The ruling, which comes following a case brought by the3million and the Open Rights Group, requires the government to set out safeguards, particularly around how people in a potentially vulnerable position within the immigration system are able to access the information held about them.
The Information Commissioner was an interested party in the claim. We raised concerns that previous actions from the government, including guidance, did not provide enough clarity to an exemption that is used in a significant number of cases.
John Edwards, Information Commissioner, said:
“This ruling is about giving migrants greater clarity in how their information is used to inform life-changing decisions about where they have the right to live. It doesn’t change the immigration process, but it does mean that people will have greater confidence when they ask to see what is happening with their information, those responding to their requests will have the guidance they need to treat people fairly and with greater empathy, and it will be easier for my office to scrutinise where those requests for information have not been handled correctly.
“Given the importance of people’s right to request information about themselves, we are pleased that the court has been clear that the government must clearly set out safeguards when it restricts this right - even when these restrictions are for important purposes like immigration control.
“Protecting people’s rights, particularly where those people may not even be aware those rights exist, is a key part of the role the ICO was set up to fulfil. We were pleased to be able to offer our expertise around this case, and we’ll continue to provide advice to the government to ensure these safeguards are applied in practice.”
The Government has three months to make the changes required by the court. The ICO will update its own guidance in due course.
Notes to editors
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.