back to article Windrush immigration papers scandal: What it didn't teach UK.gov about data compliance

Is there a lesson for politicians around the apparent destruction of disembarkation cards of citizens from Caribbean nations who arrived in the UK after the Second World War? Perhaps. But it goes something like this: it's a bad idea for the Home Office to make it difficult for legal immigrants to prove their status. It's an …

  1. katrinab Silver badge

    One thing to remember

    The Data Protection Act is not the only law on the statute book. This may come as a surprise to some people, but it is true, there are other laws.

    So, while the Data Protection Act might be silent on deleting data you need to carry out your activities, you need to consider whether or not there are any other laws that stop you doing this.

    1. macjules Silver badge

      Re: One thing to remember

      From experience a lot of government departments simply quote Section 28 – National security.and Section 29 – Crime and taxation as a reason for exemption from the DPA.

    2. Jane Fae

      Re: One thing to remember

      Agree...and my point about there may be commercial consequences to destroying data. But apart from those, there can often be no DPA consequence.

    3. Anonymous Coward
      Anonymous Coward

      Re: One thing to remember

      Seems perfectly reasonable to dump this paperwork after ~60 years. If these foreigners haven't bothered to get legal residential status by now mostly they probably never will.

  2. SPiT

    Isn't there an obligation for accuracy

    See title. By discarding the Windrush data and then maintaining a record of an individual's immigration status which is then, as a consequence of having discarded that data, inaccurate don't we then have a case where the home office holding inaccurate data as a result of their own negligence. Isn't it reasonable to suggest that by discarding the data they have in some way forgone their right to hold other subsequent data on the data subject. I suspect that this question would be extremely unclear in law and would have to depend on action for maladministration rather than just data protection.

    For example, this would be similar to me destroying all records of a customer's contract and then when they contacted me for contract fulfilment claiming there was no contract. This would typically end up being treated as fraud with the only defence against criminal liability being a claim of incompetence. The Windrush data was destroyed after the beginnings of a period where the home office had started it's policies that made this data important.

    1. oiseau Silver badge
      FAIL

      Re: Isn't there an obligation for accuracy

      Hello:

      ... similar to me destroying all records of a customer's contract and then when they contacted me for contract fulfilment claiming there was no contract.

      Very well put.

      Similar is an understatement.

      What is undoubtedly similar is the intent: fraud, and with a very clear objective.

      Now, who takes responsibility and is actually held accountable for all the damage done?

    2. Jane Fae

      Re: Isn't there an obligation for accuracy

      No. Not holding data (accurate or otherwise) is not the same as holding inaccurate data.

      There are laws other than the DPA that mean businesses should retain contract details.

  3. TRT Silver badge

    And as for how long...

    Surely the "personally identifiable" bit dies along with the subject? Many an interesting historical facet has turned up as the result of trawling back through official records of prisons, courts, debt collectors etc. I have an expectation of a right under GDPR, but my grandfather who karked it over two decades ago... well, he's not a natural living person, is he?

    1. Smooth Newt
      Boffin

      Re: And as for how long...

      Surely the "personally identifiable" bit dies along with the subject?

      No. This is covered by other laws. e.g. under the Access to Health Records Act (1990) medical records are closed to access whether the person is alive or dead. Executors and dependents are allowed access, but personally identifiable medical data certainly don't become public property the moment that the death certificate is signed.

      1. TRT Silver badge

        Re: And as for how long...

        Totally missing the point which was to do with retention of records, rather than confidentiality and public access, but carry on...

        1. Smooth Newt
          Happy

          Re: And as for how long...

          Totally missing the point which was to do with retention of records, rather than confidentiality and public access, but carry on...

          Well retention is sort of irrelevant if you want to trawl through dead people's medical records looking for interesting historical facets, as you put it. Because you can't except in a particular exceptional circumstance. I expect they keep the records for six years, the time limit for most civil claims the health authority might be faced with. There is no reason, but there is a cost, to keeping them longer.

          1. TRT Silver badge

            Re: And as for how long...

            If one were to do a comparative study in the department of geriatric studies - perform some sort of analysis on a population that had to be comparable with data from a population last seen by a doctor 60 years ago, perhaps... well, one might be cursing the foresight of a bean counter who decided that the statute of limitations was 6 years, so that's as long as the records needed keeping for.

          2. Roland6 Silver badge

            Re: And as for how long...

            >I expect they keep the records for six years

            From memory, in the UK it is 30 years, which is laughable, as it meant my Dr could not refer to the details of various conditions, first diagnosed and treated in childhood.

            The other laugh about the long-term retention of medical records is without several generations of interrelated records, DNA researchers are somewhat hampered in their ability to identify inherited conditions...

            1. Smooth Newt
              Happy

              Re: And as for how long...

              >I expect they keep the records for six years

              From memory, in the UK it is 30 years, which is laughable, as it meant my Dr could not refer to the details of various conditions, first diagnosed and treated in childhood.

              Six years after the patient died, because a civil claim against the health authority will be out of time if not started before then. It is only three years if the claim is that the health authority injured the patient.

              Remember health records are explicitly for the treatment of the patient, not for any other purpose like later research unless the patient consented. So you can't use them for DNA studies even if the patient is now dead.

              1. Roland6 Silver badge

                Re: And as for how long...

                >Six years after the patient died

                Sorry wasn't clear, the NHS only retain the last thirty years of medical records for living people. Hence in my case, a couple of years back when I had cause for the Dr to prescribe antibiotics did I discover that the allergic reactions to various antibiotics markers added when I was a child, had been deleted - given they were made over 30 years ago...

                Whilst I did give the Dr the option, they decided on caution and added new markers and prescribed accordingly.

      2. Roland6 Silver badge

        Re: And as for how long...

        Surely the "personally identifiable" bit dies along with the subject?

        No. This is covered by other laws.

        Also, the release of records is subject to an organisation's own rules. For example, try obtaining the (UK) military service records of a relative and you will encounter the eligibility requirements ( https://www.gov.uk/get-copy-military-service-records/apply-for-someone-elses-records ), which even an Executor cannot circumvent.

        1. TRT Silver badge

          Re: And as for how long...

          Quite so. Which begs the question, if there are rules and policies in place regarding the release or publication of records, then just why is one concerned about how long one retains them for? Why destroy the records under DPA? If DPA is one's only concern, then keeping them for longer than the lifespan of the individual doesn't become a problem. As time goes on the "imperative" to destroy the records is removed.

  4. Anonymous Coward
    Anonymous Coward

    Loss of availability is a breach of the act as is inaccuracy or at least a requirement to allow data to be corrected by the data subject.

    Also to the principle of gathering consent within GDPR is an equal principle of removing consent. It must be just as easy to remove conceit as to gather it. So the days of pre-ticked consent boxes, which can only be withdrawn by a letter to Panama arriving on the third Tuesday in Lent signed by Father Christmas, the Easter Bunny and Lord Lucan; should be gone.

    I don't doubt for a minute that for many non-EU companies nothing will happen.

    1. TRT Silver badge

      Removing conceit from the incumbent government is going to be an impossible task.

  5. Anonymous Coward
    Anonymous Coward

    In my experience of civil service office moves

    These are now largely aimed fashionably as hot desking offices with no cupboards, phones or anything else.

    As they move from "old fashioned" offices any documents, contracts, plans, boarding cards, manuals, or any other kind of paper record is destroyed 1) as there is nowhere to put them, 2) no planning or audit of what they are or if they are important and 3) digitising them comes at a cost to deliver and maintain that no department has a budget for...

    So I am not surprised. I will not be surprised when this happens again and again either. It does not matter in government/civil service if records need to be kept, there are few ways of doing so, and fewer than will realistically be performed.

    1. Jane Fae

      Re: In my experience of civil service office moves

      Ah yes. No budget for digitising. This is the bane of family tree researchers...a project to digitise indexes to the GRO got shelved about five years back.

  6. Anonymous Coward
    Anonymous Coward

    Not just immigrants

    You stated:

    "it's a bad idea for the Home Office to make it difficult for legal immigrants to prove their status."

    What about people born and bred in the UK? I recently applied for a job. To prove I was eligible to live and work in the UK I needed several forms of ID - the main one being passport and driving licence.

    But the three other forms of ID I needed to provide needed to be original bills - printed on paper and delivered by post to my home address. Aside from the council tax bill (which I didn't have as I was in the middle of a move) all my other bills are online and paperless. Print-outs were not acceptable as that's only proof that I have access to the online account.

    And I was in the middle of a house move, so I had to provide address evidence for both old AND new addresses.

    Back in the day of the Windrush immigrants I'm sure most things could be got on trust (loans, houses, bank accounts, and so on). But in the 21st century with fraud being rife, you need all kinds of ID and proof of who you are and where you live.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not just immigrants

      >To prove I was eligible to live and work in the UK I needed several forms of ID - the main one being passport and driving licence.

      As this is for a job, you may find it helpful to get yourself through BPSS, if the prospective employer really understands security this should be sufficient, if not then you've just learnt something about your new employer...

    2. Anonymous Coward
      Anonymous Coward

      Re: Not just immigrants

      That's because UK administration is still stuck into the Doomsday Book era. In other countries were the X century ended many years ago, you need a single ID document.

      Also they got rid of monarchy too, they can no longer 'enjoy' babies and weddings of useless people, but their life is much easier, even when you can't track your ancestors back to the Norman Conquest.

      I'm quite sure after the restoration the Big Ben arms will move backwards, hoping to bring back the empire, and get rid of all those immigrants...

      1. Doctor Syntax Silver badge

        Re: Not just immigrants

        "That's because UK administration is still stuck into the Doomsday Book era. In other countries were the X century ended many years ago, you need a single ID document."

        I assume that you're not from these parts or are very young because a few years back when a previous Home Sec wanted to introduce ID cards it very quickly became clear that this was politically unpopular. Even the disk drives used for the pilot scheme had to be destroyed.

        We don't like such things. It smacks too much of population control.

        By the way, it's the Domesday Book. Same root as "domestic".

        1. Aitor 1 Silver badge

          Re: Not just immigrants

          I love the uk, but it seems to be one the best countries at using the manual called "1984".

          Our emails are stored and scanned, so are our searches and DNS requests, SMS, etc.

          Plenty of cameras.

          If we accept this, at the very least we should get id cards and have less hassle.

          1. Doctor Syntax Silver badge

            Re: Not just immigrants

            "If we accept this, at the very least we should get id cards and have less hassle."

            "If". Big word for only two letters.

          2. Roland6 Silver badge

            Re: Not just immigrants

            >I love the uk, but it seems to be one the best countries at using the manual called "1984".

            You've got the sequence wrong, "1984" wasn't a manual, it was (just like much software documentation) written after the event and so documented what the system did as opposed to what it was supposed to do. It is only in comparatively recent times that it has been elevated to a manual.

        2. MonkeyCee Silver badge

          Re: Not just immigrants

          "a previous Home Sec wanted to introduce ID cards it very quickly became clear that this was politically unpopular"

          The UK has a massive aversion to an ID card scheme.

          But the PTB have pushed through a "papers please" situation anyway, without producing an ID card scheme.

          Some of this was already in place, with legal access to cars, booze, fags and guns requiring an ID. Then bank accounts and benefits. Now jobs and accommodation.

          Papers please without issuing the papers...

    3. Jane Fae

      Re: Not just immigrants

      This is a growing issue and one i collided with recently when trying to hire a car. They wanted printed bills from the last three months. Once upon a time i got regularly quarterly bills for most utilities. Now, if i'm lucky, i get one annual bill for water. No printed bill for gas and electric. And an annual bill for Council tax. Also printed.

      What seems to be happening is we are in the middle of a transition from a trust economy, where paper was not required, because everyone knew the local bank manager...and a digital economy in which paper will again be not required because everything is digital...by way of a bureaucratic phase when everything had to be evidenced by paper.

      Feels like something i could be writing about. Thoughts?

  7. John Smith 19 Gold badge
    Gimp

    Funny how the Home Office does it, is it not?

    Disembarkation cards. "No sorry, had to shred them. Illegal to hold them, too much space blah blah"

    DNA data "No you can't have it destroyed, even if the EU CoJ says it's illegal for the police force to hold them. Even if you are not actually guilty of a crime."

    As for Rudd going.

    No this will not leave the Department "Rudd er" less.

    They'll have another sock puppet house broken to their PoV within a week.

    1. BebopWeBop Silver badge

      Re: Funny how the Home Office does it, is it not?

      He's in place. Different gender, different colour same attitude.

  8. SVV Silver badge

    Feeble excuse

    They say that they had to throw away the records because of their age, due to the data protection act. But they haven't thrown away the records of everybody's birth certificates, passport applications, etc, which in many cases will be much older, and are of a similar importance as the immigration records for identity proof. Nor have they asked for consent to keep them under GDPR, for that matter. So it was all a convenient way of meeting their "targets" for removing people and they're in the middle of a shitstorm of their own making, now that people see that "being tough on immigration" equates to "sending home" people who have lived and worked here almost all their lives.

    "Humberside Police received a £130,000 fine for losing the details of a rape victim"

    I see the government is still spending money taking itself to court and fining itself. Presumably the fine of £130,000 for the police force will mean that future rape investigations are in no way hindered due to lack of funds?

    1. Jane Fae

      Re: Feeble excuse

      The story, as relayed to me on the journalistic grapevine, is that the records may have become contaminated with, um, rat pee.

      Cannot confirm or deny.

      But, eeeyuw!

  9. Doctor Syntax Silver badge

    It's a great pity that successive DPAs haven't included an offence of misusing data protection as a convenient excuse because this is just another attempt at it.

    GDPR allows data to be kept as long as it's required for its original use. Assuming that the records' original purpose was to prove legality of residence then they remain a required document for the life of the individual to whom they apply. If they were needed to prove that legality for a dependent then they're required for the life of that person too. There's anecdotal evidence that they were still being referred to which should have clarified the matter.

    One aspect that's not been mentioned is whether these were statutory records. If they were not only might there have been a statutory requirement to keep them but GDPR wouldn't apply, at least not until any statutory requirement had lapsed. Perhaps this aspect should be looked into further as whoever took the decision to destroy them might have committed an offence.

    1. Tom Paine Silver badge

      Er. The destruction of the landing cards had nothing to do with GDPR as it happened in 2010.

  10. Daedalus Silver badge

    Can't wait....

    ...to see exactly how far Europe is going to indulge in rectal head-insertion when GDPR takes over.

  11. Anonymous Coward
    Anonymous Coward

    I know it is not fashionable today talk about personal responsibility (everyone appears to want the state to do their thinking and hand holding for them) but for those immigrants it was their responsibility to see that their paperwork for becoming a British subject with right of abode and work in the UK was completed and registered.

    I have friends whose parents did all the necessary paperwork not long after their arrival and are wondering what all the fuss is about. Those landing cards should be irrelevant today if those arriving had taken the responsibility to complete the required paperwork.

    1. Outski

      "it was their responsibility to see that their paperwork for becoming a British subject with right of abode and work in the UK"

      It obviously needs repeating that "those immigrants" were already British subjects with the right of abode and to work in the UK.

      1. Anonymous Coward
        Anonymous Coward

        It obviously needs repeating that "those immigrants" were already British subjects with the right of abode and to work in the UK.

        If they are British subjects (not subjects of the British Empire which was disbanded), they should have birth certificates registered in their "home" British dependent territory. That should be sufficient evidence of citizenship.

        1. Jane Fae

          Yes. But millions of people don't. And it is not their fault they don't

    2. Anonymous Coward
      Anonymous Coward

      >I know it is not fashionable today talk about personal responsibility (everyone appears to want the state to do their thinking and hand holding for them) but for those immigrants it was their responsibility to see that their paperwork for becoming a British subject with right of abode and work in the UK was completed and registered.

      >I have friends whose parents did all the necessary paperwork not long after their arrival and are wondering what all the fuss is about. Those landing cards should be irrelevant today if those arriving had taken the responsibility to complete the required paperwork.

      When these people arrived, they did not need to do anything at all. As British subjects (in the 40s/50s) they had free-movement in the last days of the old Empire and were perfectly legal to settle in the UK. Like many did from the West Indies, Africa, Asian and other former colonies to help rebuild after the loss of a significant number of younger males during the war.

      In the time since they arrived, successive governments have limited the rights of people from these countries to settle in the UK, and the current lot applied some rules that retrospectively made it significantly harder for legal people to be legal *after* destroying documentary paperwork that would prove their legality very quickly.

      1. Anonymous Coward
        Anonymous Coward

        Sorry AC they were subjects of the the British Commonwealth not the United Kingdom.

        If they had been citizens of the UK then their birth certificates would say so and there would not be any problems now.

        While it is true those from the Commonwealth had right of access to the UK it did NOT automatically make them UK citizens, they had to go through a registration process to become a legal UK citizen - my Australian wife had to when we moved to back to the UK so I do know what I'm talking about.

        1. Jane Fae

          No you don't (know what you are talking about).

          You are probably spot on for your wife's case. But there are dozens of different situations where the road to legitimisation and/or confirming rights is very different.

          By the time we hit the 1983 Nationality Act there were three main categories of British Subject/Citizen...but probably at least a dozen sub-categories created by specific national circumstances.

          At the same time, there were rules governing right of abode that were separate from citizenship criteria (qv. the creation of the category known as "British Citizen without right of abode")...and these might well operate differently according to country of origin.

          For instance, Falkland Islanders got their very own special amendment in the Nationality Act.

    3. Rich 11 Silver badge

      You seem to have overlooked the fact that the people we're talking about were born British citizens (well, subjects) with the right to travel, work and live anywhere in the British Empire. When that changed in 1973, what guarantee was there that everyone affected would hear about the change in UK law and get their paperwork sorted out? And even if they did hear, kids who arrived in the late 40s and early 50s would be adults with, generally, 5-20 years of work under their belts, with all the records that entails. Who would expect that 40 years later their right to live in the UK would be questioned?

      1. Aitor 1 Silver badge

        Me

        I would expect that.. precisely becuase I saw what was being done, when the uk government said "hey, yes, you have permanent residency, dont rush in asking for paperwork, not needed" I thought, great, I need to get the paperwork and as for a british passport, if I don't want to be thrown out in my 70s..

      2. strum

        >Who would expect that 40 years later their right to live in the UK would be questioned?

        Indeed. Someone who'd spent the last 40 years in Broadmoor would have a better chance of proving his citizenship than a bloke who'd spent the same period doing a string of respectable, if unremarkable jobs.

    4. shrdlu

      "it was their responsibility to see that their paperwork for becoming a British subject with right of abode and work in the UK was completed and registered."

      But they did complete and register all of the necessary paperwork. Then the Home Office shredded it.

    5. Jane Fae

      Right of abode is a fact of who you are and not dependent on paperwork. And i am at a loss to understand what you mean by "it was their responsibility to assemble the requisite paperwork".

      The paperwork requirement, for evidence of residence in the country in every single year post 1971, was a requirement imposed retroactively. I'd love to see you not whining at all if the government now turned around and said - as it could under the law - that unless you can show paperwork proving continuous residence in the UK since 1971 or whenever you started to work, you will get a reduced pension.

      It's also an issue that has unfolded against a background of constantly changing legislation in respect of nationality and right of abode, which have been separated legally, and the fact that every single piece of legislation passed to clear it up seems to create new exceptional categories.

      Bottom line, the people concerned came here legally and continued to reside here legally for many years during which there was no requirement to provide the paperwork you now reckon they should have collected. From approx 2010 onward, the government started demanding new paperwork and new levels of proof.

      It's a bit like name change. There is NO requirement in UK law for things like a deed poll or stat dec. But over the past decade or so, the UK has drifted to a position where people believe this to be the case because of the practice of financial and other large organisations.

      Where practice changes, a humane person might say it is not the responsibility of those adversely affected to have predicted the change.

  12. Anonymous Coward
    Anonymous Coward

    You were doing so well...

    Right up until you confused 'The Police' with 'Taxpayers':

    In this case there were multiple security failings relating to a very vulnerable data subject and the ICO rightly made the police force pay.

    1. Kingstonian

      Re: You were doing so well...

      And the Police get their money from the Taxpayers - Central and Local - so any fine the police pay comes from the taxpayer anyway. Unless of course the money was taken from the responsible persons salary or pension pot.

  13. Anonymous Coward
    Meh

    Merry-go-round

    is just the paddle in the shit stirrer. It's not surprising that we never see a end to it.

  14. shrdlu

    Data Debt?

    It seems to me that the aim of data protection legislation would be furthered if destruction of personal data also required consent of the data subject. If this were so then any data controller that acquired personal data by any means would incur a liability that they would have to carry on their books as a debt. It would make companies think twice before collecting the data.

    To make it practical there would need to be a simple method of discharging the debt by sending the data subjects a copy of all of their data before deleting it. It would make sense to require that to be delivered both on paper and in machine-readable form where that is practical.

  15. Anonymous Coward
    Anonymous Coward

    DCO

    your data compliance officer should be able to...

    Sorry -- our who? We're not up to the 10k users mark yet and only made a paltry few hundred million profit last year. We can't be expected to go employing people for silly made-up job tittles like that! This is the CIty, dammit! We got away with flouting the DPA for years, why should this be any different/

    I suspect the cost/benefit calculation described in the first few pars of this piece are exactly what most organisations are doing, to some extent or other - even the ones sending people on seminars and re-papering all their marketing consents don't expect to be getting many, or any, request for individual database rows to be deleted from old backup tapes, and if they do, they expect to be able to ignore them, or just flat out lie that it's been done.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019