ICO Reprimands UK Home Office for Privacy Violations
Home Office Electronic Migrant Tracking System Violates UK GDPR, Says ICO
A defunct U.K. Home Office pilot project that tracked the whereabouts of 600 migrants violated British privacy law, the British data regulator said early Friday in London, giving the agency a deadline of nearly a month to bring its data processing requirements under compliance.
The U.K. Information Commissioner's Office issued a warning to the Home Office for failing to evaluate the privacy risks posed by a pilot electronic monitoring program the department deployed to track 600 migrants in the United Kingdom from 2021 until December 2023.
The real-time monitoring system consisted of a global positioning system receiver that the migrants wore on their ankles. According to the Home Office, the project sought to test the effectiveness of the location monitoring system for maintaining regular contact with asylum claimants.
Rights group Privacy International filed a complaint against the Home Office project in 2022, calling the system "invasive." Location information can reveal a slew of sensitive information, such as religious observance, romantic status and health.
Acting on the Privacy International complaint, an ICO investigation found the Home Office had failed to assess the potential privacy impact of the "continuous collection of people's location information" on people who "may already be in a vulnerable position."
The Home Office also did not provide clear information to immigrants, whose first language may not have been English, on how their live location was being used and its purpose, said the ICO.
"Lack of clarity on how this information will be used can also inadvertently inhibit people's movements and freedom to take part in day-to-day activities," said Information Commissioner John Edwards. "The Home Office did not assess those risks sufficiently, which means the pilot scheme was not legally compliant."
The data regulator gave the Home Office 28 days to comply with privacy obligations under the U.K. General Data Protection Regulation - a British statute that mirrors the European privacy regulation. The regulator also ordered the department to delete or anonymize the data collected from the scrapped project.
A Home Office spokesperson rejected the ICO's observation that the department had failed to "sufficiently address" privacy risks posed by the pilot program.
"The pilot was designed to help us maintain contact with selected asylum claimants, deter absconding and progress asylum claims more effectively," the spokesperson told Information Security Media Group. "We will now carefully consider the ICO's findings and respond in due course."
Lucie Audibert, a senior lawyer at Privacy International, said the ICO decision is a "small ray of hope in a context of systematic, tech-facilitated violations."
"Immigration authorities around the world keep deploying cruel and performative policies without regard for the law. Now the niche but fundamental area of data protection law is starting to bite back at them and showing itself to be a powerful tool to protect people on the move," Audibert said.
Last year, the ICO fined the Ministry of Defense 350,000 pounds for accidentally exposing sensitive data of 250 Afghan nationals eligible for evacuation following the complete withdrawal of Western military troops from the country in 2021.