” to sections of the DPA.
3. The Home Office processes personal data for the purposes of its
management of immigration, including individuals entering or
leaving the UK, securing the border, leave, settlement, citizenship
or other immigration services, claiming asylum or other forms of
protection. The Home Office also processes personal data as part
of its functions to enforce immigration laws, law enforcement for
criminal matters and other lawful matters including those related
to public health. The Home Office is the controller for this
information, including when the information is collected or
processed by third parties on its behalf.
2 Enforcement Notice
4. The Information Commissioner (the “Commissioner”) hereby
issues the Home Office with an Enforcement Notice (“EN”) under
section 149 DPA, in the terms set out in this EN. This EN relates
to contraventions by the Home Office of Articles 35 and 5(2) UK
GDPR in relation to its processing of personal data for its satellite
tracking services GPS expansion pilot (the “pilot”).
5. This pilot extended the Home Office’s use of electronic tagging as
an immigration bail condition to a new cohort: data subjects who
arrive in the UK via unnecessary and dangerous routes who have
claims suitable for consideration under the detained asylum
casework (DAC) process.
The infringements
6. The Commissioner has found that the Home Office has infringed
Articles 35 and 5(2) UK GDPR (the “infringements”) as follows:
Article 35: The Home Office failed to carry out a DPIA in
relation to the pilot which satisfies the requirements of
Article 35.
In summary, the DPIA (Draft DPIA V2.3) did not set out
either at all, or in sufficient detail:
• A systematic description of the envisaged processing
operations and the purposes of the processing. The
DPIA did not set out each processing operation, and
the stated purposes are inconsistent and unclear.
• An assessment of the necessity and proportionality of
the processing operations in relation to those
purposes.
3Enforcement Notice
• Continuous monitoring using GPS tracking by an
electronic tag is intrusive. The Home Office did not
demonstrate that less privacy intrusive methods could
not meet its objectives.
• An objective assessment of the risks to the rights and
freedoms of data subjects, and the measures
envisaged to address those risks. Whilst some risks to
the rights and freedoms of data subjects were
identified, Draft DPIA V2.3 (including the section 7.2
risk table) failed to sufficiently assess all of the risks,
and as a result did not sufficiently propose measures
to address those risks.
Article 5(2): The Home Office, in breach of the accountability
principle, has failed to demonstrate its compliance with
Article 5(1), in particular:
• Article 5(1)(a) principle of lawfulness: the Home Office
identified the lawful basis for the processing as Article
6(1)(e), and for special category data as Article
9(2)(g) and schedule 1 paragraph 6 DPA. However, the
Home Office did not demonstrate that the processing
was necessary and proportionate for these purposes.
This was not demonstrated in its DPIA or its guidance
for Home Office staff. The Home Office failed to
demonstrate why less privacy-intrusive methods could
not meet its objectives.
• Article 5(1)(a) principle of fairness and transparency:
the Home Office’s privacy notice(s) do not demonstrate
compliance with minimum transparency requirements,
as set out at Articles 12 and 13.
4 Enforcement Notice
• Article 5(1)(c) principle of data minimisation: the
Home Office’s Draft DPIA V2.3 and guidance for Home
Office staff does not demonstrate that data
minimisation will be considered and actioned when
requesting access to the personal data produced by
the electronic tags (the “trail data”).
7. Annex 1 of this EN sets out the actions that the Commissioner
requires the Home Office to take to correct the infringements.
8. The findings set out in this EN and the requirements set out in
Annex 1 relate to the assessments and documentation the Home
Office has shared with the Commissioner which underpin the
pilot. The Commissioner expresses no view in this EN as to
whether processing of personal data by the Home Office in
relation to the pilot is otherwise compliant with data protection
legislation more generally.
PART II: LEGAL FRAMEWORK
9. Section 149(1) DPA provides that, if the Commissioner is satisfied
that a person has failed, or is failing, as described in section
149(2) DPA, the Commissioner may, by written notice (an
“enforcement notice”), require that person to take steps or refrain
from taking steps specified in the enforcement notice.
10. The types of failure described in section 149(2) DPA include
“where a controller or processor has failed, or is failing, to comply
with …”:
• at section 149(2)(a) “a provision of Chapter II of the
UK GDPR … (principles of processing)”; and
5Enforcement Notice
• at section 149(2)(c) “a provision of articles 25 to 39 of
the UK GDPR … (obligations of controllers and
processors)”.
11. Section 150 DPA provides that:
“(1) An enforcement notice must -
(a) “state what the person has failed or is failing to do”, and
(b) “give the Commissioner’s reasons for reaching that opinion.
12. Chapter II of the UK GDPR sets out the principles which
controllers must comply with, and requirements which apply when
controllers are processing special categories of data and criminal
records data.
13. Article 5(2) UK GDPR sets out the principle of accountability and
requires that controllers must “be able to demonstrate compliance
with” Article 5(1) UK GDPR.
14. Article 5(1) sets out the other principles relating to processing of
personal data which are: lawfulness, fairness and transparency;
purpose limitation; data minimisation; accuracy; storage
limitation; and integrity and confidentiality.
15. Articles 24 to 39 UK GDPR set out general obligations which
controllers and processors must comply with when processing
personal data.
16. Article 35(1) UK GDPR requires controllers, prior to the
processing, to carry out an assessment of the impact of the
envisaged processing operations on the protection of personal
data where those processing operations are likely to result in a
high risk to the rights and freedoms of natural persons.
6 Enforcement Notice
17. Other relevant provisions of the UK GDPR and DPA are set out
below in the specific paragraphs dealing with the infringements by
the Home Office (Part IV: The Commissioner’s findings of
infringement).
18. The legal framework for issuing an enforcement notice is set out
in Part V: Decision to issue this EN.
Home Office powers
19. The Home Office’s powers to grant immigration bail are governed
by schedule 10 of the Immigration Act 2016. The Home Office has
published guidance on immigration bail . Immigration bail may be
granted by the Home Office where a person is detained or is liable
to be detained under specified statutory provisions .2
20. Schedule 10 paragraph 2(1) Immigration Act 2016 requires that if
immigration bail is granted to a person, it must be granted
subject to one or more of the following conditions –
• a condition requiring the person to appear before the
Secretary of State or, the First Tier Tribunal at a
specified time and place;
• a condition restricting the person’s work, occupation or
studies in the United Kingdom;
• a condition about the person’s residence;
1
2Immigration Bail Version 16.0 dated 8August 2023
Namely: (a) paragraph 16(1), (1A) or (2) of Schedule 2 to the ImmigrationAct 1971
(detention of persons liable to examination or removal); (b) paragraph 2(1), (2) or (3) of Schedule 3 to thatAct
(detention pending deportation); (c) section 62 of the Nationality, Immigration andAsylumAct 2002
(detention of persons liable to examination or removal); and (d) section 36(1) of the UK BordersAct 2007
(detention pending deportation).
7 Enforcement Notice
• a condition requiring the person to report to the
Secretary of State or such other person that may be
specified;
• an electronic monitoring condition; or
• such other conditions as the person granting
immigration bail sees fit.
21. Schedule 10 paragraph 4(1) Immigration Act 2016 confirms that
electronic monitoring condition “means a condition requiring the
person on whom it is imposed (“P”) to co-operate with such
arrangements as the Secretary of State may specify for detecting
and recording by electronic means one or more of the following—
(a) P’s location at specified times, during specified periods of
time or while the arrangements are in place;
(b) P’s presence in a location at specified times, during specified
periods of time or while the arrangements are in place;
(c) P’s absence from a location at specified times, during
specified periods of time or while the arrangements are in place”
PART III: THE BACKGROUND
22. This section sets out the relevant facts of the infringements that
are the subject of this EN.
The pilot and its scope
23. On 15 June 2022 the Home Office commenced the pilot to run
initially for 12 months, and later extended this period by a further
six months. The pilot extended the Home Office’s use of electronic
monitoring as an immigration bail condition to a new cohort:
8 Enforcement Notice
individuals who arrive in the UK via unnecessary and dangerous
routes who have claims suitable for consideration under the
detained asylum casework (DAC) process. The pilot size was set
at up to 600 individuals to be subject to electronic monitoring and
600 further individuals to form the control group.
24. The high-level purpose of the pilot is described as:
“… test whether electronic monitoring (EM) is an effective
means by which to improve and maintain regular contact
with asylum claimants who arrive in the UK via unnecessary
and dangerous routes and more effectively progress their
claims towards conclusion.” 3
25. Initially the pilot also covered asylum seekers who arrived in the
UK via unnecessary and dangerous routes and were considered
inadmissible, but this cohort ceased as a result of a successful
legal challenge.
26. Pilot participants were monitored for breach of immigration bail
conditions by the Home Office’s processor in the same way as the
existing process for electronic monitoring as an immigration bail
condition.
27. The pilot ended in December 2023, and so did the collection of
personal data using electronic monitoring devices for the pilot.
However, processing of personal data gathered or created during
the course of the pilot will continue until such time as all pilot
personal data has been deleted or anonymised. This EN relates to
the extent that the Home Office has failed and is failing to deal
3Set out in Draft DPIAV2.3 and Pilot Guidance.
9 Enforcement Notice
with this personal data in accordance with the requirements of the
UK GDPR.
The DPIAs and other Home Office documents
28. The Commissioner has reviewed the following DPIAs provided by
the Home Office:
Title Document Date
GPS Expansion (small Boats) final version 0.1 26.01.22
Satellite Tracking Services (STS) GPS expansion 30/05/2022
version 0.2 (ODPO review
complete)
STS GPS expansion Version 2.0 12.12.22
Satellite Tracking Services (STS) Version 2.2
(draft) with separate risk table 7.2 (“Draft DPIA 07.08.23
V2.2”)
Satellite Tracking Services (STS) Version 2.3
(draft) with separate risk table 7.2 (“Draft DPIA
13.10.23
V2.3”)
29. The Home Office published guidance: “Immigration Bail
Conditions: Electronic monitoring (EM) expansion pilot” version 1.
This was updated and published as version 2 on 23 June 2023
(the “Pilot Guidance”). This document states that it must be read
in conjunction with the Immigration Bail Guidance (the
“Immigration Bail Guidance”). The most recent version of this
document is Version 16.0 published on 8 August 2023.
30. This Pilot Guidance sets out the process for Home Office staff
when considering electronic monitoring as a condition of
immigration bail for persons who fall within the scope of the pilot.
31. In terms of privacy information, the Home Office provided the
STS Bespoke Privacy Information Notice to the Commissioner on
10 Enforcement Notice
30 January 2023 and the STS Privacy Information Notice GPS
Expansion Pilot Cases on 21 August 2023. An updated version of
the STS Privacy Information Notice GPS Expansion Pilot Cases
was provided to the Commissioner on 13 October 2023 (the “STS
PIN”).
32. The Home Office provided copies of the Home Office EM Internal
Data Request Form (the “Data Access Request Form") and the
data access request guidance (the "Data Access Guidance") to the
Commissioner on 6 January 2023. The Home Office provided the
Process Control Document Process Data Requests v0.8SM and the
Process data requests v0.10 to the Commissioner on 1 September
2023 (“the Process to Access Information”). These documents set
out the process for Home Office staff to follow when accessing the
trail data collected by the electronic tags.
33. In addition, the Home Office provided the Commissioner with an
Appropriate Policy Document v3.0, GPS Expansion ROPA v2, and
a document entitled General observations and recommendations
outside pilot scope, on 21 August 2023. A “DPIA and Recs gap
analysis document” was sent on 22 August 2023. A Glossary of
Terms for DPIA 2 and a GPS Data Flow Map were provided to the
Commissioner on 1 September 2023.
34. The Home Office did not refer to or provide any additional
documents in its formal representations made following the PEN.
The purpose of the pilot
35. From paragraph 2 of the Draft DPIA V2.3 the purpose of the pilot
is as follows:
“This pilot will examine the impact of EM [electronic
monitoring] on compliance with immigration bail and the
11Enforcement Notice
asylum process. At the end of the pilot, recommendations
will be made regarding the efficacy or not of using EM as a
condition of bail for those awaiting an asylum decision
and/or following a negative decision.
The intended outcomes are as follows:
- The pilot is set up to tag a number of individuals who
have arrived in the UK via unnecessary and dangerous
routes and fail to have their claims considered under the
detained asylum casework processes or are potentially
inadmissible. The pilot is a mechanism for gathering the
evidence to inform a future decision on wider roll out of
GPS tagging, supported by the underpinning policy
rationale of:
• Increasing levels of compliance and improved and
regular contact management, whilst reducing the
risks of absconding;
• Establishing whether tagging is an effective
alternative to detention.
Data will be used to test whether electronic monitoring (EM)
is an effective means by which to improve and maintain
regular contact with asylum claimants who arrive in the UK
via unnecessary and dangerous routes and more effectively
progress their claims toward conclusion.”
36. In Paragraph 3 of Draft DPIA V2.3, there is similar wording but
with additional details. In particular, in addition to the policy
rationale above, it also includes:
12Enforcement Notice
• “Ensuring that the data subjects are in regular
contact with the Home Office throughout their
application process.
• The Home Office has a duty to prevent asylum
seekers absconding without appropriate leave to
remain.
• Detention is the only current option that prevents
absconding”.
It goes on to state that “there is a potential benefit that it may
assist in disrupting criminal networks – eg people traffickers”.
Finally in this section, the Home Office states that “The hypothesis
[for the pilot] is that tagging individuals will reduce the rate of
absconding”.
37. The Pilot Guidance confirms this and sets out additional purposes
(page 6):
“…establishing whether electronic monitoring is an effective
way to improve and maintain regular contact management
with asylum claimants who arrive in the UK via unnecessary
and dangerous routes, in order to progress their immigration
case. We will also be able to test the rate of absconding and
obtain data on how frequently this happens as well as
developing a greater understanding of the stages in the
process it is likely to occur and establish if electronic
monitoring and associated improvements in contact
management prevent absconding.
If anyone does abscond and therefore breaches their
conditions of bail, we will also be able to test whether we are
able to use this knowledge to more effectively re-establish
13Enforcement Notice
contact with individuals or locate them for removal or
detention if appropriate in their case. Trail data will be held
by the EM supplier but may be accessed by the Home Office
where one or more of the following applies and where
proportionate and justified in the circumstances in
accordance with data protection law:
• a breach of immigration bail conditions has occurred,
or intelligence suggests a breach has occurred to
consider what action should be taken in response to a
breach up to and including prosecution
• where a breach of immigration bail conditions has
occurred, which has resulted in the severing of contact
via EM, trail data will be used to try to locate the
person
• where it may be relevant to a claim by the individual
under Article 8 ECHR
• to be shared with law enforcement agencies where
they make a legitimate and specific request for access
to that data.”
38. The first two bullets above set out reasons why trail data will be
accessed which form part of the operation of the pilot
(“Operational Purposes”). The second two bullets are reasons why
trail data may be accessed which do not form part of the
operation of the pilot (“Non-Operational Purposes”).
14Enforcement Notice
The pilot personal data
39. The personal data which will be processed for the pilot (the “pilot
personal data”) is set out in paragraph 2.1 of the Draft DPIA V2.3.
The main description is:
“Bail Form Information (The Bail 206) will include
individuals Name, DOB, Nationality, Photograph,
offending history and any vulnerabilities (for example
health data) identified that the third party supplier may
need to be aware of. This information is used to assess
suitability for inclusion in the pilot and if selected is the
identification information that links individuals to the
tagging device.
“Electronic Monitoring Device.
Where individuals have an EM immigration bail condition
imposed, the device (a fitted ankle tag) will send a
notification where the conditions are breached using the
GPS location information and time information recorded.
The GPS equipment worn by individuals being
monitored, transmits data events to the central servers.
The data collected comprises latitudinal and longitudinal
location data only. Movements around home address or
other domestic addresses are not tracked. The device
itself does not retain data.
“Alerts received by the system are processed by EMS
staff who will review the data, determine whether there
is anything that amounts to a breach of the conditions
and notify those breach events to the Home Office where
appropriate.”
15 Enforcement Notice
40. In addition, the Draft DPIA V2.3 sets out that there will be a
control group of individuals, who will meet the criteria but will not
be electronically monitored. The Draft DPIA V2.3 sets out that the
control group is:
“...made up of individuals who met the condition for tagging
as part of DAC or MEDP [Migration and Economic
Development Partnership] but who are not tagged either
following individualised assessment or as a consequence of a
variety of other factors eg timing, tribunal activity etc which
have no bearing on likelihood of absconding and therefore
act as a legitimate comparator.”
The DPIA sets out that no new data will be generated for this
control group but rather the Home Office will rely on data which is
already held on the Home Office systems as part of business as
usual processes.
The pilot data subjects
41. The data subjects are the individuals who fall within the scope of
the pilot, plus those in the control group.
ICO engagement with the Home Office
42. The ICO has been engaging with the Home Office since 11 August
2022. The Commissioner’s understanding of the Home Office’s
processing, and his findings in this EN, are based on the
information he has received over the course of his engagement
with the Home Office.
43. During this engagement, the Commissioner raised concerns with
the Home Office about the legality of processing of personal data
captured by the GPS tags. The Commissioner raised concerns that
16Enforcement Notice
continuous monitoring of individuals using GPS tracking by an
electronic tag is intrusive. These concerns related to the GPS
tracking data which the device collects, both in terms of the
volume and the nature of the data collected and the way the
electronic tag is fitted and worn. The Commissioner identified
concerns that the data protection impact assessment (DPIA) and
privacy notice(s) provided by the Home Office did not meet UK
GDPR requirements. The Commissioner also highlighted the
importance of the Pilot Guidance and improvements which could
be made.
44. On 6 July 2023, the Commissioner issued a report to the Home
Office (the “Report”), setting out the Commissioner’s concerns
and recommendations for action needed to correct breaches of UK
GDPR.
45. On 21 August 2023 the Home Office responded with:
• an Appropriate Policy Document regarding the Home
Office’s use of special category data;
• GPS Expansion ROPA v2;
• STS Privacy Information Notice (PIN) GPS Expansion
Pilot Cases; the Draft DPIA V2.2 with a separate DPIA
risk section 7.2;
• a DPIA and Recs gap analysis (correct version provided
on 22 August 2023); and
• a document setting out General observations and
recommendations outside the pilot scope.
17Enforcement Notice
46. On 1 September 2023, the Home Office provided the
Commissioner with a Glossary of Terms for DPIA 2, GPS Data Flow
Map and the Process to Access Information.
47. On 28 September 2023, the Commissioner provided the Home
Office with a draft preliminary enforcement notice. The draft
preliminary enforcement notice was shared at an early stage to
allow the opportunity for early action by the Home Office to
resolve the infringements. By email dated 13 October 2023 the
Home Office responded with:
• the Draft DPIA V2.3 with an updated separate DPIA risk
document (7.2(2));
• a link to the immigration bail guidance and the Pilot
Guidance. This was the version published on 23 June
2023. This had not been updated after the draft
preliminary enforcement notice;
• a copy of the Process to Access Information and Data
Access Request Form. These documents had not been
updated after the draft preliminary enforcement notice;
and
• the STS PIN.
48. In the email of 13 October 2023 the Home Office confirmed that:
“In reflecting on this draft preliminary enforcement
notice, although a DPIA was in place prior to processing,
it is acknowledged that initial interpretation of the
legislation in this case, that a DPIA was not mandatory,
resulted in the process and engagement that has since
18Enforcement Notice
needed to take place. Learning, following engagement
with the ICO will be taken for the future.”
49. On 19 December 2023, the Information Commissioner sent to the
Home Office a Preliminary Enforcement Notice and a Notice of
Intent to Issue a Warning which set out the Commissioner’s
provisional findings of infringement. They also set out how the
Home Office may make both written and/or oral representations
as to why the Commissioner should not issue an enforcement
notice and about the Commissioner’s provisional decision to issue
a warning.
50. On 31 January 2024 the Home Office provided written
representations to the Information Commissioner (the
“Representations”). The Home Office did not request an oral
hearing.
51. This EN relates to matters to which the Report and PEN were
directed and takes into account the documents set out in
paragraphs 28 - 33 above.
52. The Commissioner recognises the approach taken by the Home
Office to address some of the issues of concern raised . Careful
consideration has been given to all of the relevant material
provided by the Home Office at all stages of the process.
53. This EN relates only to matters which in the view of the
Commissioner have not yet been addressed and applies to the
ongoing processing of pilot personal data
19 Enforcement Notice
PART IV: THE COMMISSIONER’S FINDINGS OF INFRINGEMENT
A. CONTROLLERSHIP AND JURISDICTION
54. The Commissioner is satisfied that the Home Office is the
controller of the pilot personal data , and that UK GDPR applies to
the Home Office as controller under Article 3(1).
55. The Home Office processes personal data for its management of
immigration, including individuals entering or leaving the UK,
securing the border, leave, settlement, citizenship or other
immigration services, claiming asylum or other forms of
protection. The Home Office also processes personal data as part
of its functions to enforce immigration laws, law enforcement for
criminal matters, and other lawful matter including those related
to public health. The Home Office is the controller for this
information, including when the information is collected or used
by third parties on its behalf.
56. The Commissioner’s assessment is that the Home Office has
committed a number of infringements of the UK GDPR in relation
to its processing of the pilot personal data. These are addressed
below.
B. INFRINGEMENT OF ARTICLE 35 UK GDPR
57. For the reasons set out below, the Commissioner’s assessment is
that the Home Office has failed and is failing to comply with
Article 35 UK GDPR in relation to its processing of the pilot
personal data.
20 Enforcement Notice
Legal Framework – Article 35
58. Article 35 UK GDPR requires controllers, prior to processing, to
carry out a DPIA where processing is likely to result in a high risk
to the rights and freedoms of individuals.
59. A DPIA is a process designed to help controllers systematically
identify and analyse data protection risks to individuals arising
from the processing of personal data, and to minimise those risks
as far as possible.
60. Article 35(1) requires that:
“Where a type of processing in particular using new
technologies, and taking into account the nature, scope,
context and purposes of the processing, is likely to result in
a high risk to the rights and freedoms of natural persons,
the controller shall, prior to the processing, carry out an
assessment of the impact of the envisaged processing
operations on the protection of personal data. A single
assessment may address a set of similar processing
operations that present similar high risks.”
61. Article 35(7) sets out the requirements for this assessment
(known as a data protection impact assessment or DPIA).
62. A controller could breach Article 35(1) in several ways, including
because:
• it has not carried out a DPIA at all,
• it carried out a DPIA but it does not meet the
requirements of Article 35(7).
21 Enforcement Notice
• it carried out a DPIA which meets the requirements of
Article 35(7) but not prior to the relevant processing.
63. Article 35(3) lists three types of processing that automatically
require a DPIA. These are:
(a) “systematic and extensive evaluation of personal
aspects relating to natural persons which is based on
automated processing, including profiling, and on which
decisions are based that produce legal effects
concerning the natural person or similarly significantly
affect the natural person;
(b) processing on a large scale of special categories of data
referred to in Article 9(1), or of personal data relating to
criminal convictions and offences referred to in Article
10; or
(c) a systematic monitoring of a publicly accessible area on
a large scale.”
64. Article 35(4) requires the Commissioner to “establish and make
public a list of the kind of processing operations which are subject
to the requirement for a data protection impact assessment
pursuant to paragraph 1”.
65. Accordingly, as required by Article 35(4) UK GDPR, the
Commissioner has published a list of ten examples of processing
“likely to result in high risk” (referred to as “ICO DPIA
Examples”).
4Examples of processing ‘likely to result in high risk’| ICO
22 Enforcement Notice
66. Article 35(7) specifies what is required, at a minimum, to be
included in a DPIA carried out in compliance with Article 35(1).
The assessment must contain:
(a) “a systematic description of the envisaged processing
operations and the purposes of the processing,
including, where applicable, the legitimate interest
pursued by the controller;
(b) an assessment of the necessity and proportionality of
the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of
data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including
safeguards, security measures and mechanisms to
ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into
account the rights and legitimate interests of data
subjects and other persons concerned.”
The requirement for the Home Office to carry out an Article 35
DPIA prior to the start of the processing
67. The Commissioner’s assessment is that the Home Office was
required by Article 35(1) to have carried out a DPIA which met
the requirements of Article 35(7), prior to the start of the
processing of the pilot personal data, for the reasons set out
below.
68. First, the processing of personal data for the pilot falls within
Article 35(3)(a) as it involves:
23Enforcement Notice
“systematic and extensive evaluation of personal
aspects relating to natural persons which is based on
automated processing, including profiling, and on which
decisions are based that produce legal effects
concerning the natural person or similarly significantly
affect the natural person;”
69. ICO guidance sets out when processing is “systematic”:
“‘systematic’ means that the processing:
• occurs according to a system;
• is pre-arranged, organised or methodical;
• takes place as part of a general plan for data collection; or
• is carried out as part of a strategy.”
70. The pilot involves systematic processing as the GPS tags will
systematically collect personal data regarding the location of the
data subjects at specific times and dates.
71. ICO guidance sets out when processing is “extensive”:
“The term ‘extensive’ implies that the processing also covers
a large area, involves a wide range of data or affects a large
number of individuals.”
72. The pilot involves extensive processing because, overall, it
captures a very large volume of personal data. In particular, the
processing has the potential to cover trail data sent from a large
area (GPS tags will collect the trail data of the data subjects), and
a wide range of data can be inferred from it.
73. The pilot involves automated processing as the GPS tags
automatically collect and send the trail data of the data subjects
24Enforcement Notice
to the Home Office’s processor. As the ICO guidance states, “the
processing occurs according to a system.”
74. The trail data will be used by Home Office staff to make decisions
regarding the data subjects which will have legal effects. For
example, whether the data subject has breached the conditions of
their immigration bail and what actions the Home Office will take,
for example whether the data subject should be detained as a
result.
75. Second, the processing of personal data under the pilot falls
within at least three of the ICO DPIA Examples of processing
“likely to result in a high risk to the rights and freedoms of natural
persons”, as set out in the following paragraphs.
76. ICO DPIA Example 2: Denial of service:
“Decisions about an individual’s access to a product, service,
opportunity or benefit that is based to any extent on
automated decision-making (including profiling) or involves
the processing of special category data.”
77. The trail data may include special category data (see paragraphs
95-101 below). The Home Office staff will be using that data to
make decisions as to whether a data subject has breached their
bail conditions and whether that means those conditions need to
be altered or immigration bail revoked.
78. ICO DPIA Example 3: Large scale processing:
“any profiling of individuals on a large scale”
79. The processing of personal data for the pilot is “large scale
processing” because a large volume of trail data about the data
subjects will be collected. It is profiling as the trail data records
25 Enforcement Notice
the location, movements and behaviours of the data subject. For
the purpose of assessing whether processing operations require a
DPIA, it is not relevant that the large volume of trail data will only
be accessed by the Home Office staff in limited circumstances.
80. This is very similar to one of the examples in the Commissioner’s
guidance, namely “tracking individuals using a city’s public
transport system.”
81. ICO DPIA Example 8: Tracking, when combined with any of the
criteria from the European guidelines :5
“processing which involves tracking an individual’s
geolocation or behaviour.”
The Home Office processing of trail data involves tracking both
geolocation and behaviour.
82. The relevant criteria within the European guidelines are:
processing of sensitive data or data of a highly personal nature;
processing of data on a large scale; and processing personal data
concerning vulnerable data subjects.
83. The pilot is likely to involve sensitive data and data of a highly
personal nature, including special category data. This is because
trail data contains a data subject’s time and date of visits to
particular locations which could reveal this information, such as a
visit to a specific medical clinic.
84. The pilot involves processing of personal data on a large scale due
to the volume of trail data collected about data subjects. A
5“Guidelines on Data Protection ImpactAssessment (DPIA) and determining whether processing is “likely to
result in a high risk” for the purposes of Regulation 2016/679”Adopted on 4April 2017.As last Revised and
Adopted on 4 October 2017
26 Enforcement Notice
significant number of data subjects are likely to be vulnerable
(see paragraphs 102-110 below).
The Home Office’s infringement of Article 35(1) – to carry out a
DPIA which meets the requirements in Article 35(7)
85. The Home Office completed its first DPIA for the pilot on 26
January 2022, GPS Expansion (small Boats) final version 0.1.
Version 2.0 was signed off by the ODPO (the office of the data
protection officer) before the pilot started. The ICO on behalf of
the Commissioner provided detailed comments on this Version
2.0, setting out how it needed to be improved to bring it into line
with Article 35.
86. This version of the DPIA has since been updated a number of
times to form the Draft DPIA V2.3. The Commissioner’s
assessment is that none of the versions of the DPIA meet the
requirements of Art 35(7).
87. For the purpose of this EN the Commissioner has focused only on
the deficiencies in the most recent version, being Draft DPIA V2.3.
88. An analysis of the four component parts of Article 35(7) is set out
in turn below, ie Articles 35(7)(a), 35(7)(b), 35(7)(c) and
35(7)(d).
89. Before identifying the infringements in detail, the Commissioner
makes the following overarching comments in relation to the
DPIAs provided by the Home Office:
• The Commissioner is mindful of the Home Office’s
statutory obligations to keep citizens safe and the
country secure through maintaining the integrity of the
UK’s borders and managing immigration effectively.
27 Enforcement Notice
• The limited level of detail included in the DPIAs was not
commensurate with the nature, context and scope of
processing for the pilot, and therefore did not comply
with the requirements of Article 35(7).
• The level of detail required by Article 35(7)(a) is vital for
the Home Office to: make a proper risk assessment and
assessment of the necessity and proportionality of the
processing for its purposes; to be in a position to
effectively mitigate any risks; and to document
compliance with Article 5(1).
• This assessment should have demonstrated whether
there were any reasonable alternatives to electronic
monitoring. This would have allowed the Home Office to
decide whether the level of intrusiveness of electronic
monitoring was necessary and proportionate when
considering those alternatives.
• As a result of the breaches of Article 35, the Home Office
was unable to rely on Draft DPIA V2.3 to demonstrate it
was processing personal data for the pilot in compliance
with UK GDPR and was unable to meet the requirements
of Article 5(2) to be able to demonstrate compliance with
Article 5(1) (See from paragraph 53 onwards and
below).
Assessment of whether Draft DPIA V2.3 meets the requirements
of Article 35(7)
90. Set out below is the Commissioner’s assessment of whether Draft
DPIA V2.3 meets the requirements of each of Articles 35(7)(a) to
35(7)(d). His conclusion is that the Home Office has failed to
produce a DPIA which meets these requirements.
28 Enforcement Notice
Article 35(7)(a): “a systematic description of the envisaged
processing operations and the purposes of the processing including,
where applicable, the legitimate interest pursued by the controller”
91. The ICO’s DPIA guidance , following UK GDPR recital 90, states
that DPIAs must include a description of how and why the
controller plans to use the personal data, and that this description
must include the nature, scope, context and purposes of the
processing.
92. The Commissioner’s assessment is that the Home Office did not
systematically describe the processing operations it was
undertaking for the purposes of the pilot in the Draft DPIA V2.3,
and as a result, the Draft DPIA V2.3 did not sufficiently describe
the nature, scope, context and purposes of processing, as set out
in the following paragraphs.
(i) The nature of the processing
93. The Commissioner’s assessment is that the Home Office did not
sufficiently explain in its Draft DPIA V2.3 the nature of the
processing. In particular, there was insufficient information and/or
not enough detail of:
• The categories of personal data being processed at each
stage, for each processing operation. In particular, Draft
DPIA V2.3 lacked clarity about which categories of
personal data were being processed for each purpose
that had been listed.
• The Data Flow map that the Home Office refers to in
their Representations was not referenced in the DPIA.
6How do we do a DPIA? | ICO
29 Enforcement Notice
• The circumstances under which the Home Office staff
could access the trail data, and the conditions and
restrictions that must or could be placed upon that
access (including where the trail data is being provided
to a third party agency). Section 2.1 of the DPIA lacked
detail about the conditions and restrictions that must or
could be placed upon any access (including where the
trail data is being provided to a third party). In its
Representations, the Home Office states that this
information is contained in its “Process Control
Document” V0.8. However, this document was not
referenced in Draft DPIA V2.3.
• The safeguards in place for the access and ongoing
retention of trail data to demonstrate that access and
ongoing retention is necessary, proportionate and
compatible with the purpose of the processing.
(ii) The scope of the processing
94. The Commissioner’s assessment is that the Home Office did not
sufficiently explain in its Draft DPIA V2.3 the scope of the
processing (ie what the processing covers), including:
• details of the volume, frequency and nature of the trail data. It
does not explain in enough detail the data sent by the
electronic tags ;
• what special category data is processed for the pilot (see
paragraphs 95-101 below); and
• detailed identification of the assessment of whether individuals
could be vulnerable and their actual and potential vulnerabilities
and risks. (see paragraphs 102-110 below).
30 Enforcement Notice
Special category data
95. In the Draft DPIA V2.3, section 2.3 sets out that the processing
included criminal conviction data, race or ethnic origin (including
nationality) and health. The Home Office stated that this is data it
was already processing as part of its immigration case file.
96. The Draft DPIA V2.3 set out that health data was used in the
assessment of suitability for electronic monitoring. It also stated
that nationality is not special category data but that the Home
Office routinely treats this in the same way as it does race or
ethnicity to protect the individual to the same level.
97. The Draft DPIA V2.3 accepted that trail data could be used to
determine the precise type of place that the data subject is
attending but stated that:
“...this information is not required for the purpose of this trial and
will not be used to infer anything about their nature or behaviour.”
98. The Home Office stated in its Representations that it specifically
ruled out inferring any special category data from the trail data,
and does not agree that trail data is “highly likely” to constitute
special category data.
99. In this situation, personal data in the trail data is special category
data if, in and of itself, the personal data reveals the special
category data with a reasonable degree of certainty.
100. The Commissioner’s assessment is that there is a likelihood (that
is more than minimal) that the Home Office will on occasion be
processing special category data when it processes the trail data
alongside information about the places the data subject visits. For
example, a map showing the use of buildings and/or the names
31 Enforcement Notice
and locations of organisations. This likelihood is outside of the
Home Office’s control as it depends on the data subject’s
movements. The trail data when processed alongside that
information, will, on occasion, in and of itself reveal special
category data. For example, personal data showing a person
attending a religious building each week on the day of regular
worship, in and of itself reveals their religion with enough
certainty that this is special category data.
101. The Home Office processed the trail data alongside this type of
information when it accessed and used the trail data for its
Operational Purposes. This may also be the case for its Non-
Operational Purposes. How likely it is that the Home Office will
process special category data is dependent on the number of data
subjects whose trail data is accessed, but it is a (more than
minimal) possibility with every data subject. On that basis, the
Home Office must consider that using the trail data alongside this
type of information will be processing special category data.
Vulnerable data subjects
102. In Draft DPIA V2.3 the conclusion is reached that the processing
will not involve “mostly data concerning vulnerable data subjects.”
The Draft DPIA V2.3 sets out that “any material vulnerability will
be considered as part of the assessment prior to tagging. Any
individuals that may be unduly affected as a consequence of
electronic monitoring will not be included in the pilot.”
103. The Draft DPIA V2.3 does not provide any basis for this conclusion
that the trail data does not “mostly” concern vulnerable data
subjects.
32 Enforcement Notice
104. In its Representations, the Home Office refers to the section in
the DPIA which screens for potentially vulnerable data subjects,
and states that the “Immigration Bail conditions documents
provide guidance in relation to vulnerabilities”.
105. The guidance on “Vulnerability consideration” is in the
“Immigration Bail” guidance on pages 31 to 35. and in the
“Immigration Bail conditions: Electronic monitoring expansion
pilot” guidance on pages 13 and 14. The latter guidance also
refers back to the main Immigration Bail guidance.
106. Both contain a non-exhaustive list of conditions/issues/
considerations which could mean that a person is not suitable for
an electronic monitoring condition. The lists are very similar, but
not identical. In both cases the list sets a high bar for
vulnerability. For example, both lists require medical evidence
that an electronic monitoring condition would cause serious harm,
or evidence that a claim of torture or modern slavery has been
accepted by the Home Office or a Court. Although neither are
exhaustive lists, the implication is that other conditions/issues/
considerations must be of a similarly serious nature.
107. Home Office’s stated purpose is to consider “material
vulnerability” as part of the decision whether or not to issue an
electronic monitoring condition. This is not the same as the
requirement in a DPIA to consider any vulnerability of data
subjects.
7
108. The ICO Guidance sets out how to consider if an individual is
vulnerable when conducting a DPIA. It says:
7When do we need to do a DPIA? | ICO
33 Enforcement Notice
“Individuals can be vulnerable where circumstances may
restrict their ability to freely consent or object to the
processing of their personal data, or to understand its
implications.
“Even if the individuals are not part of a group you might
automatically consider vulnerable, an imbalance of power in
their relationship with you can cause vulnerability for data
protection purposes if they believe that they will be
disadvantaged if the processing doesn’t go ahead.”
109. The Commissioner considers that a detailed assessment of
vulnerabilities is required as there is a risk that a significant
number of individuals within the scope of the pilot could be
vulnerable. This is because of (inter alia) the conditions they have
come from, the circumstances of their journey, their reception
and experiences in the UK, their level of English language skills
and the imbalance of power between the data subjects and the
Home Office. The Home Office has not provided any
Representations as to why this might not be the case.
110. The Draft DPIA V2.3 does not address the risk of vulnerabilities
and therefore does not consider whether any mitigating factors
should be put in place. This means the Draft DPIA V2.3 does not
consider if there are increased or additional risks to the
vulnerable, nor how to mitigate those risks.
(iii) The context of the processing
111. The context of the processing involves considering the wider
picture, including (inter alia) how far individuals are likely to
expect and understand the processing.
34 Enforcement Notice
112. The Draft DPIA V2.3 at paragraph 2.7 sets out that individuals will
be informed of their privacy rights through the privacy notice(s).
The Home Office in its Representations has referred to the
Immigration Bail Conditions guidance which states that:
“It is important that decision makers inform the bailed
person of their responsibilities regarding electronic
monitoring and how their data can be used”.
This may have assisted the understanding of some data subjects.
But this is not referred to in the Draft DPIA V2.3, so could not
form part of the “context” for consideration.
113. As set out at paragraphs 184-188 below, the Commissioner’s
assessment is that the Home Office has failed to demonstrate
compliance with its transparency obligations under Article 5(1)(a)
and articles 12 and 13.
114. The Commissioner’s assessment is that there is a significant risk
that some data subjects, in particular those who are vulnerable,
will not understand how their personal data is being processed
and for what purposes. He understands that for some data
subjects this risk has been mitigated by Home Office staff
explaining how their data would be used. This should have been
noted in the DPIA as part of the context, alongside further detail
as to how this information must be delivered and recorded. On
that basis, his assessment is that the context of the processing
has not been set out in enough detail in Draft DPIA V2.3.
(iv) The purpose of the processing
115. The Commissioner’s assessment is that while the Home Office
may have set out all of its purposes in processing the personal
data somewhere in the Draft DPIA V2.3, they are not set out
35 Enforcement Notice
precisely and in sufficient detail in one place, so that the Home
Office could correctly carry out the assessment of necessity and
proportionality of the processing operations in relation to the
purposes (required by Article 35(7)(b)) and an assessment of the
risks to the rights and freedoms of the data subjects (required by
Article 35(7)(c)).
116. The purpose is set out in sections 2 and 3 of the Draft DPIA V2.3
(which are set out in full in paragraph 34, 35 and 36 above).
Although the lawful basis for processing is set out at sections 3.2,
3.3 and 3.4 of the DPIA, for clarity, the Commissioner also
recommends that the Home Office links its purposes to both its
Article 6(1)(e) public task and its Article 9(2)(g) public interest
condition.
Article 35(7)(b): “an assessment of the necessity and proportionality
of the processing operations in relation to the purposes”
117. In accordance with Article 35(7)(b), the DPIAs must contain an
assessment of the necessity and proportionality of each
processing operation in relation to the purposes.
8
118. ICO guidance explains that, in considering necessity and
proportionality, controllers should assess:
• if the plans help to achieve their purpose; and
• if there is any other reasonable way to achieve the same
result.
119. The assessment of proportionality and necessity is set out in
section 3.1 of the Draft DPIA V2.3. For the reasons set out in the
following paragraphs, the Commissioner’s conclusion is that this
8How do we do a DPIA? | ICO
36Enforcement Notice
was not a complete, reasoned analysis of whether each of the
processing activities in the pilot is necessary and proportionate for
the purpose.
120. The details set out within the Draft DPIA V2.3, and in particular
section 3.1, were too high level and did not provide a sufficient
consideration of all the factors involved, nor the underlying
evidence base.
121. There was insufficient consideration of any reasonable
alternatives, and whether the level of intrusiveness of electronic
monitoring is proportionate when considering those alternatives.
The Draft DPIA V2.3 set out that to date, no options other than
detention have been identified as available to control rates of
absconding. The Commissioner’s view is that if no other options
were identified as available to control rates of absconding, then
the DPIA should have specified the options or alternatives which
had been considered but discounted and explain why each
alternative was rejected.
122. Section 3.1 of the Draft DPIA V2.3 explains that:
“When [trail] data is requested, the requester must prove
the need for the data and that they have considered the
amount of data that is required. All applications are
scrutinised by the Service Delivery Team who reject any
requests where they determine that proportionality and/ or
necessity are not adequately proven.”
This sets out how the decision was made to allow access to trail
data, but it is not a complete, reasoned analysis of the necessity
and proportionality when access is given to the trail data.
37Enforcement Notice
123. The Home Office in its Representations has referred to Section 2.1
which explains that:
“Data collected is not accessed unless an exception alert is
triggered. Authorised Home Office staff may request access
to GPS trail data for a specified period and review that data
in the event of [a list of specific occurrences, such as a
breach of Immigration Bail Conditions].
This section sets out circumstances when Home Office staff will
access trail data for their Operational Purposes. Again, it is not a
complete, reasoned analysis of the necessity and proportionality
when access is given to the trail data.
124. Section 3.1 of the Draft DPIA V2.3 explains that the pilot is a
mechanism for gathering evidence to inform a future decision on
wider roll out of electronic monitoring, supported by the
underpinning policy rationale of:
• Ensuring that the data subjects are in regular contact
with the Home Office throughout their application
process.
• The Home Office having a duty to prevent asylum
seekers absconding without appropriate leave to remain.
• Detention as the only current option that prevents
absconding.
There is no detail setting out an assessment that processing
personal data for the pilot (including all categories of data) is
necessary and proportionate for those stated goals.
125. Section 3.1 states that data subjects are “effectively randomly
assigned whether they are provided with a tag or not once their
38Enforcement Notice
suitability has been assessed based on factors unrelated to the
likelihood of absconding.” This statement, without further
explanation as to the rationale for this selection process, does not
sufficiently explain how choosing the particular pilot participants
will assist the Home Office in meeting its stated purposes. As a
result, it fails to set out how the selection of each participant is
necessary and proportionate for the purpose of the pilot.
126. Section 3.1 of the Draft DPIA V2.3 also states that data subjects
will not be electronically tagged if it would breach “Convention
Rights” (meaning Human Rights under the Human Rights Act
1998) or if it is not practical to do so, and that this assessment is
taken on a case by case basis, with representations invited. There
is insufficient further detail as to the circumstances in which
electronic monitoring might breach Convention Rights or be
deemed not to be practical, and insufficient detail is given as to
the means by which Home Office staff will identify potential
Convention Rights interferences. The Commissioner’s views on
how the Pilot Guidance deals with Convention Rights are
addressed further at paragraphs 171-174 below.
127. The tenth paragraph of section 3.1 of the Draft DPIA V2.3 sets out
that data subjects will be given a new notice. There is not enough
detail to demonstrate how data subjects are informed about how
their data is being processed, particularly taking into account their
circumstances and potential vulnerabilities. (See paragraphs 184-
188 in relation to the Commissioner’s assessment of the extent to
which the Updated Privacy Notice(s) comply with UK GDPR). We
note that Home Office has stated in its Representations that
39Enforcement Notice
“Whilst privacy notices were available, the primary
communication method was via direct engagement (given
the limitations of privacy notices in this context)”
128. The Commissioner acknowledges the benefit of this approach, but
additional details would be needed to explain how this information
was effectively delivered and documented. This must be recorded
within the DPIA so this can be taken into account as part of the
necessity and proportionality test.
129. The DPIA should contain an assessment of the necessity and
proportionality of retaining the data and the safeguards in place
for access to retained data. This should include justification for
the retention periods. In light of the volume and sensitivity of the
trail data collected this should include an assessment of whether
all the trail data is required to be retained for the stated retention
periods.
130. The Home Office in its Representations explained that:
“Standard Home Office policy applies (in most cases, this
will be six years after the closure of the claim). The six
year retention period was determined over a period of
years and allows time for judicial reviews, complaints and
legal reparation. Where information is used as part of a
criminal investigation the standard law enforcement
retention times will apply once the data is moved to the
investigation service.”
131. The DPIA should have documented that the Home Office had
considered whether the standard Home Office policy of a 6 year
retention period should apply, and the reasons why it was decided
that it does. The Commissioner agrees that in principle a 6 year
40Enforcement Notice
retention period may be appropriate, provided Home Office has
decided that this complies with the principle of data storage
limitation for these particular types of personal data. The DPIA
should also have noted that any pilot personal data which is used
as part of a criminal investigation will then be retained in line with
the retention periods of the Home Office investigation service.
132. Where access to the trail data forms part of the Operational
Purposes of the pilot, the DPIA must set out whether this
processing is also necessary and proportionate for the purposes of
the pilot and is in compliance with UK GDPR generally (such as
the Article 5(1)(c) principle of data minimisation). This is not in
Draft DPIA V2.3.
133. Where access to the trail data is supplementary to the purposes
of the pilot (the Non-Operational Purposes), there is no need for a
detailed necessity and proportionality assessment within the DPIA
itself as long as this assessment is made as part of the process
prior to access being granted. There should be detailed guidance
in place to reflect this and ensure that Home Office staff carry out
the assessment correctly. The DPIA should refer to this decision
process to ensure UK GDPR compliance. This is not referred to in
Draft DPIA V2.3.
Article 35(7)(c): “an assessment of the risks to the rights and
freedoms of data subjects referred to in paragraph 1”
134. Article 35(7)(c) states that a DPIA shall contain at least:
“...an assessment of the risks to the rights and freedoms of
data subjects referred to in paragraph 1.”
41 Enforcement Notice
135. The ICO’s DPIA guidance states that controllers should consider
the potential impact of the processing on individuals, and any
harm or damage the processing may cause (whether physical,
emotional or material).
136. Section 7 of the Draft DPIA V2.3 set out the “Risks of the
Processing.” Only two risks were identified: (1) “processing of
data relating to an individual’s whereabouts during the monitoring
period” and (2) “the individual is subjected to monitoring and the
data that this produces.”
137. The Draft DPIA V2.3 additional risk section 7.2(2) set out the
following additional risks: 1(A)&(B) “continuous access to
data/monitoring, inappropriate access and/or use of data”;
1(C)&(D) “use of data collected not compatible with purpose,
misuse of special category data, unauthorised access to data”;
1(E) “unauthorised access to data”; and 1(F) “risk to vulnerable
data subjects.”
138. There is a column in the additional risk section 7.2(2) headed
“Impact”, but for each risk the detail is insufficient. For example,
for risk 1(A), (B) and (C) it states “intrusion on privacy
(disproportionate to the purpose of collection).”
139. The Commissioner’s assessment is that more detail on risks and
impact is needed here, beyond a high-level statement of the
types of risk and impact. The DPIA should detail and consider:
• the risks and impact of physical, psychological and
material harm. The Home Office should refer to the ICO’s
9How do we do a DPIA? | ICO
42 Enforcement Notice
harms taxonomy . For example, the risks of
stigmatisation of data subjects and inhibited movement;
• the potential risks and impact to vulnerable data
subjects;
• the potential risks and impact of processing special
category data;
• the risk and impact to a data subject if a Home Office
staff member mistakenly issues an electronic tag in
breach of Convention Rights and/or without
understanding their vulnerability;
• the risk and impact of at least some data subjects being
unlikely to have a comprehensive understanding of the
data processing activities associated with electronic
monitoring and the associated risks to them, due to their
circumstances;
• the risk and impact of a lack of transparency regarding
the data processing activities associated with electronic
monitoring, which may undermine, complicate or hinder
the data subjects’ exercise of their rights; and
• risks and impacts related to compliance with the data
minimisation principle in Article 5(1)(c) when accessing
trail data.
140. The above paragraph does not represent a comprehensive list of
the risks arising from processing connected to the pilot and the
potential harms that could be caused.
10Overview of Data Protection Harms and the ICO Taxonomy
43Enforcement Notice
141. The Home Office in its Representations has stated that “these
risks are more speculative, contingent and more remote in nature
than the rest listed or than is usually considered in such
circumstances”.
142. The Commissioner strongly disagrees with this representation. An
important part of a DPIA is to undertake a comprehensive review
of risks based on the likelihood and severity. Of course it is not
always possible for a DPIA to cover every risk, and it is
reasonable to omit risks which are too speculative and too
remote. However, the risks outlined in paragraph 139 above
should have been included in the risk assessment. In each case
there is more than a minimal risk of occurrence, in particular
given the number of data subjects, their vulnerabilities and the
invasive nature of the processing.
143. The Commissioner’s assessment is that, in breach of Article
35(7)(c) UK GDPR, the Home Office has either failed to assess, or
has inadequately assessed, the risks to the rights and freedoms of
data subjects arising from the processing connected with the
pilot.
Article 35(7)(d) “the measures envisaged to address the risks,
including safeguards, security measures and mechanisms to ensure
the protection of personal data and to demonstrate compliance with
this Regulation taking into account the rights and legitimate interests
of data subjects and other persons concerned”.
144. The Commissioner’s view is that the Home Office’s assessment of
measures to address the risks was insufficient to meet the
requirements of Article 35(7)(d).
44Enforcement Notice
145. The risk assessment table sets out a number of mitigating actions
which the Home Office has taken to reduce or eliminate the risks
identified. However, without a full and complete assessment of the
potential risks to data subjects in accordance with Article
35(7)(c), the measures to address risk in the pilot are insufficient.
146. Paragraph 7.3 of the Draft DPIA V2.3 poses the question: “Can
you demonstrate that the risk to the individuals is sufficiently
balanced by the perceived public protection benefits[?]”. In
response, the Draft DPIA V2.3 states that:
“GPS expansion is still a Pilot at this stage to test the use of
Electronic Monitoring (EM) as a condition of immigration bail
for those making hazardous journey to the UK. If a decision
is made about its wider roll-out, the team will test and weigh
the risks to the individuals against the perceived benefits.”
147. The Commissioner acknowledges that the fact this is a pilot did
provide allowances in the evidence base for decisions. The
Commissioner’s view is that a pilot still required a detailed risk
assessment and effective risk mitigation, given that the data
subjects involved in the pilot would have been exposed to any
relevant risks.
148. The Commissioner’s view is that the Home Office has not fully
complied with the requirements of Article 35(7)(d). The mitigation
measures listed in the Draft DPIA V2.3 were not based on a
sufficiently detailed risk assessment (in accordance with Article
35(7)(c)) and so the Home Office cannot assess if the mitigations
are appropriate.
45 Enforcement Notice
INFRINGEMENT OF ARTICLE 5(2) UK GDPR
149. The Commissioner’s assessment is that the Home Office has failed
and is failing to comply with Article 5(2) UK GDPR in relation to its
processing of the pilot personal data for the reasons set out
below.
Legal Framework – Article 5
150. Article 5(1) UK GDPR imposes a requirement on controllers to
only process personal data in accordance with six principles:
“(1) Personal data shall be:
(a) processed lawfully, fairly and in a transparent
manner in relation to the data subject (‘lawfulness,
fairness and transparency’);
(b) collected for specified, explicit and legitimate
purposes and not further processed in a manner that is
incompatible with those purposes; further processing for
archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall,
in accordance with Article 89(1), not be considered to
be incompatible with the initial purposes (‘purpose
limitation’);
(c) adequate, relevant and limited to what is necessary
in relation to the purposes for which they are processed
(‘data minimisation’);
(d) accurate and, where necessary, kept up to date;
every reasonable step must be taken to ensure that
personal data that are inaccurate, having regard to the
46Enforcement Notice
purposes for which they are processed, are erased or
rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data
subjects for no longer than is necessary for the
purposes for which the personal data are processed;
personal data may be stored for longer periods insofar
as the personal data will be processed solely for
archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in
accordance with Article 89(1) subject to implementation
of the appropriate technical and organisational
measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject
(‘storage limitation’);
(f) processed in a manner that ensures appropriate
security of the personal data, including protection
against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using
appropriate technical or organisational measures
(‘integrity and confidentiality’).”
151. There is a seventh principle, which is set out in Article 5(2) UK
GDPR:
“The controller shall be responsible for, and be able to
demonstrate compliance with, paragraph 1
(‘accountability’).”
47 Enforcement Notice
The Home Office’s failure to comply with Article 5(2): the principle
of accountability
152. The Commissioner’s assessment is that the Home Office has failed
and is failing to adequately demonstrate its compliance with:
• Article 5(1)(a), the principle of lawfulness, fairness and
transparency; and
• Article 5(1)(c), the principle of data minimisation.
153. In these circumstances, the principle of lawfulness, fairness and
transparency requires compliance with (inter alia) four key UK
GDPR Articles:
• for lawfulness: Article 6 (lawfulness of processing) and Article
9 (processing of special categories of personal data); and
• for fairness and transparency: Article 12 (transparent
information, communication and modalities for the exercise of
the rights of the data subject) and Article 13 (information to be
provided where personal data are collected from the data
subject).
The Home Office must demonstrate its compliance with those four
Articles, to comply with Article 5(2).
154. The Commissioner accepts the Home Office’s Representation that
the UK GDPR does not require compliance with Article 5(2) in any
particular form. The Commissioner has based his assessment on
the documents provided by the Home Office, and notes that the
Home Office has not provided any further documents with its
Representations for consideration. On that basis, the
Commissioner concludes that there are no additional documents
48Enforcement Notice
which demonstrate the Home Office’s compliance with the
purpose of compliance with Article 5(2).
155. For ‘lawfulness’, the key documents are: the Draft DPIA V2.3,
the Pilot Guidance, the Data Access Request Form, the Data
Access Guidance and Process to Access Information.
156. For ‘fairness and transparency’, the key documents are those
provided as privacy information. From Draft DPIA V2.3, these are:
• the departmental privacy notice (the Home
Office’s high level privacy notice: Borders,
immigration and citizenship: privacy information
notice);
• privacy information within the EMS booklet; and
• the STS PIN.
In this EN, these documents together will be referred to as the
“Updated Privacy Notice”.
157. For ‘data minimisation’, the key documents are Draft DPIA
V2.3, the Data Access Request Form, the Data Access Guidance
and the Process to Access Information.
158. The Commissioner’s assessment is that the cited documents do
not demonstrate compliance with the relevant Article 5(1)
principles, and on that basis the Home Office has failed and is
failing to comply with Article 5(2). The details are set out in the
following paragraphs.
49 Enforcement Notice
(i) LAWFULNESS: demonstrating compliance with Article 6
(lawfulness of processing) and Article 9 (processing of
special categories of personal data)
159. The Commissioner’s assessment is that the Home Office has failed
and is failing to demonstrate its compliance with Articles 6 and
Articles 9, for the reasons set out below.
Draft DPIA V2.3:
160. From Draft DPIA V2.3, the Home Office is processing pilot
personal data under the Article 6(1)(e) lawful basis:
“...processing is necessary for the performance of a task
carried out in the public interest or in the exercise of official
authority vested in the controller.”
161. According to Draft DPIA V2.3 the Home Office is processing
special category personal data for the pilot under Article 9(2)(g)
and schedule 1 paragraph 6 of the DPA, which together require
that processing is (a) necessary for either the exercise of a
function conferred on a person by an enactment or the rules of
law, or a function of a Minister of the Crown or government
department; and (b) is necessary for reasons of substantial public
interest.
162. In these circumstances, the public ‘task’ referred to in paragraph
160 above, and the public ‘functions’ referred to in paragraph 161
above, are the same, being those functions of the Home Office set
out in various immigration statutes (see paragraphs 19-21 above)
(the “relevant public tasks/functions”).
163. The Commissioner’s view is that the Home Office has not
demonstrated in the Draft DPIA V2.3 the assessment of how
50Enforcement Notice
processing of pilot personal data is necessary and proportionate
for each processing activity needed for the Home Office to carry
out relevant public tasks/functions. More information on this is set
out in paragraphs 117-133 above.
The Pilot Guidance, the Data Access Request Form, the Data
Access Guidance and Process to Access Information
164. Furthermore, the Commissioner’s assessment is that the guidance
given to Home Office staff in the Pilot Guidance, the Data Access
Request Form, the Data Access Guidance and Process to Access
Information, does not demonstrate that the Home Office is only
processing the pilot personal data when it is necessary and
proportionate for the Home Office to carry out relevant public
tasks/functions. In particular, when its staff processes pilot
personal data in relation to:
(a) deciding whether or not to issue an electronic
monitoring bail condition to a data subject; and
(b) accessing the trail data.
(a) In deciding whether or not to issue an electronic monitoring
bail condition to a data subject
165. In deciding whether or not to issue an electronic monitoring bail
condition to a data subject: the decision-making process laid out
by the Pilot Guidance is that the presumption is that electronic
monitoring should be used unless:
• one of only four exceptions apply, namely the data
subject is under 18, has been released from detention
under sections 37 or 41 of the Mental Health Act 1983
and remains subject to a supervision order, is pregnant
51Enforcement Notice
(18+ weeks) or has recently given birth (up to 3 months
post-partum), or resides in Scotland or Northern Ireland.
However this can be overridden by an Assistant Director;
or
• it is impractical; or
• it would breach Convention Rights.
166. Home Office in its Representations stated that:
“These were not the only exemptions – they were merely the
exemptions that definitely applied in every case. There was no
presumption that EM should be used unless a limited set of
exemptions applied. Decision makers were able to take a non-
exhaustive list of practical reasons and representations into
account.
“Immigration bail conditions guidance:
There will be some cases that may not be suitable for an EM
condition for practicality reasons or because there is a risk that
their rights under ECHR could be breached. When reviewing the
individual circumstances of the particular case and deciding
whether it is appropriate to monitor a person, the following
should be taken into consideration:
• whether there is strong independent medical evidence to
suggest that an EM condition would cause serious harm to
the person’s mental or physical health
• whether a claim of torture been accepted by the Home
Office or a Court
52Enforcement Notice
• whether there has been a positive conclusive grounds
decision in respect of a claim to be a victim of modern
slavery
• whether the person’s mental capacity is deemed to be a
bar to understanding the EM conditions and therefore their
ability to comply for example, a person suffering with
dementia
• whether the individual is suffering with phlebitis or similar
conditions which cause swelling of the lower legs
• whether the individual is showing any signs of frailty or
age-related conditions which may impact on the person’s
ability to wear and/or maintain the device
The above list is not exhaustive: decision makers must consider
the individual circumstances of each case.”
167. It seems that the stated intention of the Home Office in its
Representations, is not reflected in the Pilot Guidance. The
Commissioner remains of the view that the way the decision
making process is explained in the Pilot Guidance does mean
there was a presumption that electronic monitoring must be used
unless limited exceptions applied. In particular:
• The first key section is the list of 4 exemptions, under
the heading ‘Use of EM’, on page 8 of the Pilot Guidance.
The effect of this on the decision making process is that
only those people who fit within the exemptions are
ruled out of electronic monitoring.
• The second key section is on page 13 of the Pilot
Guidance. It states that:
53Enforcement Notice
“There will be some cases that may not be suitable
for an EM condition for practicality reasons or
because there is a risk that their rights under ECHR
could be breached.”
The effect of this sentence is that the presumption is that
an electronic monitoring condition should be imposed
unless there is a practicality reason or a risk to ECHR
rights.
168. The fact that this is the guidance provided (in other words, that
the presumption for Home Office staff is to electronically tag a
data subject) means that two further actions should have been
taken by the Home Office:
• first, the DPIA should have explained why adopting a
default position of tagging the data subject unless one of
a limited and explicit list of exceptions applies was
necessary and proportionate for the relevant public
tasks/functions. This is not the case here (see
paragraphs 117-133); and
• second, the Pilot Guidance should have set out a detailed
and (near) exhaustive set of situations in which the
default presumption will be inapplicable and/or detailed
guidance how to decide if the electronic monitoring is
impracticable or breaches rights under ECHR. This is not
the case here (see paragraphs 170-177).
169. Without this, the Home Office is unable to demonstrate why, for
each data subject, the decision to tag them was necessary and
proportionate for the purpose of the pilot and the relevant public
tasks/functions.
54Enforcement Notice
170. In particular, there is no or limited guidance as to:
• when an Assistant Director should decide to issue an
electronic monitoring condition despite one of the
exceptions applying;
• when an electronic monitoring condition is “impractical”.
Just two paragraphs are provided on this point, at page
10 of the Pilot Guidance, with the only example being
that “an individual may reside in a property which has
both a poor GPS signal and is not served by electricity”;
and
• when an electronic monitoring condition breaches
Convention Rights (although this seems to be in the
wrong section of the guidance).
171. The main section in the Pilot Guidance on how Home Office staff
should apply Convention Rights sets out a list of considerations
for staff when “deciding whether it is appropriate to monitor a
person”. This is the list of criteria set out in the Representations in
paragraph 166 above.
172. The Pilot Guidance states that meeting one of these criteria does
not prohibit imposing an electronic monitoring bail condition. The
Home Office staff must consider the balance between that and
other (unnamed) factors. The Pilot Guidance requires that the
decision to impose in that situation must be agreed by at least an
Assistant Director. There is no further detail in the Pilot Guidance
as to how those decisions should be made to ensure compliance
with Convention Rights and UK GDPR.
173. In finding that balance, it is not clear if the alternative is
detention or alternative bail condition(s).
55Enforcement Notice
174. If the Home Office staff member did not consider it appropriate to
issue an electronic monitoring bail condition for a different reason,
this had to be signed off at least at SEO level. There is no further
detail in the Pilot Guidance as to how those decisions should be
made to ensure compliance with Convention Rights and UK GDPR.
175. The Pilot Guidance requires medical evidence but acknowledges
that it may take time to substantiate that claim (up to 28 days).
There is no reference to allowing time for the Home Office or a
court to accept a claim of torture, or for a Home Office decision
that the data subject is a victim of modern slavery.
176. The Pilot Guidance sets out when representations from the
individuals must be invited. The Home Office has stated in its
Representations that:
“The HO is under various legal duties to consider the
rights position and welfare of data subjects and this
standard of care won’t change materially whether a
person makes representations or not or makes less or
limited representation because of the power balance. The
representations mechanism is designed as an additional
evidence gathering route to assist carrying out HO duties.
If an individual didn’t make representations or limited
their representations due to power imbalance that
wouldn’t legally or practically allow the HO to provide
them with a lower level of treatment.”
177. The Commissioner accepts this Representation. However the
section of the Pilot Guidance which deals with data subject
representations does not explain this. This means the Home Office
is unable to demonstrate that proportionate influence is placed on
56Enforcement Notice
the representations (including where limited or no representations
are made) in the decision making process.
(b) In accessing the trail data
178. There is limited detail as to when and how decisions to access and
use the trail data must be made in the Draft DPIA V2.3, the Pilot
Guidance, the Data Access Request Form, the Data Access
Guidance or the Process to Access Information. This means that
Home Office is unable to demonstrate that this processing of the
trail data would be necessary and proportionate for the relevant
public functions/tasks.
179. For access to the trail data for the Operational Purposes, there is
insufficient assessment in the Draft DPIA V2.3 as to whether and
to what extent access to trail data is necessary and proportionate
for the purposes of the pilot and so the relevant public
functions/tasks. (See paragraphs 132 and 133 above).
180. For access to the trail data for the Non-Operational Purposes, the
Home Office could choose to make an assessment of the necessity
and proportionality of each particular instance of access by
reference to the purpose of the request on a case by case basis at
the time of receipt. This could then be demonstrated in its
guidance for staff who are deciding to access and use the trail
data for those purposes.
181. For both the Operational and Non-Operational Purposes, the,
there is little or no guidance in the Pilot Guidance, the Data
Access Request Form, the Data Access Guidance or the Process to
Access Information for Home Office staff as to how to make the
decision to access the trail data.
57 Enforcement Notice
182. Home Office has stated in its Representations that accessing and
using trail data:
“… is covered in the Process Control Document.
N.B. There were 62 occasions in which trail data was
accessed for the purposes of the pilot. 56 of these
occasions related to alerts as a result of ‘strap tamper’ i.e.
where the EM device was damaged and rendered
inoperable. 6 related to less serious bail breaches e.g.
battery depletion.”
183. The Process Control Document (which we refer to as the Process
to Access Information) sets out the Home Office process for data
requests but does not provide guidance to Home Office staff
about how to make the decision to access the trail data. The only
guidance given is that when triaging the request the staff
member:
”triages it to ensure it meets the necessary data sharing
protocols, eg duly authorised, and the request is
necessary, justified and proportionate…”
This is not sufficient to demonstrate that access to the trail data
is necessary and proportionate for the relevant public
functions/tasks.
(ii)FAIRNESS AND TRANSPARENCY: Demonstrating compliance
with Articles 12 and 13
184. The Updated Privacy Notice is made up of three documents,
namely:
• the STS PIN;
58Enforcement Notice
• a privacy notice within the EMS booklet; and
• the departmental privacy notice (the Home Office’s high
level privacy notice: “Borders, Immigration and
Citizenship: privacy information notice”).
185. The Commissioner’s assessment is that the Home Office has not
demonstrated by its Updated Privacy Notice, that, in compliance
with Article 12, all data subjects have been provided with all the
information required by Article 13 in a:
“concise, transparent, intelligible and easily accessible form,
using clear and plain language”,
This means the Home Office has not demonstrated compliance
with Article 5(1)(a) (the principle of ‘fairness and transparency’).
186. The failures to demonstrate compliance with Article 12 are as
follows:
• The Updated Privacy Notice, and in particular the STS
PIN, fails to set out the privacy information clearly in one
place. This may be a single document with clear links or
references to other documents with an explanation as to
how each applies and interacts.
• The purpose of processing in the STS PIN remains
unclear and is not consistent with the purpose set out
within the Draft DPIA V2.3. The STS PIN describes the
purpose of processing as follows:
“From 15 June 2022, the HO is running a pilot to test
whether Electronic Monitoring is a better means of
maintaining contact with people who have arrived in
59Enforcement Notice
the UK via unnecessary and dangerous routes. The HO
wants to know if the use of these devices will:
• Help the HO keep in contact with more people
while their application is being processed than is
currently the case;
• Test out whether the device information can
help the HO in regaining contact with individuals
when contact is lost;
And as [a] result this may enable the HO to process
applications quicker”.
This does not align with the purposes set out in
Draft DPIA V2.3 (see paragraph 35 and 36 above).
• The addition of the reference in STS PIN to processing
applications “quicker” is at best confusing for data
subjects and at worst could be misleading, as it may lead
them to consider that their application will be processed
more quickly if they participate in the pilot.
• The STS PIN sets out how and when trail data is
accessed:
“It is not anticipated that GPS trail data will be needed
other than in very exceptional circumstances and the
Home Office will always consider whether to do so is
necessary and proportionate before making a request
to see the data.”
There is no explanation or guidance on what the “very
exceptional circumstances” may include.
60Enforcement Notice
• The term “GPS Trail data” is not defined or explained and
this gap in the STS PIN is likely to inhibit understanding.
• The three documents forming the Updated Privacy Notice
are not sufficiently integrated; there are inconsistencies
and information gaps. For example, the Electronic
Monitoring Handbook states the controller to be the
Ministry of Justice.
• The information in the STS PIN provided on special
category data is not clear. It states that:
“This project will be using special category data that
concerns a person’s health when considering
whether a GPS tag is suitable for each individual. No
other special category data is used for this project.
However, the Home Office does collect and use data
that identifies an individual’s nationality and has
decided that this information will be given the same
level of protection as that of special category data to
protect the individual. Where geographic location is
collected, this purpose will not be used to identify
special category data. Geolocation is only used for
the purposes outlined in your EM booklet to
maintain contact with you.”
This is confusing and it would be unclear to a data
subject what this meant for them. It is not clear if
information about a person’s health and nationality are
processed only as a result of the pilot, or if this is
personal data which the Home Office would process in
any event.
61Enforcement Notice
In addition, this does not accurately reflect the fact that
special category data may be processed when the trail
data is accessed, depending on the data subjects
movements (see Paragraphs 95-101 above). This should
be clearly explained to data subjects.
• The STS PIN refers to GPS coordinates, trail data,
geographic location and geolocation. It is not clear if
these are different types of data or different ways of
referring to the same data.
187. The Commissioner has reviewed the improvements to the privacy
information made by the Home Office in response to previous
recommendations made by the Commissioner. However, the
Commissioner’s view remains that the Updated Privacy Notice,
and in particular the STS PIN, still does not demonstrate
compliance with the requirements of Article 12, and this means
that compliance with the requirements of Article 13 has not been
effectively provided.
188. The Commissioner welcomes the explanation from the Home
Office in its Representations that its Home Office staff explained
orally to data subjects how their data will be used. However:
• There is still a requirement in Article 12 for the
information referred to in Article 13 to be provided in
writing or other means such as electronic means. The
information must be provided in a concise, transparent,
intelligible and easily accessible form using clear and
plain language. It can be provided orally if requested by
the data subject.
62 Enforcement Notice
• In any event, this oral explanation cannot be taken into
account regarding Article 5(2) and demonstrating
compliance with the transparency principle and Articles
12 and 13, as how this was done by Home Office staff
was not set out in any detail in Draft DPIA V2.3 and/or
Pilot Guidance and/or in the Updated Privacy Notice.
(iii) DATA MINIMISATION: Demonstrating compliance with Article
5(1)(c)
189. The Commissioner’s assessment is that the Home Office has failed
to demonstrate its compliance with Article 5(1)(c), and so is in
breach of Article 5(2), for the reasons set out below.
190. This finding is further to the lack of detailed guidance available to
Home Office staff when deciding whether or not to access trail
data and use trail data in making decisions (see paragraphs 178-
183 above).
191. The Draft DPIA V2.3 fails to expressly apply the principle of data
minimisation to the occasions when the Home Office may access
the trail data (for its own or a third party’s purposes) and how
much of the trail data to request access to. For example, there is
no reference to the importance of limiting the time period for
which access is requested.
192. Similarly, the Data Access Request Form, the Data Access
Guidance and Process to Access Information fail to give Home
Office staff any guidance on how to consider and apply the
principle of data minimisation when requesting access to the trail
data. For example, the Data Access Guidance does not advise
Home Office staff to consider whether to make the request at all
(in circumstances where, for a minor breach, the first step could
63 Enforcement Notice
be to contact the data subject), or to only make a request for
specific data and for a limited time period where required.
PART V: DECISION TO ISSUE THIS ENFORCEMENT NOTICE
193. The Commissioner requires the Home Office to take the steps set
out in Annex 1. The Commissioner considers these are
appropriate and proportionate steps for the purpose of remedying
the failures identified by the Commissioner in this EN.
Legal Framework – Enforcement Notices
194. Under section 149(6) DPA, an enforcement notice given in
reliance on section 149(2) DPA may only impose requirements
which the Commissioner considers appropriate for the purpose of
remedying the failures identified by the Commissioner.
195. Pursuant to section 150(1) DPA, “an enforcement notice must
state what the person has failed or is failing to do, and give the
Commissioner’s reasons for reaching that opinion.”
196. When considering whether to issue an enforcement notice in
reliance on section 149(2) DPA, the Commissioner must, in
accordance with section 150(2) DPA:
“consider whether the failure has caused, or is likely to
cause any person damage or distress.”
197. Where an enforcement notice is issued in reliance on section
149(2) DPA, section 150(3) DPA makes it clear that:
“the Commissioner’s power under section 149(1)(b) to
require a person to refrain from taking specified steps
includes the power:
64 Enforcement Notice
a) to impose a ban relating to all processing of
personal data, or
b) to impose a ban relating only to a specified
description of processing of personal data, including
by specifying one or more of the following:
(i) a description of personal data;
(ii) the purpose or manner of the processing;
(iii) the time when the processing takes
place.”
198. Pursuant to section 150(4):
“an enforcement notice may specify the time or times at
which, or period or periods within which, a requirement
imposed by the notice must be complied with.”
Matters the Commissioner has had regard to:
199. The Commissioner has made an assessment (as required in
accordance with section 150(2) DPA when deciding whether to
serve an enforcement notice) of whether any contravention has
caused or is likely to cause any person damage or distress. The
Commissioner’s view is that, based on the current versions of the
Draft DPIA V2.3, the Pilot Guidance, Data Access Request Form,
the Data Access Guidance and Process to Access Information, and
Updated Privacy Notice, for at least some data subjects, damage
and/or distress is likely to have been caused and there is a
significant risk that damage and/or distress may be caused in
future.
200. This is because (inter alia):
65Enforcement Notice
• the infringements which the Commissioner has identified
could have had, and could have, important consequences
for those data subjects who were electronically tagged,
in particular as the data subjects were in a situation
which was likely to make at least some of them
vulnerable;
• the failure by the Home Office to adequately assess (in
Draft DPIA V2.3) and give guidance to its staff on how to
make the assessment of the necessity and
proportionality of the processing for the purpose of the
pilot meant there was no assurance for any data subject
that electronic monitoring as an immigration bail
condition was a fair and balanced measure, assessed
alongside alternatives. Some data subjects may have
been tagged when it was not necessary and
proportionate;
• the Commissioner has not seen adequate evidence of
safeguards against the risks to data subjects associated
with electronic monitoring as an immigration bail
condition. For those being monitored, for example, this
could have included psychological harm for example due
to actual or perceived stigmatisation and a perceived
need to inhibit movement;
• data subjects may not have expected their data to be
processed in the way that the Home Office is processing
it, and may not expect their data to be processed in the
way the Home Office and third parties may process it in
future (as they have not been given an effective privacy
notice); and/or
66Enforcement Notice
• some or all of a data subject’s trail data may have been
accessed when it was not necessary and proportionate
for the purpose of the pilot (or for one of the Non-
Operational Purposes), and may be accessed when it is
not necessary and proportionate for one of the Non-
Operational Purposes. In addition more trail data than is
needed may have been, or may be accessed.
201. The Commissioner’s assessment is that compliance with the UK
GDPR provisions referred to above is a matter of importance to
data protection law. Even if a failure to comply has not caused, or
is not likely to cause, any person damage or distress, the issue of
this enforcement notice to compel compliance would nonetheless
be an appropriate exercise of the Commissioner’s enforcement
powers.
202. The Commissioner considers that the failures set out in this EN
are important for compliance with UK GDPR by the Home Office
more broadly than just this pilot. The Commissioner is concerned
that failures here could be repeated by Home Office for other
operations. In particular the Home Office’s failure to:
• document in enough detail each processing activity for
the purpose of a DPIA, including the nature, scope,
context and purposes;
• carry out an assessment of necessity and proportionality
for each processing activity;
• carry out a risk assessment of the risks to the rights and
freedoms of data subjects for the purpose of a DPIA
• identify vulnerability in data subjects
67 Enforcement Notice
• provide a privacy notice “in a concise, transparent,
intelligible and easily accessible form, using clear and
plain language”, which takes into account the nature of
data subject including any vulnerabilities
• provide detailed guidance to staff who need to apply key
legal constructs such as applying the necessity and
proportionality test, the principle of data minimisation, or
applying rights under the Human Rights Act.
203. The Commissioner has taken into consideration the
Representations, including the fact that the pilot has ended,
including all electronic monitoring under the pilot, and no new
trail data is being collected. The ongoing processing of pilot
personal data is in the retention of the pilot personal data
including trail data, and potential access and use of the trail data
by Home Office staff and potential disclosure to the data subject
and third parties of the trail data.
204. In June 2022, the Commissioner set out a revised approach to
public sector enforcement to be trialled over two years. 11 To
support this approach, the Commissioner committed to working
proactively with senior leaders in the public sector to encourage
compliance, prevent harms before they occur, and learn lessons
when things have gone wrong. In practice, this means that for the
public sector the Commissioner has committed to increasing the
use of public reprimands and enforcement notices, only issuing
12
fines in the most egregious cases.
11Open letter from UK Information Commissioner John Edwards to public authorities, 30 June 2022.
12See ICO25 – Our RegulatoryApproach, 7 November 2022, p.7.
68 Enforcement Notice
205. The Commissioner has had regard to the revised public sector
approach in reaching the decision to issue this EN. The
Commissioner is satisfied that this case is one which meets the
criteria for formal enforcement action, to reflect the seriousness
of the infringement and the significant risk to data subjects.
206. The Commissioner has had regard to the desirability of promoting
economic growth, and the potential impact this enforcement
notice might have in this regard.
Decision to issue this Enforcement Notice
207. Having had regard to those matters set out in paragraphs 199-
206 above, and the nature of the infringements, the vulnerable
nature of some data subjects, the scale of the personal data being
processed and the context in which it is processed, the
Commissioner’s view is that this EN is an appropriate regulatory
step to remedy the failures identified in this EN.
PART VI: APPEAL
208. The Home Office is entitled to appeal against this EN to the First-
tier Tribunal (Information Rights) by virtue of Section 162(1)(c)
DPA. If an appeal is brought against this EN, the EN need not be
complied with pending determination or withdrawal of that
appeal.
209. Information about the appeals process may be obtained from:
General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester Lel 8DJ
69 Enforcement Notice
Telephone: 0203 936 8963
Email: grc@justice.gov.uk 85.
210. Any Notice of Appeal should be served on the First-tier Tribunal
within 28 calendar days of the date on which this EN is sent.
Dated: 28 February 2024
John Edwards
Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
70 Enforcement Notice
ANNEX 1
TERMS OF THE ENFORCEMENT NOTICE
Within 28 days of the date of this Enforcement Notice, the Home Office
must provide to the Commissioner the following documents:
1 Updated versions of the Data Access Request Form, the Data
Access Request Guidance and the Process Control Document which
meet the requirements of Article 5(2) to demonstrate compliance
with the Article 5(1)(a) principle of lawfulness and Article 5(1)(c)
principle of data minimisation, when Home Office staff access, use
and disclose trail data.
2 An updated version of the STS PIN which meets the requirements
of Article 5(2) to demonstrate compliance with the Article 5(1)(a)
principle of fairness and transparency and which meets all the
requirements of Articles 12 and 13 (“Revised Privacy Notice”). This
Revised Privacy Notice must cover the past, current and potential
future processing of the pilot personal data by the Home Office.
3 Documentation of the process to provide the Revised Privacy
Notice to all data subjects whose trail data is retained by the
Home Office, in accordance with Article 12. This must include how
this Revised Privacy Notice will be provided to data subjects with
limited understanding of English.
71
