bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

UK Home Office privacy breaches: what can we learn from the ICO’s recent enforcement notice?

15 March 2024

The UK’s Information Commissioner’s Office (ICO) issued an enforcement notice and warning to the UK Home Office this week for breach of data protection rules. It provides a helpful reminder to all organisations in the UK handling personal data, from UK government institutions right down to small businesses.

The scheme under scrutiny

In June 2022, the Home Office launched a pilot scheme to electronically monitor people arriving in the UK via unauthorised means. The pilot sought to test whether electronically monitoring migrants seeking asylum could be an effective replacement for detention and make flight less likely. The Home Office’s GPS-enabled ankle trackers were worn by a sample of migrants and tested until December 2023.

Lily Morrison
Solicitor

ICO disapproval

The Home Office, like any entity handling personal data, must assess the privacy risks associated with its activities and balance these with the rights of data subjects. The relevant considerations in this case were some of those that all entities should have in mind when processing data.

Proportionality. A high level of intrusion into private life will increase the risks to data subjects’ rights and freedoms. For example, in the Home Office case, tracking people continuously is highly intrusive and so a strong justification for doing so must be provided. It could potentially reveal sensitive information such as religion, sexuality or health status. Any information to be collected by an entity must be proportionate to the aims sought, and it should be clear to data subjects how the information will be used.

Vulnerable data subjects. The nature of the data subjects involved in processing is also a highly relevant consideration when assessing the possible risks. In the Home Office case, the data subjects may be in a vulnerable position due to their immigration status. It was a relevant consideration that English may not be their first language, so special measures should be in place to ensure they understood the processing that was to be carried out.

Risk of data breach. Where sensitive personal data is being used, and where the vulnerability of data subjects is a concern, it is important to recognise that the information could be mishandled in a way that would have serious consequences for the data subjects and their future. Organisations must identify such risks at the outset and assess them sufficiently.

The Home Office could not explain to the ICO sufficiently why the tracking was necessary or proportionate to the aims it sought to achieve. It could not evidence that it had considered less intrusive methods. The guidance it had provided for staff did not contain guidance to ensure the tracking was applied consistently. The Home Office also failed to provide clear and understandable information to data subjects on what information would be collected, why, how long it would be stored for, and who it may be shared with.

Lessons for all organisations

There are two key points in our opinion to take away from this enforcement notice.

The first is that the ICO did not declare that the Home Office simply may not use this technology. Rather, it was for the Home Office to sufficiently justify such intrusive data processing. Had the Home Office properly considered alternative measures and appropriate security, it may well not have been subject to the enforcement notice.

Data protection and privacy regulations should not prevent businesses from carrying out the innovative projects they seek to develop. Indeed, the UK government has been clear that it is seeking to promote innovation and foster business growth while it considers updating UK data protection laws. However, the obligation remains on organisations seeking to carry out processing to ensure it is compliant.

The second lesson is that a privacy by design approach is key. Data protection and privacy considerations must be built into projects from the bottom up. The ICO in this case noted that policies were not uniform, staff were not trained adequately, and privacy considerations were not clearly noted. Organisations seeking to use new innovative technologies must ensure they seek expert data protection advice at the outset of the project to ensure it is built into its roots.

If you are seeking data protection advice please do not hesitate to get in touch.

Lily Morrison, Trainee Solicitor: lmo@bto.co.uk / 0131 222 2939 
