Complaint against the UK’s automated recommendation tools in immigration operations
Privacy International filed a complaint with the UK Information Commissioner’s Office (ICO) against the Home Office’s policy and practice of collecting and processing data through two algorithms used in immigration enforcement operations.
On 18 August 2025, Privacy International (PI) filed a complaint against the UK Secretary of State for the Home Department (Home Office) with the UK data protection authority, the Information Commissioner (ICO). PI’s complaint challenges the large-scale processing of migrants’ personal data, including special category data through two algorithmic tools known as the Identify and Prioritise Immigration Cases (IPIC) and Electronic Monitoring Review Tool (EMRT).
What are our concerns?
EMRT and IPIC tools have both been used in the large-scale processing of migrants’ personal data, including special category data, as part of the Home Office’s immigration enforcement actions.
The use of these tools appears to often involve limited human involvement, a situation that is catalysed by unclear and inconsistent guidance provided to case workers and ‘design nudges’ which encourage them to accept the tools’ recommendations with little scrutiny.
Individuals lack any meaningful information about how their data is used, and where information is provided, it is inconsistent and contradictory. No coherent and comprehensive information is provided to migrants concerning what information the tools process and how it is used, including what consequences their deployment could have on decisions that may impact their lives.
What are our legal claims?
Our complaint argues that the Home Office’s EM policy and practice breaches the UK GDPR and DPA 2018 in a number of ways. In summary:
- Lack of transparent and adequate information provided to data subjects regarding the nature and extent of data collection and processing.
- There is an absence of a clear, accessible and foreseeable legal basis authorising the processing in violation of the lawfulness principle.
- The processing does not comply with the fairness principle and in particular falls outside the reasonable expectations of data subjects.
- The extent of data collected and the uses of the automated recommendation-making tools do not comply with the principles of necessity and proportionality.
- The re-purposing of input datasets to generate automated recommendations is incompatible with the purpose limitation principle.
- The retention of certain data is unjustified and in breach of the storage limitation principle.
- The HO has failed to carry out a lawful Data Protection Impact Assessment (“DPIA”) and/or undertake a DPIA at all in case of the EMRT. It has also failed to demonstrate compliance with the data protection principles pursuant to the accountability principle.
- The human review processes implemented by the HO are inadequate as it may in certain cases be carrying out solely ADM in breach of Article 22(1) of the GPDR.
Our evidence and collaboration
Our evidence includes substantial disclosures regarding both IPIC and the EMRT obtained via requests submitted under the Freedom of Information Act 2000 (“FOIA”) by PI and multiple other organisations.
You can access the FOIAs submitted by Privacy International on the WhatYouKnow platform, and all other publicly available information provided by others is referenced in our submission.