Home Office systems will store information on all arrivals in the UK for at least six weeks
Credit: Steve Parsons/PA
The government’s contact-tracing programme to track passengers arriving in the UK will gather data on an estimated 150 million people per year.
Individual records will be kept for at least six weeks and will be stored on the Home Office’s IT infrastructure, according to a newly published data protection impact assessment.
Everyone arriving in the UK, including citizens returning from overseas trips, must complete a passenger locator form (PLF). This process includes the provision of personal information including name, date of birth, contact addresses, nationality and passport number, as well as details about their outbound and inbound journeys and evidence of a recent negative coronavirus test.
Those visiting the country for only a short time must provide the address at which they will stay in the UK. Passengers that are required to take one or more Covid-19 tests following their arrival must provide booking references, while those subject to a period of quarantine need to submit information on the hotel at which this will take place.
Access to all this information will initially be provided to Border Force officers who will use it to “carry out on-the-spot checks of arriving passengers at the UK border in order to check that a PLF had been completed and that satisfactory evidence had been produced of a negative Covid test taken in the three days prior to departure”.
- Home Office talks up digital visa plan
- Only one in 15 staff needed to run new border system has begun using platform
- Government considers role of technology in enforcing quarantine
Having completed these checks, officials when then create and fill out an additional internal form – called the MG11 – which will bring together data from the passenger locator form and in-person interviews at the border alongside “data confirming whether Border Force has issued the passenger with a fixed penalty notice relating to their failure to complete (or provide evidence of) a PLF or to complete (or provide evidence of) a negative Covid test”.
“Border Force officers will also be using a central operations platform to record anonymised data,” the DPIA added. “Once completed, the MG11 form will be securely emailed by the Criminal Justice Unit (CJU) within the Home Office, to security-cleared staff in the Civil Aviation Authority, Maritime and Coastguard Agency, and Office of Rail and Road via secure email addresses. The sharing of data is anticipated to be on a daily basis.”
All data shared between agencies as part of the passenger locator scheme will be sent via “secure email”, the assessment indicated.
Personal data will routinely be stored on Home Office systems for 42 days before deletion.
“The 42-day retention period for PLF data was agreed to allow sufficient time for both the Home Office and other data-sharing partners to access the data in relation to any further action such as enforcement of non-compliance,” the DPIA said.
“PLF data may be held further for legitimate reasons based on the original purpose for processing and on a case-by-case basis where processing is not incompatible for the purpose for which personal data was originally collected. For example, if Home Office received a legal challenge from an individual in respect of the processing, an individual is prosecuted, or appeals enforcement action or personal data was further processed by the Home Office to make a health-related immigration decision… This retention will at no time be indefinite and will remain subject to ongoing review.”
Information provided by passengers will primarily be submitted via an electronic form on GOV.UK although “in the limited instances where a paper form is used, a designated Border Force Officer will be responsible for ensuring that the form is only kept until the data can be inputted into the online form… [and] will also be responsible for destroying all forms once the data has been inputted… through shredding or secure waste facilities”.
As part of the DPIA process – which is required under data-protection law – the Home Office provided an estimate of how many records it will need to gather as part of the PLF programme.
“This is a new activity with no precedent. Business-as-usual statistics of travel suggest this may be 150 million per year,” the department said. “However, the policy will be regularly reviewed, and data sharing will be ceased should it be deemed no longer necessary. Provisions have been put in place for the system to deal with these volumes of form completions.”
In the section of the DPIA in which the Home Office was required to either specify a publication date or a reason for withholding publication, the department indicated that – at the time of the assessment – it was not minded to publish the document, although would give further consideration to the matter.
“It is not Home Office policy to routinely publish DPIAs,” it said. “This is a niche Border Force provision and assessment in conjunction with transport regulators, which is fully disclosed to data subjects. Publication would therefore not massively enhance the transparency of this process. Consideration will be given however, to disclosure under FOI or on advice received by the Home Office Data Protection Officer or the Information Commissioner’s Office.”