ICO (UK) - Enforcement Notice and Warning Letter - Home Office
ICO - Enforcement Notice and Warning Letter - Home Office | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 5(2) GDPR Article 35 GDPR |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | 01.08.2022 |
Decided: | 21.03.2024 |
Published: | 21.03.2024 |
Fine: | n/a |
Parties: | Home Office |
National Case Number/Name: | Enforcement Notice and Warning Letter - Home Office |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English English |
Original Source: | ICO (in EN) ICO (in EN) |
Initial Contributor: | Mgrd |
The DPA issued an enforcement notice to the Home Office, ordering it to bring its processing of personal data via GPS monitoring of migrants arriving in the UK into compliance with the UK GDPR after it failed to conduct an adequate data protection impact assessment.
English Summary
Facts
The Home Office (controller) is a United Kingdom government department that is responsible for immigration, security and law. As such, it oversees matters related to visas, immigration, asylum and citizenship in the UK.
The ICO initiated an investigation in August 2022, citing concerns about the controller's Satellite Tracking Services GPS Expansion Pilot project, which involved continuous electronic monitoring as a condition of immigration bail for individuals entering the UK via risky routes.
The pilot initiative involved fitting up to 600 individuals with electronic GPS tags to monitor their movements as part of the immigration bail conditions. These participants were compared to a control group of another 600 individuals who were not subjected to electronic monitoring. The purpose of the electronic tags was to collect data on the tagged individuals’ locations over time, which the controller could use for various purposes, including ensuring compliance with immigration bail conditions and potentially aiding in the efficient processing of asylum claims.
The ICO provisionally found that the controller failed to comply with Articles 35 and 5(2) of the UK GDPR. On 19 December 2023, it sent the controller a Preliminary Enforcement Notice and Notice of Intent to Issue a Warning.
Holding
On March 2024, ICO issued an Enforcement Notice and Warning Letter. It identified breaches by the Home Office of Articles 35 and 5(2) UK GDPR, finding that the controller did not conduct an adequate data protection impact assessment (DPIA) for its satellite tracking services GPS expansion pilot and failed to demonstrate compliance with principles of lawfulness, transparency and data minimisation under Article 5(1) UK GDPR.
The ICO found that the controller's processing required a DPIA because it was systematic, extensive, and was likely to result in a high risk to the rights and freedoms of natural persons. The processing was systematic and extensive because it involved automated processing carried out according to the pilot's strategy and captured a large volume of personal data. In particular, the ICO noted that the GPS processing collected trail data from data subjects, permitted a wide range to be inferred from it and would be used to make decisions having legal effects. The ICO also considered that trail data likely includes a special category of data because, when processed alongside information about the subject's geolocation, it can reveal special categories of data (such as religion).
It concluded that the controller's DPIA failed to meet several requirements specified in Article 35(7) UK GDPR, namely:
- It did not include a systematic description of processing operations with details about the scope, categories, context and purpose of processing;
- It lacked an assessment of the necessity and proportionality of the processing, particularly failing to consider reasonable alternatives, the proportionality of intrusiveness and the appropriateness of a 6-year retention period;
- It did not properly evaluate risks to individual rights and freedoms;
- It inaccurately concluded that the processing of trail data was not processing of a special category of data ; and
- It inaccurately concluded that processing would not involve mostly vulnerable data subjects, contrary to ICO Guidance, and should have conducted a detailed assessment of vulnerabilities.
In addition, the ICO noted that the DPA failed to implement mitigation measures to address the risks. Though the controller took a number of mitigating actions, its failure to make a sufficiently detailed assessment of potential risks resulted in inadequate measures to address processing risks.
The ICO also held that the controller violated the principle of accountability pursuant to Article 5(2) UK GDPR because it failed to demonstrate compliance with Article 5(1)(a) and (c) UK GDPR principles of lawfulness, fairness and transparency as well as data minimisation. With regard to the lawfulness principle, the ICO considered that the controller could not demonstrate that processing had a legal basis pursuant to Article 9(2)(g), which did not convincingly demonstrate that the processing was necessary and proportionate. Moreover, privacy notices were found lacking in clarity and coherence, failing to meet transparency requirements. The controller also lacked documentation and guidance on accessing and using "trail data" (data produced by electronic monitoring devices), indicating that the processing of this data might not have been limited to what was necessary for the purposes for which they were processed. The failure to demonstrate compliance with Articles 6 and 9, the inadequacies in privacy notices, and the lack of guidance on data minimisation collectively led to the conclusion that the Home Office did not fulfill its obligations under Article 5(2) of the UK GDPR, emphasizing the principle of accountability.
The ICO issued an Enforcement Notice to the Home Office, requiring it to take specific steps to remedy failures identified in relation to the UK GDPR. In its warning letter, the ICO highlighted its concern with the continued use of the same or similar documents to those used in the Pilot, which did not comply with the necessary GDPR requirements. It emphasized the importance of the Home Office addressing these issues to prevent potential infringements in any future processing similar to the pilot.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Enforcement Notice issued by the Information Commissioner concerning contraventions of Article 5(2) and Article 35 UK GDPR by the Home Office ENFORCEMENT NOTICE H OME OFFICE 28 February 2024 Enforcement Notice DATA PROTECTION ACT 2018 ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER ENFORCEMENT NOTICE To: The Secretary of State for the Home Department. Of: The Home Office, Peel Building, 2 Marsham Street, London, SW1P 4DF. PART I: INTRODUCTION AND SUMMARY 1. The Home Office is a “controller” as variously defined in sections 3(6), 5 and 6 of the Data Protection Act 2018 (“DPA”) and Article 4(7) of the UK General Data Protection Regulation (“UK GDPR”). 2. Unless otherwise stated, references to “Articles” are to articles of UK GDPR, and “Sections” to sections of the DPA. 3. The Home Office processes personal data for the purposes of its management of immigration, including individuals entering or leaving the UK, securing the border, leave, settlement, citizenship or other immigration services, claiming asylum or other forms of protection. The Home Office also processes personal data as part of its functions to enforce immigration laws, law enforcement for criminal matters and other lawful matters including those related to public health. The Home Office is the controller for this information, including when the information is collected or processed by third parties on its behalf. 2 Enforcement Notice 4. The Information Commissioner (the “Commissioner”) hereby issues the Home Office with an Enforcement Notice (“EN”) under section 149 DPA, in the terms set out in this EN. This EN relates to contraventions by the Home Office of Articles 35 and 5(2) UK GDPR in relation to its processing of personal data for its satellite tracking services GPS expansion pilot (the “pilot”). 5. This pilot extended the Home Office’s use of electronic tagging as an immigration bail condition to a new cohort: data subjects who arrive in the UK via unnecessary and dangerous routes who have claims suitable for consideration under the detained asylum casework (DAC) process. The infringements 6. The Commissioner has found that the Home Office has infringed Articles 35 and 5(2) UK GDPR (the “infringements”) as follows: Article 35: The Home Office failed to carry out a DPIA in relation to the pilot which satisfies the requirements of Article 35. In summary, the DPIA (Draft DPIA V2.3) did not set out either at all, or in sufficient detail: • A systematic description of the envisaged processing operations and the purposes of the processing. The DPIA did not set out each processing operation, and the stated purposes are inconsistent and unclear. • An assessment of the necessity and proportionality of the processing operations in relation to those purposes. 3Enforcement Notice • Continuous monitoring using GPS tracking by an electronic tag is intrusive. The Home Office did not demonstrate that less privacy intrusive methods could not meet its objectives. • An objective assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks. Whilst some risks to the rights and freedoms of data subjects were identified, Draft DPIA V2.3 (including the section 7.2 risk table) failed to sufficiently assess all of the risks, and as a result did not sufficiently propose measures to address those risks. Article 5(2): The Home Office, in breach of the accountability principle, has failed to demonstrate its compliance with Article 5(1), in particular: • Article 5(1)(a) principle of lawfulness: the Home Office identified the lawful basis for the processing as Article 6(1)(e), and for special category data as Article 9(2)(g) and schedule 1 paragraph 6 DPA. However, the Home Office did not demonstrate that the processing was necessary and proportionate for these purposes. This was not demonstrated in its DPIA or its guidance for Home Office staff. The Home Office failed to demonstrate why less privacy-intrusive methods could not meet its objectives. • Article 5(1)(a) principle of fairness and transparency: the Home Office’s privacy notice(s) do not demonstrate compliance with minimum transparency requirements, as set out at Articles 12 and 13. 4 Enforcement Notice • Article 5(1)(c) principle of data minimisation: the Home Office’s Draft DPIA V2.3 and guidance for Home Office staff does not demonstrate that data minimisation will be considered and actioned when requesting access to the personal data produced by the electronic tags (the “trail data”). 7. Annex 1 of this EN sets out the actions that the Commissioner requires the Home Office to take to correct the infringements. 8. The findings set out in this EN and the requirements set out in Annex 1 relate to the assessments and documentation the Home Office has shared with the Commissioner which underpin the pilot. The Commissioner expresses no view in this EN as to whether processing of personal data by the Home Office in relation to the pilot is otherwise compliant with data protection legislation more generally. PART II: LEGAL FRAMEWORK 9. Section 149(1) DPA provides that, if the Commissioner is satisfied that a person has failed, or is failing, as described in section 149(2) DPA, the Commissioner may, by written notice (an “enforcement notice”), require that person to take steps or refrain from taking steps specified in the enforcement notice. 10. The types of failure described in section 149(2) DPA include “where a controller or processor has failed, or is failing, to comply with …”: • at section 149(2)(a) “a provision of Chapter II of the UK GDPR … (principles of processing)”; and 5Enforcement Notice • at section 149(2)(c) “a provision of articles 25 to 39 of the UK GDPR … (obligations of controllers and processors)”. 11. Section 150 DPA provides that: “(1) An enforcement notice must - (a) “state what the person has failed or is failing to do”, and (b) “give the Commissioner’s reasons for reaching that opinion. 12. Chapter II of the UK GDPR sets out the principles which controllers must comply with, and requirements which apply when controllers are processing special categories of data and criminal records data. 13. Article 5(2) UK GDPR sets out the principle of accountability and requires that controllers must “be able to demonstrate compliance with” Article 5(1) UK GDPR. 14. Article 5(1) sets out the other principles relating to processing of personal data which are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. 15. Articles 24 to 39 UK GDPR set out general obligations which controllers and processors must comply with when processing personal data. 16. Article 35(1) UK GDPR requires controllers, prior to the processing, to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data where those processing operations are likely to result in a high risk to the rights and freedoms of natural persons. 6 Enforcement Notice 17. Other relevant provisions of the UK GDPR and DPA are set out below in the specific paragraphs dealing with the infringements by the Home Office (Part IV: The Commissioner’s findings of infringement). 18. The legal framework for issuing an enforcement notice is set out in Part V: Decision to issue this EN. Home Office powers 19. The Home Office’s powers to grant immigration bail are governed by schedule 10 of the Immigration Act 2016. The Home Office has published guidance on immigration bail . Immigration bail may be granted by the Home Office where a person is detained or is liable to be detained under specified statutory provisions .2 20. Schedule 10 paragraph 2(1) Immigration Act 2016 requires that if immigration bail is granted to a person, it must be granted subject to one or more of the following conditions – • a condition requiring the person to appear before the Secretary of State or, the First Tier Tribunal at a specified time and place; • a condition restricting the person’s work, occupation or studies in the United Kingdom; • a condition about the person’s residence; 1 2Immigration Bail Version 16.0 dated 8August 2023 Namely: (a) paragraph 16(1), (1A) or (2) of Schedule 2 to the ImmigrationAct 1971 (detention of persons liable to examination or removal); (b) paragraph 2(1), (2) or (3) of Schedule 3 to thatAct (detention pending deportation); (c) section 62 of the Nationality, Immigration andAsylumAct 2002 (detention of persons liable to examination or removal); and (d) section 36(1) of the UK BordersAct 2007 (detention pending deportation). 7 Enforcement Notice • a condition requiring the person to report to the Secretary of State or such other person that may be specified; • an electronic monitoring condition; or • such other conditions as the person granting immigration bail sees fit. 21. Schedule 10 paragraph 4(1) Immigration Act 2016 confirms that electronic monitoring condition “means a condition requiring the person on whom it is imposed (“P”) to co-operate with such arrangements as the Secretary of State may specify for detecting and recording by electronic means one or more of the following— (a) P’s location at specified times, during specified periods of time or while the arrangements are in place; (b) P’s presence in a location at specified times, during specified periods of time or while the arrangements are in place; (c) P’s absence from a location at specified times, during specified periods of time or while the arrangements are in place” PART III: THE BACKGROUND 22. This section sets out the relevant facts of the infringements that are the subject of this EN. The pilot and its scope 23. On 15 June 2022 the Home Office commenced the pilot to run initially for 12 months, and later extended this period by a further six months. The pilot extended the Home Office’s use of electronic monitoring as an immigration bail condition to a new cohort: 8 Enforcement Notice individuals who arrive in the UK via unnecessary and dangerous routes who have claims suitable for consideration under the detained asylum casework (DAC) process. The pilot size was set at up to 600 individuals to be subject to electronic monitoring and 600 further individuals to form the control group. 24. The high-level purpose of the pilot is described as: “… test whether electronic monitoring (EM) is an effective means by which to improve and maintain regular contact with asylum claimants who arrive in the UK via unnecessary and dangerous routes and more effectively progress their claims towards conclusion.” 3 25. Initially the pilot also covered asylum seekers who arrived in the UK via unnecessary and dangerous routes and were considered inadmissible, but this cohort ceased as a result of a successful legal challenge. 26. Pilot participants were monitored for breach of immigration bail conditions by the Home Office’s processor in the same way as the existing process for electronic monitoring as an immigration bail condition. 27. The pilot ended in December 2023, and so did the collection of personal data using electronic monitoring devices for the pilot. However, processing of personal data gathered or created during the course of the pilot will continue until such time as all pilot personal data has been deleted or anonymised. This EN relates to the extent that the Home Office has failed and is failing to deal 3Set out in Draft DPIAV2.3 and Pilot Guidance. 9 Enforcement Notice with this personal data in accordance with the requirements of the UK GDPR. The DPIAs and other Home Office documents 28. The Commissioner has reviewed the following DPIAs provided by the Home Office: Title Document Date GPS Expansion (small Boats) final version 0.1 26.01.22 Satellite Tracking Services (STS) GPS expansion 30/05/2022 version 0.2 (ODPO review complete) STS GPS expansion Version 2.0 12.12.22 Satellite Tracking Services (STS) Version 2.2 (draft) with separate risk table 7.2 (“Draft DPIA 07.08.23 V2.2”) Satellite Tracking Services (STS) Version 2.3 (draft) with separate risk table 7.2 (“Draft DPIA 13.10.23 V2.3”) 29. The Home Office published guidance: “Immigration Bail Conditions: Electronic monitoring (EM) expansion pilot” version 1. This was updated and published as version 2 on 23 June 2023 (the “Pilot Guidance”). This document states that it must be read in conjunction with the Immigration Bail Guidance (the “Immigration Bail Guidance”). The most recent version of this document is Version 16.0 published on 8 August 2023. 30. This Pilot Guidance sets out the process for Home Office staff when considering electronic monitoring as a condition of immigration bail for persons who fall within the scope of the pilot. 31. In terms of privacy information, the Home Office provided the STS Bespoke Privacy Information Notice to the Commissioner on 10 Enforcement Notice 30 January 2023 and the STS Privacy Information Notice GPS Expansion Pilot Cases on 21 August 2023. An updated version of the STS Privacy Information Notice GPS Expansion Pilot Cases was provided to the Commissioner on 13 October 2023 (the “STS PIN”). 32. The Home Office provided copies of the Home Office EM Internal Data Request Form (the “Data Access Request Form") and the data access request guidance (the "Data Access Guidance") to the Commissioner on 6 January 2023. The Home Office provided the Process Control Document Process Data Requests v0.8SM and the Process data requests v0.10 to the Commissioner on 1 September 2023 (“the Process to Access Information”). These documents set out the process for Home Office staff to follow when accessing the trail data collected by the electronic tags. 33. In addition, the Home Office provided the Commissioner with an Appropriate Policy Document v3.0, GPS Expansion ROPA v2, and a document entitled General observations and recommendations outside pilot scope, on 21 August 2023. A “DPIA and Recs gap analysis document” was sent on 22 August 2023. A Glossary of Terms for DPIA 2 and a GPS Data Flow Map were provided to the Commissioner on 1 September 2023. 34. The Home Office did not refer to or provide any additional documents in its formal representations made following the PEN. The purpose of the pilot 35. From paragraph 2 of the Draft DPIA V2.3 the purpose of the pilot is as follows: “This pilot will examine the impact of EM [electronic monitoring] on compliance with immigration bail and the 11Enforcement Notice asylum process. At the end of the pilot, recommendations will be made regarding the efficacy or not of using EM as a condition of bail for those awaiting an asylum decision and/or following a negative decision. The intended outcomes are as follows: - The pilot is set up to tag a number of individuals who have arrived in the UK via unnecessary and dangerous routes and fail to have their claims considered under the detained asylum casework processes or are potentially inadmissible. The pilot is a mechanism for gathering the evidence to inform a future decision on wider roll out of GPS tagging, supported by the underpinning policy rationale of: • Increasing levels of compliance and improved and regular contact management, whilst reducing the risks of absconding; • Establishing whether tagging is an effective alternative to detention. Data will be used to test whether electronic monitoring (EM) is an effective means by which to improve and maintain regular contact with asylum claimants who arrive in the UK via unnecessary and dangerous routes and more effectively progress their claims toward conclusion.” 36. In Paragraph 3 of Draft DPIA V2.3, there is similar wording but with additional details. In particular, in addition to the policy rationale above, it also includes: 12Enforcement Notice • “Ensuring that the data subjects are in regular contact with the Home Office throughout their application process. • The Home Office has a duty to prevent asylum seekers absconding without appropriate leave to remain. • Detention is the only current option that prevents absconding”. It goes on to state that “there is a potential benefit that it may assist in disrupting criminal networks – eg people traffickers”. Finally in this section, the Home Office states that “The hypothesis [for the pilot] is that tagging individuals will reduce the rate of absconding”. 37. The Pilot Guidance confirms this and sets out additional purposes (page 6): “…establishing whether electronic monitoring is an effective way to improve and maintain regular contact management with asylum claimants who arrive in the UK via unnecessary and dangerous routes, in order to progress their immigration case. We will also be able to test the rate of absconding and obtain data on how frequently this happens as well as developing a greater understanding of the stages in the process it is likely to occur and establish if electronic monitoring and associated improvements in contact management prevent absconding. If anyone does abscond and therefore breaches their conditions of bail, we will also be able to test whether we are able to use this knowledge to more effectively re-establish 13Enforcement Notice contact with individuals or locate them for removal or detention if appropriate in their case. Trail data will be held by the EM supplier but may be accessed by the Home Office where one or more of the following applies and where proportionate and justified in the circumstances in accordance with data protection law: • a breach of immigration bail conditions has occurred, or intelligence suggests a breach has occurred to consider what action should be taken in response to a breach up to and including prosecution • where a breach of immigration bail conditions has occurred, which has resulted in the severing of contact via EM, trail data will be used to try to locate the person • where it may be relevant to a claim by the individual under Article 8 ECHR • to be shared with law enforcement agencies where they make a legitimate and specific request for access to that data.” 38. The first two bullets above set out reasons why trail data will be accessed which form part of the operation of the pilot (“Operational Purposes”). The second two bullets are reasons why trail data may be accessed which do not form part of the operation of the pilot (“Non-Operational Purposes”). 14Enforcement Notice The pilot personal data 39. The personal data which will be processed for the pilot (the “pilot personal data”) is set out in paragraph 2.1 of the Draft DPIA V2.3. The main description is: “Bail Form Information (The Bail 206) will include individuals Name, DOB, Nationality, Photograph, offending history and any vulnerabilities (for example health data) identified that the third party supplier may need to be aware of. This information is used to assess suitability for inclusion in the pilot and if selected is the identification information that links individuals to the tagging device. “Electronic Monitoring Device. Where individuals have an EM immigration bail condition imposed, the device (a fitted ankle tag) will send a notification where the conditions are breached using the GPS location information and time information recorded. The GPS equipment worn by individuals being monitored, transmits data events to the central servers. The data collected comprises latitudinal and longitudinal location data only. Movements around home address or other domestic addresses are not tracked. The device itself does not retain data. “Alerts received by the system are processed by EMS staff who will review the data, determine whether there is anything that amounts to a breach of the conditions and notify those breach events to the Home Office where appropriate.” 15 Enforcement Notice 40. In addition, the Draft DPIA V2.3 sets out that there will be a control group of individuals, who will meet the criteria but will not be electronically monitored. The Draft DPIA V2.3 sets out that the control group is: “...made up of individuals who met the condition for tagging as part of DAC or MEDP [Migration and Economic Development Partnership] but who are not tagged either following individualised assessment or as a consequence of a variety of other factors eg timing, tribunal activity etc which have no bearing on likelihood of absconding and therefore act as a legitimate comparator.” The DPIA sets out that no new data will be generated for this control group but rather the Home Office will rely on data which is already held on the Home Office systems as part of business as usual processes. The pilot data subjects 41. The data subjects are the individuals who fall within the scope of the pilot, plus those in the control group. ICO engagement with the Home Office 42. The ICO has been engaging with the Home Office since 11 August 2022. The Commissioner’s understanding of the Home Office’s processing, and his findings in this EN, are based on the information he has received over the course of his engagement with the Home Office. 43. During this engagement, the Commissioner raised concerns with the Home Office about the legality of processing of personal data captured by the GPS tags. The Commissioner raised concerns that 16Enforcement Notice continuous monitoring of individuals using GPS tracking by an electronic tag is intrusive. These concerns related to the GPS tracking data which the device collects, both in terms of the volume and the nature of the data collected and the way the electronic tag is fitted and worn. The Commissioner identified concerns that the data protection impact assessment (DPIA) and privacy notice(s) provided by the Home Office did not meet UK GDPR requirements. The Commissioner also highlighted the importance of the Pilot Guidance and improvements which could be made. 44. On 6 July 2023, the Commissioner issued a report to the Home Office (the “Report”), setting out the Commissioner’s concerns and recommendations for action needed to correct breaches of UK GDPR. 45. On 21 August 2023 the Home Office responded with: • an Appropriate Policy Document regarding the Home Office’s use of special category data; • GPS Expansion ROPA v2; • STS Privacy Information Notice (PIN) GPS Expansion Pilot Cases; the Draft DPIA V2.2 with a separate DPIA risk section 7.2; • a DPIA and Recs gap analysis (correct version provided on 22 August 2023); and • a document setting out General observations and recommendations outside the pilot scope. 17Enforcement Notice 46. On 1 September 2023, the Home Office provided the Commissioner with a Glossary of Terms for DPIA 2, GPS Data Flow Map and the Process to Access Information. 47. On 28 September 2023, the Commissioner provided the Home Office with a draft preliminary enforcement notice. The draft preliminary enforcement notice was shared at an early stage to allow the opportunity for early action by the Home Office to resolve the infringements. By email dated 13 October 2023 the Home Office responded with: • the Draft DPIA V2.3 with an updated separate DPIA risk document (7.2(2)); • a link to the immigration bail guidance and the Pilot Guidance. This was the version published on 23 June 2023. This had not been updated after the draft preliminary enforcement notice; • a copy of the Process to Access Information and Data Access Request Form. These documents had not been updated after the draft preliminary enforcement notice; and • the STS PIN. 48. In the email of 13 October 2023 the Home Office confirmed that: “In reflecting on this draft preliminary enforcement notice, although a DPIA was in place prior to processing, it is acknowledged that initial interpretation of the legislation in this case, that a DPIA was not mandatory, resulted in the process and engagement that has since 18Enforcement Notice needed to take place. Learning, following engagement with the ICO will be taken for the future.” 49. On 19 December 2023, the Information Commissioner sent to the Home Office a Preliminary Enforcement Notice and a Notice of Intent to Issue a Warning which set out the Commissioner’s provisional findings of infringement. They also set out how the Home Office may make both written and/or oral representations as to why the Commissioner should not issue an enforcement notice and about the Commissioner’s provisional decision to issue a warning. 50. On 31 January 2024 the Home Office provided written representations to the Information Commissioner (the “Representations”). The Home Office did not request an oral hearing. 51. This EN relates to matters to which the Report and PEN were directed and takes into account the documents set out in paragraphs 28 - 33 above. 52. The Commissioner recognises the approach taken by the Home Office to address some of the issues of concern raised . Careful consideration has been given to all of the relevant material provided by the Home Office at all stages of the process. 53. This EN relates only to matters which in the view of the Commissioner have not yet been addressed and applies to the ongoing processing of pilot personal data 19 Enforcement Notice PART IV: THE COMMISSIONER’S FINDINGS OF INFRINGEMENT A. CONTROLLERSHIP AND JURISDICTION 54. The Commissioner is satisfied that the Home Office is the controller of the pilot personal data , and that UK GDPR applies to the Home Office as controller under Article 3(1). 55. The Home Office processes personal data for its management of immigration, including individuals entering or leaving the UK, securing the border, leave, settlement, citizenship or other immigration services, claiming asylum or other forms of protection. The Home Office also processes personal data as part of its functions to enforce immigration laws, law enforcement for criminal matters, and other lawful matter including those related to public health. The Home Office is the controller for this information, including when the information is collected or used by third parties on its behalf. 56. The Commissioner’s assessment is that the Home Office has committed a number of infringements of the UK GDPR in relation to its processing of the pilot personal data. These are addressed below. B. INFRINGEMENT OF ARTICLE 35 UK GDPR 57. For the reasons set out below, the Commissioner’s assessment is that the Home Office has failed and is failing to comply with Article 35 UK GDPR in relation to its processing of the pilot personal data. 20 Enforcement Notice Legal Framework – Article 35 58. Article 35 UK GDPR requires controllers, prior to processing, to carry out a DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals. 59. A DPIA is a process designed to help controllers systematically identify and analyse data protection risks to individuals arising from the processing of personal data, and to minimise those risks as far as possible. 60. Article 35(1) requires that: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.” 61. Article 35(7) sets out the requirements for this assessment (known as a data protection impact assessment or DPIA). 62. A controller could breach Article 35(1) in several ways, including because: • it has not carried out a DPIA at all, • it carried out a DPIA but it does not meet the requirements of Article 35(7). 21 Enforcement Notice • it carried out a DPIA which meets the requirements of Article 35(7) but not prior to the relevant processing. 63. Article 35(3) lists three types of processing that automatically require a DPIA. These are: (a) “systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.” 64. Article 35(4) requires the Commissioner to “establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1”. 65. Accordingly, as required by Article 35(4) UK GDPR, the Commissioner has published a list of ten examples of processing “likely to result in high risk” (referred to as “ICO DPIA Examples”). 4Examples of processing ‘likely to result in high risk’| ICO 22 Enforcement Notice 66. Article 35(7) specifies what is required, at a minimum, to be included in a DPIA carried out in compliance with Article 35(1). The assessment must contain: (a) “a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.” The requirement for the Home Office to carry out an Article 35 DPIA prior to the start of the processing 67. The Commissioner’s assessment is that the Home Office was required by Article 35(1) to have carried out a DPIA which met the requirements of Article 35(7), prior to the start of the processing of the pilot personal data, for the reasons set out below. 68. First, the processing of personal data for the pilot falls within Article 35(3)(a) as it involves: 23Enforcement Notice “systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;” 69. ICO guidance sets out when processing is “systematic”: “‘systematic’ means that the processing: • occurs according to a system; • is pre-arranged, organised or methodical; • takes place as part of a general plan for data collection; or • is carried out as part of a strategy.” 70. The pilot involves systematic processing as the GPS tags will systematically collect personal data regarding the location of the data subjects at specific times and dates. 71. ICO guidance sets out when processing is “extensive”: “The term ‘extensive’ implies that the processing also covers a large area, involves a wide range of data or affects a large number of individuals.” 72. The pilot involves extensive processing because, overall, it captures a very large volume of personal data. In particular, the processing has the potential to cover trail data sent from a large area (GPS tags will collect the trail data of the data subjects), and a wide range of data can be inferred from it. 73. The pilot involves automated processing as the GPS tags automatically collect and send the trail data of the data subjects 24Enforcement Notice to the Home Office’s processor. As the ICO guidance states, “the processing occurs according to a system.” 74. The trail data will be used by Home Office staff to make decisions regarding the data subjects which will have legal effects. For example, whether the data subject has breached the conditions of their immigration bail and what actions the Home Office will take, for example whether the data subject should be detained as a result. 75. Second, the processing of personal data under the pilot falls within at least three of the ICO DPIA Examples of processing “likely to result in a high risk to the rights and freedoms of natural persons”, as set out in the following paragraphs. 76. ICO DPIA Example 2: Denial of service: “Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.” 77. The trail data may include special category data (see paragraphs 95-101 below). The Home Office staff will be using that data to make decisions as to whether a data subject has breached their bail conditions and whether that means those conditions need to be altered or immigration bail revoked. 78. ICO DPIA Example 3: Large scale processing: “any profiling of individuals on a large scale” 79. The processing of personal data for the pilot is “large scale processing” because a large volume of trail data about the data subjects will be collected. It is profiling as the trail data records 25 Enforcement Notice the location, movements and behaviours of the data subject. For the purpose of assessing whether processing operations require a DPIA, it is not relevant that the large volume of trail data will only be accessed by the Home Office staff in limited circumstances. 80. This is very similar to one of the examples in the Commissioner’s guidance, namely “tracking individuals using a city’s public transport system.” 81. ICO DPIA Example 8: Tracking, when combined with any of the criteria from the European guidelines :5 “processing which involves tracking an individual’s geolocation or behaviour.” The Home Office processing of trail data involves tracking both geolocation and behaviour. 82. The relevant criteria within the European guidelines are: processing of sensitive data or data of a highly personal nature; processing of data on a large scale; and processing personal data concerning vulnerable data subjects. 83. The pilot is likely to involve sensitive data and data of a highly personal nature, including special category data. This is because trail data contains a data subject’s time and date of visits to particular locations which could reveal this information, such as a visit to a specific medical clinic. 84. The pilot involves processing of personal data on a large scale due to the volume of trail data collected about data subjects. A 5“Guidelines on Data Protection ImpactAssessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679”Adopted on 4April 2017.As last Revised and Adopted on 4 October 2017 26 Enforcement Notice significant number of data subjects are likely to be vulnerable (see paragraphs 102-110 below). The Home Office’s infringement of Article 35(1) – to carry out a DPIA which meets the requirements in Article 35(7) 85. The Home Office completed its first DPIA for the pilot on 26 January 2022, GPS Expansion (small Boats) final version 0.1. Version 2.0 was signed off by the ODPO (the office of the data protection officer) before the pilot started. The ICO on behalf of the Commissioner provided detailed comments on this Version 2.0, setting out how it needed to be improved to bring it into line with Article 35. 86. This version of the DPIA has since been updated a number of times to form the Draft DPIA V2.3. The Commissioner’s assessment is that none of the versions of the DPIA meet the requirements of Art 35(7). 87. For the purpose of this EN the Commissioner has focused only on the deficiencies in the most recent version, being Draft DPIA V2.3. 88. An analysis of the four component parts of Article 35(7) is set out in turn below, ie Articles 35(7)(a), 35(7)(b), 35(7)(c) and 35(7)(d). 89. Before identifying the infringements in detail, the Commissioner makes the following overarching comments in relation to the DPIAs provided by the Home Office: • The Commissioner is mindful of the Home Office’s statutory obligations to keep citizens safe and the country secure through maintaining the integrity of the UK’s borders and managing immigration effectively. 27 Enforcement Notice • The limited level of detail included in the DPIAs was not commensurate with the nature, context and scope of processing for the pilot, and therefore did not comply with the requirements of Article 35(7). • The level of detail required by Article 35(7)(a) is vital for the Home Office to: make a proper risk assessment and assessment of the necessity and proportionality of the processing for its purposes; to be in a position to effectively mitigate any risks; and to document compliance with Article 5(1). • This assessment should have demonstrated whether there were any reasonable alternatives to electronic monitoring. This would have allowed the Home Office to decide whether the level of intrusiveness of electronic monitoring was necessary and proportionate when considering those alternatives. • As a result of the breaches of Article 35, the Home Office was unable to rely on Draft DPIA V2.3 to demonstrate it was processing personal data for the pilot in compliance with UK GDPR and was unable to meet the requirements of Article 5(2) to be able to demonstrate compliance with Article 5(1) (See from paragraph 53 onwards and below). Assessment of whether Draft DPIA V2.3 meets the requirements of Article 35(7) 90. Set out below is the Commissioner’s assessment of whether Draft DPIA V2.3 meets the requirements of each of Articles 35(7)(a) to 35(7)(d). His conclusion is that the Home Office has failed to produce a DPIA which meets these requirements. 28 Enforcement Notice Article 35(7)(a): “a systematic description of the envisaged processing operations and the purposes of the processing including, where applicable, the legitimate interest pursued by the controller” 91. The ICO’s DPIA guidance , following UK GDPR recital 90, states that DPIAs must include a description of how and why the controller plans to use the personal data, and that this description must include the nature, scope, context and purposes of the processing. 92. The Commissioner’s assessment is that the Home Office did not systematically describe the processing operations it was undertaking for the purposes of the pilot in the Draft DPIA V2.3, and as a result, the Draft DPIA V2.3 did not sufficiently describe the nature, scope, context and purposes of processing, as set out in the following paragraphs. (i) The nature of the processing 93. The Commissioner’s assessment is that the Home Office did not sufficiently explain in its Draft DPIA V2.3 the nature of the processing. In particular, there was insufficient information and/or not enough detail of: • The categories of personal data being processed at each stage, for each processing operation. In particular, Draft DPIA V2.3 lacked clarity about which categories of personal data were being processed for each purpose that had been listed. • The Data Flow map that the Home Office refers to in their Representations was not referenced in the DPIA. 6How do we do a DPIA? | ICO 29 Enforcement Notice • The circumstances under which the Home Office staff could access the trail data, and the conditions and restrictions that must or could be placed upon that access (including where the trail data is being provided to a third party agency). Section 2.1 of the DPIA lacked detail about the conditions and restrictions that must or could be placed upon any access (including where the trail data is being provided to a third party). In its Representations, the Home Office states that this information is contained in its “Process Control Document” V0.8. However, this document was not referenced in Draft DPIA V2.3. • The safeguards in place for the access and ongoing retention of trail data to demonstrate that access and ongoing retention is necessary, proportionate and compatible with the purpose of the processing. (ii) The scope of the processing 94. The Commissioner’s assessment is that the Home Office did not sufficiently explain in its Draft DPIA V2.3 the scope of the processing (ie what the processing covers), including: • details of the volume, frequency and nature of the trail data. It does not explain in enough detail the data sent by the electronic tags ; • what special category data is processed for the pilot (see paragraphs 95-101 below); and • detailed identification of the assessment of whether individuals could be vulnerable and their actual and potential vulnerabilities and risks. (see paragraphs 102-110 below). 30 Enforcement Notice Special category data 95. In the Draft DPIA V2.3, section 2.3 sets out that the processing included criminal conviction data, race or ethnic origin (including nationality) and health. The Home Office stated that this is data it was already processing as part of its immigration case file. 96. The Draft DPIA V2.3 set out that health data was used in the assessment of suitability for electronic monitoring. It also stated that nationality is not special category data but that the Home Office routinely treats this in the same way as it does race or ethnicity to protect the individual to the same level. 97. The Draft DPIA V2.3 accepted that trail data could be used to determine the precise type of place that the data subject is attending but stated that: “...this information is not required for the purpose of this trial and will not be used to infer anything about their nature or behaviour.” 98. The Home Office stated in its Representations that it specifically ruled out inferring any special category data from the trail data, and does not agree that trail data is “highly likely” to constitute special category data. 99. In this situation, personal data in the trail data is special category data if, in and of itself, the personal data reveals the special category data with a reasonable degree of certainty. 100. The Commissioner’s assessment is that there is a likelihood (that is more than minimal) that the Home Office will on occasion be processing special category data when it processes the trail data alongside information about the places the data subject visits. For example, a map showing the use of buildings and/or the names 31 Enforcement Notice and locations of organisations. This likelihood is outside of the Home Office’s control as it depends on the data subject’s movements. The trail data when processed alongside that information, will, on occasion, in and of itself reveal special category data. For example, personal data showing a person attending a religious building each week on the day of regular worship, in and of itself reveals their religion with enough certainty that this is special category data. 101. The Home Office processed the trail data alongside this type of information when it accessed and used the trail data for its Operational Purposes. This may also be the case for its Non- Operational Purposes. How likely it is that the Home Office will process special category data is dependent on the number of data subjects whose trail data is accessed, but it is a (more than minimal) possibility with every data subject. On that basis, the Home Office must consider that using the trail data alongside this type of information will be processing special category data. Vulnerable data subjects 102. In Draft DPIA V2.3 the conclusion is reached that the processing will not involve “mostly data concerning vulnerable data subjects.” The Draft DPIA V2.3 sets out that “any material vulnerability will be considered as part of the assessment prior to tagging. Any individuals that may be unduly affected as a consequence of electronic monitoring will not be included in the pilot.” 103. The Draft DPIA V2.3 does not provide any basis for this conclusion that the trail data does not “mostly” concern vulnerable data subjects. 32 Enforcement Notice 104. In its Representations, the Home Office refers to the section in the DPIA which screens for potentially vulnerable data subjects, and states that the “Immigration Bail conditions documents provide guidance in relation to vulnerabilities”. 105. The guidance on “Vulnerability consideration” is in the “Immigration Bail” guidance on pages 31 to 35. and in the “Immigration Bail conditions: Electronic monitoring expansion pilot” guidance on pages 13 and 14. The latter guidance also refers back to the main Immigration Bail guidance. 106. Both contain a non-exhaustive list of conditions/issues/ considerations which could mean that a person is not suitable for an electronic monitoring condition. The lists are very similar, but not identical. In both cases the list sets a high bar for vulnerability. For example, both lists require medical evidence that an electronic monitoring condition would cause serious harm, or evidence that a claim of torture or modern slavery has been accepted by the Home Office or a Court. Although neither are exhaustive lists, the implication is that other conditions/issues/ considerations must be of a similarly serious nature. 107. Home Office’s stated purpose is to consider “material vulnerability” as part of the decision whether or not to issue an electronic monitoring condition. This is not the same as the requirement in a DPIA to consider any vulnerability of data subjects. 7 108. The ICO Guidance sets out how to consider if an individual is vulnerable when conducting a DPIA. It says: 7When do we need to do a DPIA? | ICO 33 Enforcement Notice “Individuals can be vulnerable where circumstances may restrict their ability to freely consent or object to the processing of their personal data, or to understand its implications. “Even if the individuals are not part of a group you might automatically consider vulnerable, an imbalance of power in their relationship with you can cause vulnerability for data protection purposes if they believe that they will be disadvantaged if the processing doesn’t go ahead.” 109. The Commissioner considers that a detailed assessment of vulnerabilities is required as there is a risk that a significant number of individuals within the scope of the pilot could be vulnerable. This is because of (inter alia) the conditions they have come from, the circumstances of their journey, their reception and experiences in the UK, their level of English language skills and the imbalance of power between the data subjects and the Home Office. The Home Office has not provided any Representations as to why this might not be the case. 110. The Draft DPIA V2.3 does not address the risk of vulnerabilities and therefore does not consider whether any mitigating factors should be put in place. This means the Draft DPIA V2.3 does not consider if there are increased or additional risks to the vulnerable, nor how to mitigate those risks. (iii) The context of the processing 111. The context of the processing involves considering the wider picture, including (inter alia) how far individuals are likely to expect and understand the processing. 34 Enforcement Notice 112. The Draft DPIA V2.3 at paragraph 2.7 sets out that individuals will be informed of their privacy rights through the privacy notice(s). The Home Office in its Representations has referred to the Immigration Bail Conditions guidance which states that: “It is important that decision makers inform the bailed person of their responsibilities regarding electronic monitoring and how their data can be used”. This may have assisted the understanding of some data subjects. But this is not referred to in the Draft DPIA V2.3, so could not form part of the “context” for consideration. 113. As set out at paragraphs 184-188 below, the Commissioner’s assessment is that the Home Office has failed to demonstrate compliance with its transparency obligations under Article 5(1)(a) and articles 12 and 13. 114. The Commissioner’s assessment is that there is a significant risk that some data subjects, in particular those who are vulnerable, will not understand how their personal data is being processed and for what purposes. He understands that for some data subjects this risk has been mitigated by Home Office staff explaining how their data would be used. This should have been noted in the DPIA as part of the context, alongside further detail as to how this information must be delivered and recorded. On that basis, his assessment is that the context of the processing has not been set out in enough detail in Draft DPIA V2.3. (iv) The purpose of the processing 115. The Commissioner’s assessment is that while the Home Office may have set out all of its purposes in processing the personal data somewhere in the Draft DPIA V2.3, they are not set out 35 Enforcement Notice precisely and in sufficient detail in one place, so that the Home Office could correctly carry out the assessment of necessity and proportionality of the processing operations in relation to the purposes (required by Article 35(7)(b)) and an assessment of the risks to the rights and freedoms of the data subjects (required by Article 35(7)(c)). 116. The purpose is set out in sections 2 and 3 of the Draft DPIA V2.3 (which are set out in full in paragraph 34, 35 and 36 above). Although the lawful basis for processing is set out at sections 3.2, 3.3 and 3.4 of the DPIA, for clarity, the Commissioner also recommends that the Home Office links its purposes to both its Article 6(1)(e) public task and its Article 9(2)(g) public interest condition. Article 35(7)(b): “an assessment of the necessity and proportionality of the processing operations in relation to the purposes” 117. In accordance with Article 35(7)(b), the DPIAs must contain an assessment of the necessity and proportionality of each processing operation in relation to the purposes. 8 118. ICO guidance explains that, in considering necessity and proportionality, controllers should assess: • if the plans help to achieve their purpose; and • if there is any other reasonable way to achieve the same result. 119. The assessment of proportionality and necessity is set out in section 3.1 of the Draft DPIA V2.3. For the reasons set out in the following paragraphs, the Commissioner’s conclusion is that this 8How do we do a DPIA? | ICO 36Enforcement Notice was not a complete, reasoned analysis of whether each of the processing activities in the pilot is necessary and proportionate for the purpose. 120. The details set out within the Draft DPIA V2.3, and in particular section 3.1, were too high level and did not provide a sufficient consideration of all the factors involved, nor the underlying evidence base. 121. There was insufficient consideration of any reasonable alternatives, and whether the level of intrusiveness of electronic monitoring is proportionate when considering those alternatives. The Draft DPIA V2.3 set out that to date, no options other than detention have been identified as available to control rates of absconding. The Commissioner’s view is that if no other options were identified as available to control rates of absconding, then the DPIA should have specified the options or alternatives which had been considered but discounted and explain why each alternative was rejected. 122. Section 3.1 of the Draft DPIA V2.3 explains that: “When [trail] data is requested, the requester must prove the need for the data and that they have considered the amount of data that is required. All applications are scrutinised by the Service Delivery Team who reject any requests where they determine that proportionality and/ or necessity are not adequately proven.” This sets out how the decision was made to allow access to trail data, but it is not a complete, reasoned analysis of the necessity and proportionality when access is given to the trail data. 37Enforcement Notice 123. The Home Office in its Representations has referred to Section 2.1 which explains that: “Data collected is not accessed unless an exception alert is triggered. Authorised Home Office staff may request access to GPS trail data for a specified period and review that data in the event of [a list of specific occurrences, such as a breach of Immigration Bail Conditions]. This section sets out circumstances when Home Office staff will access trail data for their Operational Purposes. Again, it is not a complete, reasoned analysis of the necessity and proportionality when access is given to the trail data. 124. Section 3.1 of the Draft DPIA V2.3 explains that the pilot is a mechanism for gathering evidence to inform a future decision on wider roll out of electronic monitoring, supported by the underpinning policy rationale of: • Ensuring that the data subjects are in regular contact with the Home Office throughout their application process. • The Home Office having a duty to prevent asylum seekers absconding without appropriate leave to remain. • Detention as the only current option that prevents absconding. There is no detail setting out an assessment that processing personal data for the pilot (including all categories of data) is necessary and proportionate for those stated goals. 125. Section 3.1 states that data subjects are “effectively randomly assigned whether they are provided with a tag or not once their 38Enforcement Notice suitability has been assessed based on factors unrelated to the likelihood of absconding.” This statement, without further explanation as to the rationale for this selection process, does not sufficiently explain how choosing the particular pilot participants will assist the Home Office in meeting its stated purposes. As a result, it fails to set out how the selection of each participant is necessary and proportionate for the purpose of the pilot. 126. Section 3.1 of the Draft DPIA V2.3 also states that data subjects will not be electronically tagged if it would breach “Convention Rights” (meaning Human Rights under the Human Rights Act 1998) or if it is not practical to do so, and that this assessment is taken on a case by case basis, with representations invited. There is insufficient further detail as to the circumstances in which electronic monitoring might breach Convention Rights or be deemed not to be practical, and insufficient detail is given as to the means by which Home Office staff will identify potential Convention Rights interferences. The Commissioner’s views on how the Pilot Guidance deals with Convention Rights are addressed further at paragraphs 171-174 below. 127. The tenth paragraph of section 3.1 of the Draft DPIA V2.3 sets out that data subjects will be given a new notice. There is not enough detail to demonstrate how data subjects are informed about how their data is being processed, particularly taking into account their circumstances and potential vulnerabilities. (See paragraphs 184- 188 in relation to the Commissioner’s assessment of the extent to which the Updated Privacy Notice(s) comply with UK GDPR). We note that Home Office has stated in its Representations that 39Enforcement Notice “Whilst privacy notices were available, the primary communication method was via direct engagement (given the limitations of privacy notices in this context)” 128. The Commissioner acknowledges the benefit of this approach, but additional details would be needed to explain how this information was effectively delivered and documented. This must be recorded within the DPIA so this can be taken into account as part of the necessity and proportionality test. 129. The DPIA should contain an assessment of the necessity and proportionality of retaining the data and the safeguards in place for access to retained data. This should include justification for the retention periods. In light of the volume and sensitivity of the trail data collected this should include an assessment of whether all the trail data is required to be retained for the stated retention periods. 130. The Home Office in its Representations explained that: “Standard Home Office policy applies (in most cases, this will be six years after the closure of the claim). The six year retention period was determined over a period of years and allows time for judicial reviews, complaints and legal reparation. Where information is used as part of a criminal investigation the standard law enforcement retention times will apply once the data is moved to the investigation service.” 131. The DPIA should have documented that the Home Office had considered whether the standard Home Office policy of a 6 year retention period should apply, and the reasons why it was decided that it does. The Commissioner agrees that in principle a 6 year 40Enforcement Notice retention period may be appropriate, provided Home Office has decided that this complies with the principle of data storage limitation for these particular types of personal data. The DPIA should also have noted that any pilot personal data which is used as part of a criminal investigation will then be retained in line with the retention periods of the Home Office investigation service. 132. Where access to the trail data forms part of the Operational Purposes of the pilot, the DPIA must set out whether this processing is also necessary and proportionate for the purposes of the pilot and is in compliance with UK GDPR generally (such as the Article 5(1)(c) principle of data minimisation). This is not in Draft DPIA V2.3. 133. Where access to the trail data is supplementary to the purposes of the pilot (the Non-Operational Purposes), there is no need for a detailed necessity and proportionality assessment within the DPIA itself as long as this assessment is made as part of the process prior to access being granted. There should be detailed guidance in place to reflect this and ensure that Home Office staff carry out the assessment correctly. The DPIA should refer to this decision process to ensure UK GDPR compliance. This is not referred to in Draft DPIA V2.3. Article 35(7)(c): “an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1” 134. Article 35(7)(c) states that a DPIA shall contain at least: “...an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1.” 41 Enforcement Notice 135. The ICO’s DPIA guidance states that controllers should consider the potential impact of the processing on individuals, and any harm or damage the processing may cause (whether physical, emotional or material). 136. Section 7 of the Draft DPIA V2.3 set out the “Risks of the Processing.” Only two risks were identified: (1) “processing of data relating to an individual’s whereabouts during the monitoring period” and (2) “the individual is subjected to monitoring and the data that this produces.” 137. The Draft DPIA V2.3 additional risk section 7.2(2) set out the following additional risks: 1(A)&(B) “continuous access to data/monitoring, inappropriate access and/or use of data”; 1(C)&(D) “use of data collected not compatible with purpose, misuse of special category data, unauthorised access to data”; 1(E) “unauthorised access to data”; and 1(F) “risk to vulnerable data subjects.” 138. There is a column in the additional risk section 7.2(2) headed “Impact”, but for each risk the detail is insufficient. For example, for risk 1(A), (B) and (C) it states “intrusion on privacy (disproportionate to the purpose of collection).” 139. The Commissioner’s assessment is that more detail on risks and impact is needed here, beyond a high-level statement of the types of risk and impact. The DPIA should detail and consider: • the risks and impact of physical, psychological and material harm. The Home Office should refer to the ICO’s 9How do we do a DPIA? | ICO 42 Enforcement Notice harms taxonomy . For example, the risks of stigmatisation of data subjects and inhibited movement; • the potential risks and impact to vulnerable data subjects; • the potential risks and impact of processing special category data; • the risk and impact to a data subject if a Home Office staff member mistakenly issues an electronic tag in breach of Convention Rights and/or without understanding their vulnerability; • the risk and impact of at least some data subjects being unlikely to have a comprehensive understanding of the data processing activities associated with electronic monitoring and the associated risks to them, due to their circumstances; • the risk and impact of a lack of transparency regarding the data processing activities associated with electronic monitoring, which may undermine, complicate or hinder the data subjects’ exercise of their rights; and • risks and impacts related to compliance with the data minimisation principle in Article 5(1)(c) when accessing trail data. 140. The above paragraph does not represent a comprehensive list of the risks arising from processing connected to the pilot and the potential harms that could be caused. 10Overview of Data Protection Harms and the ICO Taxonomy 43Enforcement Notice 141. The Home Office in its Representations has stated that “these risks are more speculative, contingent and more remote in nature than the rest listed or than is usually considered in such circumstances”. 142. The Commissioner strongly disagrees with this representation. An important part of a DPIA is to undertake a comprehensive review of risks based on the likelihood and severity. Of course it is not always possible for a DPIA to cover every risk, and it is reasonable to omit risks which are too speculative and too remote. However, the risks outlined in paragraph 139 above should have been included in the risk assessment. In each case there is more than a minimal risk of occurrence, in particular given the number of data subjects, their vulnerabilities and the invasive nature of the processing. 143. The Commissioner’s assessment is that, in breach of Article 35(7)(c) UK GDPR, the Home Office has either failed to assess, or has inadequately assessed, the risks to the rights and freedoms of data subjects arising from the processing connected with the pilot. Article 35(7)(d) “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned”. 144. The Commissioner’s view is that the Home Office’s assessment of measures to address the risks was insufficient to meet the requirements of Article 35(7)(d). 44Enforcement Notice 145. The risk assessment table sets out a number of mitigating actions which the Home Office has taken to reduce or eliminate the risks identified. However, without a full and complete assessment of the potential risks to data subjects in accordance with Article 35(7)(c), the measures to address risk in the pilot are insufficient. 146. Paragraph 7.3 of the Draft DPIA V2.3 poses the question: “Can you demonstrate that the risk to the individuals is sufficiently balanced by the perceived public protection benefits[?]”. In response, the Draft DPIA V2.3 states that: “GPS expansion is still a Pilot at this stage to test the use of Electronic Monitoring (EM) as a condition of immigration bail for those making hazardous journey to the UK. If a decision is made about its wider roll-out, the team will test and weigh the risks to the individuals against the perceived benefits.” 147. The Commissioner acknowledges that the fact this is a pilot did provide allowances in the evidence base for decisions. The Commissioner’s view is that a pilot still required a detailed risk assessment and effective risk mitigation, given that the data subjects involved in the pilot would have been exposed to any relevant risks. 148. The Commissioner’s view is that the Home Office has not fully complied with the requirements of Article 35(7)(d). The mitigation measures listed in the Draft DPIA V2.3 were not based on a sufficiently detailed risk assessment (in accordance with Article 35(7)(c)) and so the Home Office cannot assess if the mitigations are appropriate. 45 Enforcement Notice INFRINGEMENT OF ARTICLE 5(2) UK GDPR 149. The Commissioner’s assessment is that the Home Office has failed and is failing to comply with Article 5(2) UK GDPR in relation to its processing of the pilot personal data for the reasons set out below. Legal Framework – Article 5 150. Article 5(1) UK GDPR imposes a requirement on controllers to only process personal data in accordance with six principles: “(1) Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the 46Enforcement Notice purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” 151. There is a seventh principle, which is set out in Article 5(2) UK GDPR: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” 47 Enforcement Notice The Home Office’s failure to comply with Article 5(2): the principle of accountability 152. The Commissioner’s assessment is that the Home Office has failed and is failing to adequately demonstrate its compliance with: • Article 5(1)(a), the principle of lawfulness, fairness and transparency; and • Article 5(1)(c), the principle of data minimisation. 153. In these circumstances, the principle of lawfulness, fairness and transparency requires compliance with (inter alia) four key UK GDPR Articles: • for lawfulness: Article 6 (lawfulness of processing) and Article 9 (processing of special categories of personal data); and • for fairness and transparency: Article 12 (transparent information, communication and modalities for the exercise of the rights of the data subject) and Article 13 (information to be provided where personal data are collected from the data subject). The Home Office must demonstrate its compliance with those four Articles, to comply with Article 5(2). 154. The Commissioner accepts the Home Office’s Representation that the UK GDPR does not require compliance with Article 5(2) in any particular form. The Commissioner has based his assessment on the documents provided by the Home Office, and notes that the Home Office has not provided any further documents with its Representations for consideration. On that basis, the Commissioner concludes that there are no additional documents 48Enforcement Notice which demonstrate the Home Office’s compliance with the purpose of compliance with Article 5(2). 155. For ‘lawfulness’, the key documents are: the Draft DPIA V2.3, the Pilot Guidance, the Data Access Request Form, the Data Access Guidance and Process to Access Information. 156. For ‘fairness and transparency’, the key documents are those provided as privacy information. From Draft DPIA V2.3, these are: • the departmental privacy notice (the Home Office’s high level privacy notice: Borders, immigration and citizenship: privacy information notice); • privacy information within the EMS booklet; and • the STS PIN. In this EN, these documents together will be referred to as the “Updated Privacy Notice”. 157. For ‘data minimisation’, the key documents are Draft DPIA V2.3, the Data Access Request Form, the Data Access Guidance and the Process to Access Information. 158. The Commissioner’s assessment is that the cited documents do not demonstrate compliance with the relevant Article 5(1) principles, and on that basis the Home Office has failed and is failing to comply with Article 5(2). The details are set out in the following paragraphs. 49 Enforcement Notice (i) LAWFULNESS: demonstrating compliance with Article 6 (lawfulness of processing) and Article 9 (processing of special categories of personal data) 159. The Commissioner’s assessment is that the Home Office has failed and is failing to demonstrate its compliance with Articles 6 and Articles 9, for the reasons set out below. Draft DPIA V2.3: 160. From Draft DPIA V2.3, the Home Office is processing pilot personal data under the Article 6(1)(e) lawful basis: “...processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” 161. According to Draft DPIA V2.3 the Home Office is processing special category personal data for the pilot under Article 9(2)(g) and schedule 1 paragraph 6 of the DPA, which together require that processing is (a) necessary for either the exercise of a function conferred on a person by an enactment or the rules of law, or a function of a Minister of the Crown or government department; and (b) is necessary for reasons of substantial public interest. 162. In these circumstances, the public ‘task’ referred to in paragraph 160 above, and the public ‘functions’ referred to in paragraph 161 above, are the same, being those functions of the Home Office set out in various immigration statutes (see paragraphs 19-21 above) (the “relevant public tasks/functions”). 163. The Commissioner’s view is that the Home Office has not demonstrated in the Draft DPIA V2.3 the assessment of how 50Enforcement Notice processing of pilot personal data is necessary and proportionate for each processing activity needed for the Home Office to carry out relevant public tasks/functions. More information on this is set out in paragraphs 117-133 above. The Pilot Guidance, the Data Access Request Form, the Data Access Guidance and Process to Access Information 164. Furthermore, the Commissioner’s assessment is that the guidance given to Home Office staff in the Pilot Guidance, the Data Access Request Form, the Data Access Guidance and Process to Access Information, does not demonstrate that the Home Office is only processing the pilot personal data when it is necessary and proportionate for the Home Office to carry out relevant public tasks/functions. In particular, when its staff processes pilot personal data in relation to: (a) deciding whether or not to issue an electronic monitoring bail condition to a data subject; and (b) accessing the trail data. (a) In deciding whether or not to issue an electronic monitoring bail condition to a data subject 165. In deciding whether or not to issue an electronic monitoring bail condition to a data subject: the decision-making process laid out by the Pilot Guidance is that the presumption is that electronic monitoring should be used unless: • one of only four exceptions apply, namely the data subject is under 18, has been released from detention under sections 37 or 41 of the Mental Health Act 1983 and remains subject to a supervision order, is pregnant 51Enforcement Notice (18+ weeks) or has recently given birth (up to 3 months post-partum), or resides in Scotland or Northern Ireland. However this can be overridden by an Assistant Director; or • it is impractical; or • it would breach Convention Rights. 166. Home Office in its Representations stated that: “These were not the only exemptions – they were merely the exemptions that definitely applied in every case. There was no presumption that EM should be used unless a limited set of exemptions applied. Decision makers were able to take a non- exhaustive list of practical reasons and representations into account. “Immigration bail conditions guidance: There will be some cases that may not be suitable for an EM condition for practicality reasons or because there is a risk that their rights under ECHR could be breached. When reviewing the individual circumstances of the particular case and deciding whether it is appropriate to monitor a person, the following should be taken into consideration: • whether there is strong independent medical evidence to suggest that an EM condition would cause serious harm to the person’s mental or physical health • whether a claim of torture been accepted by the Home Office or a Court 52Enforcement Notice • whether there has been a positive conclusive grounds decision in respect of a claim to be a victim of modern slavery • whether the person’s mental capacity is deemed to be a bar to understanding the EM conditions and therefore their ability to comply for example, a person suffering with dementia • whether the individual is suffering with phlebitis or similar conditions which cause swelling of the lower legs • whether the individual is showing any signs of frailty or age-related conditions which may impact on the person’s ability to wear and/or maintain the device The above list is not exhaustive: decision makers must consider the individual circumstances of each case.” 167. It seems that the stated intention of the Home Office in its Representations, is not reflected in the Pilot Guidance. The Commissioner remains of the view that the way the decision making process is explained in the Pilot Guidance does mean there was a presumption that electronic monitoring must be used unless limited exceptions applied. In particular: • The first key section is the list of 4 exemptions, under the heading ‘Use of EM’, on page 8 of the Pilot Guidance. The effect of this on the decision making process is that only those people who fit within the exemptions are ruled out of electronic monitoring. • The second key section is on page 13 of the Pilot Guidance. It states that: 53Enforcement Notice “There will be some cases that may not be suitable for an EM condition for practicality reasons or because there is a risk that their rights under ECHR could be breached.” The effect of this sentence is that the presumption is that an electronic monitoring condition should be imposed unless there is a practicality reason or a risk to ECHR rights. 168. The fact that this is the guidance provided (in other words, that the presumption for Home Office staff is to electronically tag a data subject) means that two further actions should have been taken by the Home Office: • first, the DPIA should have explained why adopting a default position of tagging the data subject unless one of a limited and explicit list of exceptions applies was necessary and proportionate for the relevant public tasks/functions. This is not the case here (see paragraphs 117-133); and • second, the Pilot Guidance should have set out a detailed and (near) exhaustive set of situations in which the default presumption will be inapplicable and/or detailed guidance how to decide if the electronic monitoring is impracticable or breaches rights under ECHR. This is not the case here (see paragraphs 170-177). 169. Without this, the Home Office is unable to demonstrate why, for each data subject, the decision to tag them was necessary and proportionate for the purpose of the pilot and the relevant public tasks/functions. 54Enforcement Notice 170. In particular, there is no or limited guidance as to: • when an Assistant Director should decide to issue an electronic monitoring condition despite one of the exceptions applying; • when an electronic monitoring condition is “impractical”. Just two paragraphs are provided on this point, at page 10 of the Pilot Guidance, with the only example being that “an individual may reside in a property which has both a poor GPS signal and is not served by electricity”; and • when an electronic monitoring condition breaches Convention Rights (although this seems to be in the wrong section of the guidance). 171. The main section in the Pilot Guidance on how Home Office staff should apply Convention Rights sets out a list of considerations for staff when “deciding whether it is appropriate to monitor a person”. This is the list of criteria set out in the Representations in paragraph 166 above. 172. The Pilot Guidance states that meeting one of these criteria does not prohibit imposing an electronic monitoring bail condition. The Home Office staff must consider the balance between that and other (unnamed) factors. The Pilot Guidance requires that the decision to impose in that situation must be agreed by at least an Assistant Director. There is no further detail in the Pilot Guidance as to how those decisions should be made to ensure compliance with Convention Rights and UK GDPR. 173. In finding that balance, it is not clear if the alternative is detention or alternative bail condition(s). 55Enforcement Notice 174. If the Home Office staff member did not consider it appropriate to issue an electronic monitoring bail condition for a different reason, this had to be signed off at least at SEO level. There is no further detail in the Pilot Guidance as to how those decisions should be made to ensure compliance with Convention Rights and UK GDPR. 175. The Pilot Guidance requires medical evidence but acknowledges that it may take time to substantiate that claim (up to 28 days). There is no reference to allowing time for the Home Office or a court to accept a claim of torture, or for a Home Office decision that the data subject is a victim of modern slavery. 176. The Pilot Guidance sets out when representations from the individuals must be invited. The Home Office has stated in its Representations that: “The HO is under various legal duties to consider the rights position and welfare of data subjects and this standard of care won’t change materially whether a person makes representations or not or makes less or limited representation because of the power balance. The representations mechanism is designed as an additional evidence gathering route to assist carrying out HO duties. If an individual didn’t make representations or limited their representations due to power imbalance that wouldn’t legally or practically allow the HO to provide them with a lower level of treatment.” 177. The Commissioner accepts this Representation. However the section of the Pilot Guidance which deals with data subject representations does not explain this. This means the Home Office is unable to demonstrate that proportionate influence is placed on 56Enforcement Notice the representations (including where limited or no representations are made) in the decision making process. (b) In accessing the trail data 178. There is limited detail as to when and how decisions to access and use the trail data must be made in the Draft DPIA V2.3, the Pilot Guidance, the Data Access Request Form, the Data Access Guidance or the Process to Access Information. This means that Home Office is unable to demonstrate that this processing of the trail data would be necessary and proportionate for the relevant public functions/tasks. 179. For access to the trail data for the Operational Purposes, there is insufficient assessment in the Draft DPIA V2.3 as to whether and to what extent access to trail data is necessary and proportionate for the purposes of the pilot and so the relevant public functions/tasks. (See paragraphs 132 and 133 above). 180. For access to the trail data for the Non-Operational Purposes, the Home Office could choose to make an assessment of the necessity and proportionality of each particular instance of access by reference to the purpose of the request on a case by case basis at the time of receipt. This could then be demonstrated in its guidance for staff who are deciding to access and use the trail data for those purposes. 181. For both the Operational and Non-Operational Purposes, the, there is little or no guidance in the Pilot Guidance, the Data Access Request Form, the Data Access Guidance or the Process to Access Information for Home Office staff as to how to make the decision to access the trail data. 57 Enforcement Notice 182. Home Office has stated in its Representations that accessing and using trail data: “… is covered in the Process Control Document. N.B. There were 62 occasions in which trail data was accessed for the purposes of the pilot. 56 of these occasions related to alerts as a result of ‘strap tamper’ i.e. where the EM device was damaged and rendered inoperable. 6 related to less serious bail breaches e.g. battery depletion.” 183. The Process Control Document (which we refer to as the Process to Access Information) sets out the Home Office process for data requests but does not provide guidance to Home Office staff about how to make the decision to access the trail data. The only guidance given is that when triaging the request the staff member: ”triages it to ensure it meets the necessary data sharing protocols, eg duly authorised, and the request is necessary, justified and proportionate…” This is not sufficient to demonstrate that access to the trail data is necessary and proportionate for the relevant public functions/tasks. (ii)FAIRNESS AND TRANSPARENCY: Demonstrating compliance with Articles 12 and 13 184. The Updated Privacy Notice is made up of three documents, namely: • the STS PIN; 58Enforcement Notice • a privacy notice within the EMS booklet; and • the departmental privacy notice (the Home Office’s high level privacy notice: “Borders, Immigration and Citizenship: privacy information notice”). 185. The Commissioner’s assessment is that the Home Office has not demonstrated by its Updated Privacy Notice, that, in compliance with Article 12, all data subjects have been provided with all the information required by Article 13 in a: “concise, transparent, intelligible and easily accessible form, using clear and plain language”, This means the Home Office has not demonstrated compliance with Article 5(1)(a) (the principle of ‘fairness and transparency’). 186. The failures to demonstrate compliance with Article 12 are as follows: • The Updated Privacy Notice, and in particular the STS PIN, fails to set out the privacy information clearly in one place. This may be a single document with clear links or references to other documents with an explanation as to how each applies and interacts. • The purpose of processing in the STS PIN remains unclear and is not consistent with the purpose set out within the Draft DPIA V2.3. The STS PIN describes the purpose of processing as follows: “From 15 June 2022, the HO is running a pilot to test whether Electronic Monitoring is a better means of maintaining contact with people who have arrived in 59Enforcement Notice the UK via unnecessary and dangerous routes. The HO wants to know if the use of these devices will: • Help the HO keep in contact with more people while their application is being processed than is currently the case; • Test out whether the device information can help the HO in regaining contact with individuals when contact is lost; And as [a] result this may enable the HO to process applications quicker”. This does not align with the purposes set out in Draft DPIA V2.3 (see paragraph 35 and 36 above). • The addition of the reference in STS PIN to processing applications “quicker” is at best confusing for data subjects and at worst could be misleading, as it may lead them to consider that their application will be processed more quickly if they participate in the pilot. • The STS PIN sets out how and when trail data is accessed: “It is not anticipated that GPS trail data will be needed other than in very exceptional circumstances and the Home Office will always consider whether to do so is necessary and proportionate before making a request to see the data.” There is no explanation or guidance on what the “very exceptional circumstances” may include. 60Enforcement Notice • The term “GPS Trail data” is not defined or explained and this gap in the STS PIN is likely to inhibit understanding. • The three documents forming the Updated Privacy Notice are not sufficiently integrated; there are inconsistencies and information gaps. For example, the Electronic Monitoring Handbook states the controller to be the Ministry of Justice. • The information in the STS PIN provided on special category data is not clear. It states that: “This project will be using special category data that concerns a person’s health when considering whether a GPS tag is suitable for each individual. No other special category data is used for this project. However, the Home Office does collect and use data that identifies an individual’s nationality and has decided that this information will be given the same level of protection as that of special category data to protect the individual. Where geographic location is collected, this purpose will not be used to identify special category data. Geolocation is only used for the purposes outlined in your EM booklet to maintain contact with you.” This is confusing and it would be unclear to a data subject what this meant for them. It is not clear if information about a person’s health and nationality are processed only as a result of the pilot, or if this is personal data which the Home Office would process in any event. 61Enforcement Notice In addition, this does not accurately reflect the fact that special category data may be processed when the trail data is accessed, depending on the data subjects movements (see Paragraphs 95-101 above). This should be clearly explained to data subjects. • The STS PIN refers to GPS coordinates, trail data, geographic location and geolocation. It is not clear if these are different types of data or different ways of referring to the same data. 187. The Commissioner has reviewed the improvements to the privacy information made by the Home Office in response to previous recommendations made by the Commissioner. However, the Commissioner’s view remains that the Updated Privacy Notice, and in particular the STS PIN, still does not demonstrate compliance with the requirements of Article 12, and this means that compliance with the requirements of Article 13 has not been effectively provided. 188. The Commissioner welcomes the explanation from the Home Office in its Representations that its Home Office staff explained orally to data subjects how their data will be used. However: • There is still a requirement in Article 12 for the information referred to in Article 13 to be provided in writing or other means such as electronic means. The information must be provided in a concise, transparent, intelligible and easily accessible form using clear and plain language. It can be provided orally if requested by the data subject. 62 Enforcement Notice • In any event, this oral explanation cannot be taken into account regarding Article 5(2) and demonstrating compliance with the transparency principle and Articles 12 and 13, as how this was done by Home Office staff was not set out in any detail in Draft DPIA V2.3 and/or Pilot Guidance and/or in the Updated Privacy Notice. (iii) DATA MINIMISATION: Demonstrating compliance with Article 5(1)(c) 189. The Commissioner’s assessment is that the Home Office has failed to demonstrate its compliance with Article 5(1)(c), and so is in breach of Article 5(2), for the reasons set out below. 190. This finding is further to the lack of detailed guidance available to Home Office staff when deciding whether or not to access trail data and use trail data in making decisions (see paragraphs 178- 183 above). 191. The Draft DPIA V2.3 fails to expressly apply the principle of data minimisation to the occasions when the Home Office may access the trail data (for its own or a third party’s purposes) and how much of the trail data to request access to. For example, there is no reference to the importance of limiting the time period for which access is requested. 192. Similarly, the Data Access Request Form, the Data Access Guidance and Process to Access Information fail to give Home Office staff any guidance on how to consider and apply the principle of data minimisation when requesting access to the trail data. For example, the Data Access Guidance does not advise Home Office staff to consider whether to make the request at all (in circumstances where, for a minor breach, the first step could 63 Enforcement Notice be to contact the data subject), or to only make a request for specific data and for a limited time period where required. PART V: DECISION TO ISSUE THIS ENFORCEMENT NOTICE 193. The Commissioner requires the Home Office to take the steps set out in Annex 1. The Commissioner considers these are appropriate and proportionate steps for the purpose of remedying the failures identified by the Commissioner in this EN. Legal Framework – Enforcement Notices 194. Under section 149(6) DPA, an enforcement notice given in reliance on section 149(2) DPA may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failures identified by the Commissioner. 195. Pursuant to section 150(1) DPA, “an enforcement notice must state what the person has failed or is failing to do, and give the Commissioner’s reasons for reaching that opinion.” 196. When considering whether to issue an enforcement notice in reliance on section 149(2) DPA, the Commissioner must, in accordance with section 150(2) DPA: “consider whether the failure has caused, or is likely to cause any person damage or distress.” 197. Where an enforcement notice is issued in reliance on section 149(2) DPA, section 150(3) DPA makes it clear that: “the Commissioner’s power under section 149(1)(b) to require a person to refrain from taking specified steps includes the power: 64 Enforcement Notice a) to impose a ban relating to all processing of personal data, or b) to impose a ban relating only to a specified description of processing of personal data, including by specifying one or more of the following: (i) a description of personal data; (ii) the purpose or manner of the processing; (iii) the time when the processing takes place.” 198. Pursuant to section 150(4): “an enforcement notice may specify the time or times at which, or period or periods within which, a requirement imposed by the notice must be complied with.” Matters the Commissioner has had regard to: 199. The Commissioner has made an assessment (as required in accordance with section 150(2) DPA when deciding whether to serve an enforcement notice) of whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner’s view is that, based on the current versions of the Draft DPIA V2.3, the Pilot Guidance, Data Access Request Form, the Data Access Guidance and Process to Access Information, and Updated Privacy Notice, for at least some data subjects, damage and/or distress is likely to have been caused and there is a significant risk that damage and/or distress may be caused in future. 200. This is because (inter alia): 65Enforcement Notice • the infringements which the Commissioner has identified could have had, and could have, important consequences for those data subjects who were electronically tagged, in particular as the data subjects were in a situation which was likely to make at least some of them vulnerable; • the failure by the Home Office to adequately assess (in Draft DPIA V2.3) and give guidance to its staff on how to make the assessment of the necessity and proportionality of the processing for the purpose of the pilot meant there was no assurance for any data subject that electronic monitoring as an immigration bail condition was a fair and balanced measure, assessed alongside alternatives. Some data subjects may have been tagged when it was not necessary and proportionate; • the Commissioner has not seen adequate evidence of safeguards against the risks to data subjects associated with electronic monitoring as an immigration bail condition. For those being monitored, for example, this could have included psychological harm for example due to actual or perceived stigmatisation and a perceived need to inhibit movement; • data subjects may not have expected their data to be processed in the way that the Home Office is processing it, and may not expect their data to be processed in the way the Home Office and third parties may process it in future (as they have not been given an effective privacy notice); and/or 66Enforcement Notice • some or all of a data subject’s trail data may have been accessed when it was not necessary and proportionate for the purpose of the pilot (or for one of the Non- Operational Purposes), and may be accessed when it is not necessary and proportionate for one of the Non- Operational Purposes. In addition more trail data than is needed may have been, or may be accessed. 201. The Commissioner’s assessment is that compliance with the UK GDPR provisions referred to above is a matter of importance to data protection law. Even if a failure to comply has not caused, or is not likely to cause, any person damage or distress, the issue of this enforcement notice to compel compliance would nonetheless be an appropriate exercise of the Commissioner’s enforcement powers. 202. The Commissioner considers that the failures set out in this EN are important for compliance with UK GDPR by the Home Office more broadly than just this pilot. The Commissioner is concerned that failures here could be repeated by Home Office for other operations. In particular the Home Office’s failure to: • document in enough detail each processing activity for the purpose of a DPIA, including the nature, scope, context and purposes; • carry out an assessment of necessity and proportionality for each processing activity; • carry out a risk assessment of the risks to the rights and freedoms of data subjects for the purpose of a DPIA • identify vulnerability in data subjects 67 Enforcement Notice • provide a privacy notice “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”, which takes into account the nature of data subject including any vulnerabilities • provide detailed guidance to staff who need to apply key legal constructs such as applying the necessity and proportionality test, the principle of data minimisation, or applying rights under the Human Rights Act. 203. The Commissioner has taken into consideration the Representations, including the fact that the pilot has ended, including all electronic monitoring under the pilot, and no new trail data is being collected. The ongoing processing of pilot personal data is in the retention of the pilot personal data including trail data, and potential access and use of the trail data by Home Office staff and potential disclosure to the data subject and third parties of the trail data. 204. In June 2022, the Commissioner set out a revised approach to public sector enforcement to be trialled over two years. 11 To support this approach, the Commissioner committed to working proactively with senior leaders in the public sector to encourage compliance, prevent harms before they occur, and learn lessons when things have gone wrong. In practice, this means that for the public sector the Commissioner has committed to increasing the use of public reprimands and enforcement notices, only issuing 12 fines in the most egregious cases. 11Open letter from UK Information Commissioner John Edwards to public authorities, 30 June 2022. 12See ICO25 – Our RegulatoryApproach, 7 November 2022, p.7. 68 Enforcement Notice 205. The Commissioner has had regard to the revised public sector approach in reaching the decision to issue this EN. The Commissioner is satisfied that this case is one which meets the criteria for formal enforcement action, to reflect the seriousness of the infringement and the significant risk to data subjects. 206. The Commissioner has had regard to the desirability of promoting economic growth, and the potential impact this enforcement notice might have in this regard. Decision to issue this Enforcement Notice 207. Having had regard to those matters set out in paragraphs 199- 206 above, and the nature of the infringements, the vulnerable nature of some data subjects, the scale of the personal data being processed and the context in which it is processed, the Commissioner’s view is that this EN is an appropriate regulatory step to remedy the failures identified in this EN. PART VI: APPEAL 208. The Home Office is entitled to appeal against this EN to the First- tier Tribunal (Information Rights) by virtue of Section 162(1)(c) DPA. If an appeal is brought against this EN, the EN need not be complied with pending determination or withdrawal of that appeal. 209. Information about the appeals process may be obtained from: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester Lel 8DJ 69 Enforcement Notice Telephone: 0203 936 8963 Email: grc@justice.gov.uk 85. 210. Any Notice of Appeal should be served on the First-tier Tribunal within 28 calendar days of the date on which this EN is sent. Dated: 28 February 2024 John Edwards Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 70 Enforcement Notice ANNEX 1 TERMS OF THE ENFORCEMENT NOTICE Within 28 days of the date of this Enforcement Notice, the Home Office must provide to the Commissioner the following documents: 1 Updated versions of the Data Access Request Form, the Data Access Request Guidance and the Process Control Document which meet the requirements of Article 5(2) to demonstrate compliance with the Article 5(1)(a) principle of lawfulness and Article 5(1)(c) principle of data minimisation, when Home Office staff access, use and disclose trail data. 2 An updated version of the STS PIN which meets the requirements of Article 5(2) to demonstrate compliance with the Article 5(1)(a) principle of fairness and transparency and which meets all the requirements of Articles 12 and 13 (“Revised Privacy Notice”). This Revised Privacy Notice must cover the past, current and potential future processing of the pilot personal data by the Home Office. 3 Documentation of the process to provide the Revised Privacy Notice to all data subjects whose trail data is retained by the Home Office, in accordance with Article 12. This must include how this Revised Privacy Notice will be provided to data subjects with limited understanding of English. 71