Analysis of the Disclosures following the ICO Enforcement Notice on GPS Tagging of Migrants

PI opposed the ongoing collection of invasive and potentially flawed data about individuals that the Home Office uses to make life-changing decisions about people. In August 2022, we challenged this policy by filing a complaint against the Home Office with the UK data protection authority, the Information Commissioner’s Office (ICO). Our complaint argued that the Home Office’s  practice of GPS tagging breached the UK GDPR and DPA 2018 in a number of ways, including the lack of necessity and proportionality of these intrusive practices. 

In addition to the data protection concerns, our complaint argued that GPS tagging impacts fundamental rights and freedoms, in particular the rights to privacy, freedom of expression, assembly, and association. We relied extensively on anonymous stories of individuals who recounted the debilitating impact that tagging was having on their private and family lives, as well as on their physical and mental health. We take this opportunity to thank Public Law Project, Duncan Lewis Solicitors, and Wilson Solicitors for the crucial evidence and valuable resources they have provided.

What did the ICO say in their Enforcement Notice?

On 28 February 2024, as a result of our complaint, the ICO found that the UK Government’s GPS tagging of migrants arriving to the UK by small boats and other “irregular” routes, known as the Expansion Pilot, was unlawful. The ICO issued an enforcement notice, a formal directive of the ICO requiring an organisation or authority to take corrective action, which urged the Home Office to improve its data protection compliance of the GPS tagging policy, in light of past failure to adequately consider privacy and data protection obligations.

The ICO’s findings are significant as they expose the systemic intrusive features of the GPS tagging policy. PI’s detailed analysis of the enforcement notice can be found here.

In sum, and according to the ICO, the Home Office failed to adequately assess:

• the privacy intrusion of GPS tracking, which is a highly intrusive type of processing and requires a strong justification;
• the specific risks posed to people in vulnerable positions, and failed to mitigate those risks;
• the necessity and proportionality of continuously ‘tracking individuals’ movements, particularly in light of people’s vulnerabilities and potential of further harm;
• the impact of GPS tagging on individuals and on their fundamental rights and freedoms, and in particular taking into account that relevant data subjects might be in vulnerable positions;
• the need for improved guidance and procedures to accompany such intrusive data processing because existing safeguards deemed insufficient, and;
• the obligation to properly inform data subjects of the extent of processing of their personal data, in light of its particularly intrusive nature.

This decision was a significant and unprecedented blow to the Home Office’s GPS tagging of migrants, which, has been a key part of the UK’s hostile environment policy that hinders access to rights and services, deters entry, and encourages “voluntary” departures. The ICO’s findings serve as a powerful reminder that migrants have the same data protection rights as everyone else. Additionally, this decision illustrates how privacy and data protection law can be a powerful tool in the protection of migrants’ rights.

What have we done since?

After the ICO issued its decision, PI continued to scrutinise the Home Office's ongoing GPS tagging program. 

First, we submitted Freedom of Information Act requests to the Home Office, asking for copies of the same Home Office policy documents evaluated by the ICO in its enforcement notice. We compared these documents with Home Office policy documents produced after the ICO decision to assess what measures, if any, the Home Office had enacted to comply with the decision and UK GDPR.

Our analysis reveals a disappointing situation. Significant concerns remain, and it is unclear how the few new safeguards will be implemented. Existing Home Office policies remain contradictory to one another, which may threaten the human rights of those who have been subjected to GPS tags through a lack of clarity and consistency. In some instances, the limited improvement we observed in these documents was later severely undermined by updated policies of the Home Office.

Moreover, the Border Security, Asylum and Immigration Act, which was adopted on 2 December 2025, overlooks the findings of the ICO on the invasive nature and life-altering impact of continuous monitoring through GPS tracking, and aims to mainstream electronic monitoring in an almost arbitrary manner, void of essential safeguards, and without due regard to fundamental human rights.

What did we find out?

Below we outline the key findings from the Freedom of Information requests we submitted to the Home Office in May 2024 after the ICO issued its enforcement notice. Through these requests, we sought information cited in the ICO’s enforcement notice and the warning relating to future processing dated 28 February 2024. Moreover, we asked for the available information evidencing the Home Office’s implementation of the enforcement notice and the warning.

While some information we sought was exempted from disclosure, we analysed data protection impact assessments, privacy information notices, data access requests guidance documents, and relevant annexes that can be found here. In order to understand the remedies taken by the Home Office, we compared the changes in these policy documents to the shortcomings and failures identified by the ICO. We present our key concerns below, namely continued access to trail data, collection of special category data, new uses of trail data, and the threat of mainstreaming GPS monitoring through further legislation.

Continued access to trail data

Before the ICO decision, the Home Office could access trail data without any meaningful time restrictions, enabling them to see where an individual has been at any time of the day, who they visited, and what activities they took part in. This meant that the Home Office was able to request and access trail data in excessive and unnecessary quantities, contrary to data protection laws and the right to privacy of the individuals subjected to GPS tags. The ICO determined that the Home Office failed to demonstrate that they were considering data minimisation when accessing personal data produced by GPS tags.

Trail data refers to the records of a person’s movements over time. It can reveal sensitive information - including about people's relationships, religious beliefs, political affiliations, health concerns, and sexual orientation, and can be interpreted in many ways. Moreover, trail data is not always accurately recorded with GPS tags. In an experiment conducted by Privacy International using GPS tags, we found several instances where recorded locations were inaccurate — in some cases, the wearer was shown as being on a completely different street from their actual location.

The Home Office does not seem to have made significant changes to its GPS tagging program after the ICO issued its Enforcement Notice. While the Expansion Pilot ended in December 2023, it appears that the data collected is still accessible to the Home Office. The ICO did not request the deletion of the data unlawfully collected within the Expansion Pilot, and the Home Office appears to be exploiting this gap by allowing ongoing access requests to this data. After the ICO findings, guidance produced by the Home Office in September 2024 (Satellite Tracking Services Privacy Information Notice) provided that the trail data collected within this Expansion Pilot can be accessed via a request for a specified period, “usually up to two weeks”, and a justification for the access request. 

In addition, as far as we can see due to redactions, the Home Office has not issued any actual guidance on how to assess which requests to access trail data are necessary, proportional, and in conformity with the data minimisation principle. The Home Office seems to have neglected the crucial point raised by the ICO to ensure compliance with data minimisation. In a template form for staff to request access to trail data, the space given to justify the request appears to be minimal.

Further, it appears that access to trail data remains unlimited for the Home Office in all other GPS tagging cases (i.e., trail data collected from individuals tagged after being released on immigration bail). The policy documents produced after the ICO decision are void of any safeguards. The Immigration Bail Policy of June 2025, a Home Office policy that applies to all GPS tagging practices within Schedule 10 to the Immigration Act 2016, still permits access to full trail data collected through GPS tags, arguably contrary to the requirements and spirit of the ICO’s decision.

Article 5 of UK GDPR imposes a requirement on controllers to only process personal data in accordance with seven principles. One of these principles, known as data minimisation, requires that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. As a result, in order to obtain any data, the requestor is generally required to set out the justification for accessing any personal data.

It is particularly concerning that the Home Office continues to ignore this requirement, seemingly in breach of its obligations under the UK GDPR, but also in defiance of the ICO Enforcement Notice, which explicitly identified this as an area of non-compliance. This disregard is even more troubling considering that the ICO indicated in the enforcement notice that in July 2023 it had issued a report to the Home Office which set out the Commissioner’s concerns regarding the use of GPS tagging, and presented recommendations for action needed to correct breaches of UK GDPR as the Commissioner. Concerns raised by the ICO included the volume and the nature of the data collected, especially the intrusiveness of trail data, as further outlined in the Enforcement Notice.

Collection of special category data

Special category data relates to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, data concerning a person’s sex life, and data concerning a person’s sexual orientation. UK GDPR requires that special category data be treated with a higher degree of protection as the use of such data could create significant risks to fundamental rights and freedoms.

Previous versions of Home Office policy documents on GPS tagging denied the collection of special category data. However, after the ICO decision, in September 2024 the Home Office updated its Privacy Information Notice for the Expansion Pilot and finally acknowledged that through GPS tracking, “it might be possible to infer special category data from the locations visited” from the data in relation to a specific time period.

The policy now acknowledges that special category data can be revealed by analysing the data that GPS tags collect. Yet, it claims that no inferences will be made from data collected for the main purposes of the Expansion Pilot. Moreover, the policy still fails to provide adequate guidance on how special category data will be treated for secondary purposes, i.e. for uses other than the primary reason it was collected, such as investigating breaches of immigration bail conditions. Further, the same document states that the GPS tags will not track precise movements in or around one’s address “to preserve dignity and privacy in the home”.

As it stands, these two Home Office promises are unconvincing. There is no clear guidance in these policies on how accidental inference of special category data will be prevented or mitigated, and it is unclear how, in practice, the Home Office refrains from tracking tagged individuals around their addresses. 

The Home Office's Expansion Pilot ended in December 2023. However, this GPS tagging policy still applies to the information collected whilst the pilot was in progress, including to special category  data. The disregard for adequate safeguards for special categories of data risks exposing the personal and sensitive information of individuals submitted to GPS tags.

New uses of trail data

Under the Expansion Pilot, the Home Office, as the data controller, can access trail data collected through the GPS tags in cases of: breach of immigration bail conditions, when the individual wearer loses contact with the Home Office and effectively ‘absconds’, to support or rebut claims that the wearer's Article 8 right to privacy has been violated by their GPS tag, in cases of allegations of electronic monitoring breaches, or upon receiving intelligence of an immigration bail condition, such as curfew, being breached (ICO Enforcement Notice, para. 37).

As noted by the ICO, the Home Office will continue to be able to access the personal information gathered throughout the pilot, until all the data has been deleted or anonymised, even though the pilot scheme ended in December 2023.

However, after the ICO decision, the Data Access Request Guidance document produced by the Home Office in April 2024 seems to vaguely expand the reasons for accessing the data collected via GPS tags during the Expansion Pilot. In unclear terms, it provides that the data can be accessed “in order to allow the Home Office to build an intelligence picture of potential activities that could breach the immigration laws of the United Kingdom”.

There are two main concerns with this development. Firstly, the Privacy Information Notice, also produced in September 2024, seemingly fails to lay out this specific use of collected data. This means that those subjected to GPS tags are not informed of this new use of their own data. Secondly, according to the same policy, “data passed to Home Office Intelligence would be anonymised and not attributed to individuals”. It is unclear how such data can truly be anonymised when the alleged purpose of collecting this data to begin with is to identify individuals who breach immigration laws.

Data retention

The Home Office policy regarding data collected through the GPS tag Expansion Pilot is to retain the data, in most cases, for six years. According to the Home Office, the six year retention period was determined over a period of years and allows time for judicial reviews, complaints, and legal reparation (ICO Enforcement Notice, para. 130).

The ICO found that the Home Office failed to adequately justify why their retention period for data was necessary, proportionate, and compatible with the purpose of the processing. It stated that “in light of the volume and sensitivity of the trail data collected”, the Home Office should have demonstrated an assessment of whether all of the trail data is required to be retained for the stated retention periods (ICO Enforcement Notice, para. 129). The Privacy Information Notice document updated after the ICO decision still maintains the blanket 6-year data retention period, except if the data subject leaves the UK, or is granted leave to remain in the UK. There is still no process for individuals to seek earlier deletion of their data.

What is next

PI maintains that GPS tagging migrants is an inhumane and unlawful practice. We will continue our efforts to challenge the GPS tagging of migrants including by supporting those challenging the practice in court as well as by assisting organisations involved in the drafting of legislation and policies which aim to protect the human rights and dignity of migrants.

In this spirit, on 18th August 2025, PI filed a formal complaint to the ICO about the Home Office’s use of two automated tools in immigration enforcement operations, which PI argues do not adequately comply with the UK GDPR and Data Protection Act 2018. The Identify and Prioritise Immigration Cases (IPIC) tool and the Electronic Monitoring Review Tool (EMRT) appear to be used to make life-altering decisions, including detention, removal from the UK, or electronic monitoring via GPS tags, in ways PI argues lack sufficient safeguards for the right to privacy and data protection standards.

We have yet to be informed of the decision of the ICO with regards to our complaint, but hope to see developments on this matter in 2026. 

We also continue to pressure the Home Officer to review its policies and practices with regards to electronic monitoring. In August 2025, PI submitted evidence regarding the use of electronic monitoring in the form of GPS tagging in the contexts of immigration bail and asylum. We are glad to report that citing a lack of evidence supporting the efficacy of GPS tagging in immigration contexts, the Committee was unconvinced that electronic monitoring should be used as a condition of immigration bail, and requested that the Home Office review the proportionality of this practice.

Legal practitioners, migrants rights groups and other interested human rights and data protection organisations are welcome to contact us for more information on our findings. You can email us at: [email protected]