The UK Home Office has been issued an enforcement notice alongside a stern warning by the Information Commissioner’s Office (ICO) for inadequately assessing the privacy implications of electronic monitoring of migrants. This action follows discussions with the ICO regarding a controversial pilot program that tracked the GPS locations of up to 600 migrants who entered the UK via unauthorised routes and were in immigration bail. The pilot involved the use of electronic tagging.
Despite the pilot concluding in December 2023, the Home Office has maintained possession of the GPS data, continuing to access, utilise, and share it with external entities. The ICO has mandated a comprehensive revision of the Home Office’s internal policies and directives that govern access and privacy related to the data amassed from the pilot.
The Enforcement Notice and its Significance
The ICO’s enforcement notice serves as a directive requiring immediate action. It highlights non-compliance with data protection laws and calls for updates in the handling of sensitive information. Should the Home Office replicate similar data processing in the future, it would constitute a direct violation of data protection legislation, inviting further enforcement measures.
Potential Repercussions for Non-Compliance
Although the notice in itself is a call to action rather than an immediate fine or penalty, it signals potential legal repercussions for the Home Office. The order that a fine will be imposed in the future is at odds with the ICO’s more recent policy to shy away from issuing fines to government departments or threatening the use of a fine.
The Risks of Location Data
Location data is particularly sensitive data. The nature of how it’s collected means that an intricate picture of a persons life can be inferred solely from that data. This makes it a big privacy risk. This case highlights not just the risks of processing sensitive data but also the risks of processing the personal data of individuals who may not have the means to understand the implications of this data processing.
The full decision can be read on the ICO’s website.
