The Government is expanding data-sharing, within the Home Office, between Government departments, with private entities, like banks, and internationally. These developments are worrying, as they expand access to people’s personal and private data, bringing surveillance in our daily lives, including when accessing vital services like healthcare.
Discrimination against migrants and migratised people is enshrined in data-sharing practices. Government guidance has emphasised that this is a form of legal discrimination on the basis of nationality and national or ethnic origin and implicit racial discrimination. This is in accordance with exceptions in Schedules 3 and 23 of the Equality Act 2010, which remove discrimination protections in relation to immigration law enforcement.
We are particularly concerned about how data-sharing disproportionately impacts migrants and migratised people, especially those with precarious immigration status. We are currently looking into these data-sharing agreements and how they are being implemented in order to challenge them.
The financial sector
The Home Office shares data with financial institutions, like banks and building societies, to prevent people with irregular status from having a bank account. The agreement with the financial sector is being restarted after it was paused in 2019 following the Windrush Scandal and the Government claims to have updated safeguards.
The practice of ‘de-risking’ has also resulted in bank account closures as a result of policies around terrorism and “high-risk” countries that disproportionately affect minoritised groups. The expansion of these categories has resulted in civil servants, political figures, and activists being caught up in these practices. Third-party databases are often used in these decisions, where data collected on customers is passed onto banks. Reputational and compliance risk are overzealously applied on grounds of potential implications in terrorism and “politically-exposed persons”. These are vague and therefore subject to biases that link migratised and minoritised populations to terms like “terrorism”, for example if they were born in and send money to relatives in a country deemed to finance terrorism. This has resulted in a massive increase in account closures in recent years, which has impacted marginalised communities in particular.
Data protection rules must be properly enforced under financial due diligence and compliance to prevent this. We are also concerned about the way that AI and machine learning are being integrated into this practice, further entrenching biases in decision-making and increasing wrongful closures. We are currently conducting research into how these practices are now taking place, including how they identify individuals.
Home Office NHS Reference Number
A tracking scheme where the NHS shared patients’ details with the Home Office was suspended in 2018 after a legal challenge from health and civil society groups, including MRN. Now, the Government has introduced new plans to assign Home Office reference numbers to migrants’ NHS files. Adding this reference number would not aid the NHS in identifying patients’ fee status, as they are already notified of who has paid the Immigration Health Surcharge, but would enable the Home Office to track migrants’ healthcare records.
This comes after a previous scheme that used NHS data to track down patients allegedly breaching immigration rules was abandoned following a legal challenge pertaining to patient confidentiality, discrimination and deterring migrants from seeking care. The new plans will have the same effect: they immediately single out migratised patients, potentially deterring people from seeking treatment, as well as extending state surveillance over migratised populations’ entire lives.
We have written to the Chief Executive of NHS England over this, and will continue to challenge the extension of the border into vital services like healthcare.
The Policing Minister recently said that he plans for passport data to be integrated into the Police National Database (PND) for facial recognition purposes in criminal investigations. For foreign nationals not on the passport database, this would be through the immigration and biometrics database. The use of these databases exacerbates the biases that already exist with facial recognition software, enabling further surveillance of racialised and migratised communities.
It is important to note that Prevent data also goes on the PND, highlighting how arbitrary the criteria is to be placed on this database. This also shows the discriminatory foundations of the practice, as Prevent has been widely criticised as Islamophobic. Moves to integrate passport and visa biometrics databases into the PND are highly concerning. They expand surveillance over all of us through opaque means of mass data-sharing, harming migrants with precarious status in particular.
There have been several developments in deals involving the sharing of data between the UK and EU. Most recently, the UK extension to the EU-US Transatlantic Data Privacy Framework came into effect in October 2023. Through this scheme, US companies can share personal data with the EU, and now the UK. The framework replaces a prior iteration, the Privacy Shield, that the European Court of Justice found contained inadequate safeguards against unlawful surveillance by US state agencies. While this replacement framework aims to fix this, the US has still failed to substantially change its surveillance laws.
The UK extension to this comes amidst the Data Protection and Digital Information Bill, which would allow for personal data from the UK to be shared with third countries, even when data protection for unlawful access from foreign authorities is inadequate.
There are also two plans for data-sharing involving the EU for the purpose of tracking migrants’ movements through the continent using personal data: the EU Plan for International Data Sharing System and the soon to be announced EU-UK deal for Frontex to share data with UK Border Force.
The former involves security-related data being shared between frontline EU forces, like Frontex, and key partner countries, strengthening internal security through new IT developments and expanding this in the future to non-member states. This includes a proposal to compare data stored under the Prüm Convention, containing national biometric, vehicle registration and police record databases, to “third country-sourced data”.
The latter deal came out of the European Political Community summit in October. Frontex uses personal data from people travelling through Europe, such as from phones, to “map” migrants’ movements in real time. This deal would see this mapping data shared with the UK Border Force.
Expanding data-sharing is worrying. The uses of and access to that data are often opaque, especially when private corporations are involved, and discriminatory, disproportionately affecting migratised and racialised communities and contributing to the excessive surveillance that they are subjected to. This is why we are committed to investigating how these data-sharing agreements are being implemented and raising awareness of this issue more broadly in how it affects our community.
You can find out more about how we’re challenging the Digital Hostile Environment here.
Find out more
The Digital Hostile Environment