Home Office – Violation Found (United Kingdom, 2024)

The Home Office (controller) is a United Kingdom government department that is responsible for immigration, security and law. As such, it oversees matters related to visas, immigration, asylum and citizenship in the UK. The ICO initiated an investigation in August 2022, citing concerns about the controller's Satellite Tracking Services GPS Expansion Pilot project, which involved continuous electronic monitoring as a condition of immigration bail for individuals entering the UK via risky routes. The pilot initiative involved fitting up to 600 individuals with electronic GPS tags to monitor their movements as part of the immigration bail conditions. These participants were compared to a control group of another 600 individuals who were not subjected to electronic monitoring. The purpose of the electronic tags was to collect data on the tagged individuals’ locations over time, which the controller could use for various purposes, including ensuring compliance with immigration bail conditions and potentially aiding in the efficient processing of asylum claims. The ICO provisionally found that the controller failed to comply with Articles 35 and 5(2) of the UK GDPR. On 19 December 2023, it sent the controller a Preliminary Enforcement Notice and Notice of Intent to Issue a Warning. On March 2024, ICO issued an Enforcement Notice and Warning Letter. It identified breaches by the Home Office of Articles 35 and 5(2) UK GDPR, finding that the controller did not conduct an adequate data protection impact assessment (DPIA) for its satellite tracking services GPS expansion pilot and failed to demonstrate compliance with principles of lawfulness, transparency and data minimisation under Article 5(1) UK GDPR. The ICO found that the controller's processing required a DPIA because it was systematic, extensive, and was likely to result in a high risk to the rights and freedoms of natural persons. The processing was systematic and extensive because it involved automated proces