Personal information charter

This personal information charter explains how we look after your information.

---

The Independent Chief Inspector of Borders and Immigration (ICIBI) is an independent body that monitors and reports on the efficiency, effectiveness and consistency of border, immigration and customs functions exercised by the Secretary of State for the Home Department (the Home Secretary) or officials on their behalf. The ICIBI holds and processes personal information supplied or collected for the purposes of delivering these functions.

The ICIBI is a data controller and/or processor for data collected in the course of its statutory function as defined in the UK Borders Act 2007. This includes information collected and processed by third parties, such as the Home Office, which is provided to the ICIBI during inspection activity.

This privacy information notice contains the standards you can expect when we ask for, hold, or in any way process your personal information. It also covers:

• what we ask of you to help us keep information up to date
• how you can request a copy of the personal information we hold about you
• how you can report a concern

This notice reflects your rights under the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and lets you know how we will safeguard and use your personal information. It also covers what information we may share with other organisations.

The ICIBI has appointed a data protection officer (DPO) to help ensure that we fulfil our legal obligations when processing personal information. Click here to contact the ICIBI DPO.

The ICIBI is based at Clive House, 70 Petty France, London SW1H 9EX.

What data we collect

The personal data we collect includes:

• information provided by you or your representative in relation to inspection activity
• customer information accessed on Home Office systems (for which the Home Office and ICIBI are joint data controllers) in relation to immigration, border, and customs activity
• customer personal data provided to the ICIBI by the Home Office in response to inspection evidence requests
• questions, queries, or feedback you leave, including your email address if you contact the ICIBI
• your email address and subscription preferences when you sign up to our email alerts
• information on how you use our website, using cookies and page tagging techniques

The ICIBI does not currently use automation technology, such as machine learning or artificial intelligence, to process personal data.

The ICIBI may use case studies in inspection reports, but the personal data of an identifiable living individual will not be included in the final report.

When you visit our website, we also use Google Analytics software to collect information about how you use ICIBI’s website. We do this to help make sure the site is meeting the needs of its users and to help us make improvements.

Google Analytics stores information about:

• the pages you visit on the ICIBI website
• how long you spend on each ICIBI page
• how you arrived at the site
• what you click on while you are visiting the site
• your Internet Protocol (IP) address, and details of which version of web browser you used

The information we collect on Google Analytics cannot be used to identify who you are.

Personal data collected during the inspection process

The ICIBI will seek to process the minimum amount of data required to exercise its statutory functions and will seek to the best of its ability to retain this data for the least amount of time possible.

The ICIBI inspectors have access to Home Office systems containing information regarding customer applications or enforcement activity in relation to borders, immigration and customs matters. The Home Office remains the data controller for information held on these systems. The ICIBI may capture information from these systems and store it on the Home Office IT platform, to use as evidence to inform inspection activity. When information is captured and stored in this way, the ICIBI and Home Office will be joint data controllers.

In response to inspection evidence requests, the Home Office may provide inspectors with access to personal data held on internal Home Office spreadsheets or other retrieval systems. In most cases, the Home Office will redact or pseudonymise this data to limit the amount of personal data shared with the ICIBI to only that as is required to exercise our statutory functions. Where this is not possible, the amount of information processed is minimised and retained for the minimum time necessary. In most cases, the ICIBI deletes any personal data once an inspection report is published, but please see the section below on retention of data.

Why we collect it

The ICIBI collects and processes your data to carry out statutory and other functions including the following:

• where data subjects have provided their explicit consent to receive communications
• where data subjects, or a third party on their behalf, contact us directly in relation to an inspection, such as in response to a call for evidence
• for ICIBI employees, to manage employee lifecycle matters
• where the personal data of data subjects, for which the Home Office is the data controller, is provided by the Home Office to the ICIBI in response to ICIBI evidence or file sampling requests (please note that the Home Office and ICIBI hold joint responsibility as data controllers for this information)
• where data subjects contact the ICIBI directly

We also collect data to:

• improve the website by monitoring how you use it
• gather feedback to improve our services
• respond to any feedback you send us
• send email alerts to users who request them
• provide you with information about the work of ICIBI if you want it
• contribute to inspections (personal data will not be included in final reports)

If we use your data for any other purpose, we will always ensure that you understand exactly how and why your data is used, and for how long.

What we do with your data

The ICIBI is an independent body and operates on the Home Office IT platform. Access to ICIBI assets is restricted to current ICIBI staff.

We store and analyse personal data on that platform to make sure that your data is as safe as possible at every stage. Personal data stored by the ICIBI is held on UK servers and can also be securely deleted from our systems when it is no longer required.

Other than internally within the ICIBI, we might share your data with:

• the Home Office in the event of a data security breach
• the Home Office or law enforcement where we have serious concerns for the welfare or wellbeing of an individual
• partner inspectorates, where we undertake joint inspections with other statutory bodies in accordance with our memoranda of understanding

We will not:

• sell or rent your data to third parties
• share your data with third parties for marketing purposes
• share your data internationally

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

How long we keep your data

We will only retain your personal data for as long as it is necessary for the purpose for which it is being processed. In the ICIBI we operate a policy of retaining personal data processed for inspection purposes until the report has been published by the Home Secretary. Information submitted via a call for evidence or in relation to a specific inspection will be retained for a longer period, but any personal data therein will be deleted at the time of publication.

We continue to keep retention periods under review to ensure we are able to meet our statutory requirements under the UK Borders Act 2007.

It should be noted that because of the Independent Inquiry into Child Sexual Abuse (IICSA), which commenced in February 2015, there was a moratorium imposed on the disposal of all records throughout the Home Office, including all operational records and case files. The ICIBI, as an independent arm’s length entity of the Home Office, elected to observe the Home Office policy on this moratorium. The moratorium was lifted by IICSA in January 2023, and the ICIBI is considering targeted measures to ensure that any information required to inform future statutory inquiries is retained.

How we protect your personal information

We have a duty to safeguard and ensure the security of your personal information. All information held by the ICIBI is stored on the Home Office IT platform, with access limited to current ICIBI employees. We have systems and policies in place to limit access to your information and prevent unauthorised disclosure. Staff who access personal information must have appropriate government security clearance and a business need for accessing the information, and their activity is subject to audit and review.

Your rights

Where you have provided your consent for the ICIBI to process your personal information, you have the right to withdraw that consent. Should you wish to withdraw your consent, please email us at chiefinspector@icibi.gov.uk.

You also have the right to:

• request details of the information the ICIBI holds about you
• request a copy of your personal information in an accessible format
• ask for your data to be corrected if you believe the information we hold is incorrect
• object to or request that we restrict the processing of your personal information

If you have any of these requests, please email us at chiefinspector@icibi.gov.uk.

Subject access request

You have the right to submit a subject access request to request the personal information ICIBI holds about you.

To submit a subject access request, you should send the following to chiefinspector@icibi.gov.uk or via post to the Data Protection Practitioner, ICIBI, Clive House, 70 Petty France, London, SW1H 9EX:

1. A statement of authority, detailing the personal data you would like to access
2. A scan or copy of a document that can be used by the ICIBI to confirm your identity. This could be a scan or copy of an identity document, such as a passport or driving licence. Please do not submit original documents
3. If you are applying on behalf of a child under 12, you must also provide a scan or copy of a document providing evidence of your relationship so that the ICIBI has evidence you have parental responsibility for submitting the request

We will provide a response to your request electronically unless you request the information in an alternative format.

The ICIBI will process your request within one month of receiving all the information required. If we require additional information to process your request, we will contact you.

In exceptional cases, complex requests may take longer to process, and we may be unable to respond within one month. If this is the case, we will write to you to explain why.

ICIBI employees should follow the internal subject access request process, which is available on the ICIBI SharePoint.

The legal basis for processing data

The ICIBI processes data in accordance with article 6(1) of the UK General Data Protection Regulations (UK GDPR). The lawful basis under which the ICIBI processes personal data in accordance with article 6(1) of the UK GDPR is as follows:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes

For example, you give explicit consent for the ICIBI to contact you with updates about our work.

Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract

For example, the ICIBI processes the personal contact details of freelance trainers delivering training courses for ICIBI staff.

Processing is necessary for compliance with a legal obligation to which the controller is subject

For example, you submit a statutory subject access request or freedom of information request, and the processing of your data is necessary to comply with that request.

Processing is necessary to protect the vital interests of the data subject or of another natural person

For example, ICIBI inspectors raise concerns with the Home Office because they have welfare or wellbeing concerns about an individual in immigration detention following an interview or focus group as part of an inspection.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

ICIBI inspectors carry out their inspection duties in the public interest in accordance with the provisions and powers set out in the UK Borders Act 2007.

Section 8 of the Data Protection Act 2018 (DPA 2018) states that the public task basis will cover processing necessary for:

• the administration of justice
• parliamentary functions
• statutory functions
• governmental functions
• activities that support or promote democratic engagement

The Chief Inspector is independent of the Home Office and appointed to undertake an explicitly defined scope in accordance with the UK Borders Act 2007. Inspections are conducted in accordance with agreed protocols with the Home Office and a set of published expectations.

In using the public task basis for data processing, the ICIBI must specify the relevant task, function or power, and its basis in common law or statute and the ICIBI is required to demonstrate there is no other reasonable and less intrusive means to achieve our purpose. Public Task processed personal data will be recorded in the ICIBI Information Asset Register.

Special category data

The ICIBI may process and store special category data in the course of inspection activity. This data may be provided:

• with consent by data subjects or their representatives or in response to a call for evidence request
• via interrogation of Home Office IT systems recording application or enforcement activity related to borders, immigration, or customs functions
• in response to evidence requests made to the Home Office during an inspection

For example, the Home Office may provide nationality, criminal record or medical information in relation to individual applicants to facilitate a random file sample during an inspection.

In processing special category data, the ICIBI is reliant on both the provisions in article 6 of the UK GDPR and:

• article 9(2)a of the UK GDPR – that the data subject has provided explicit consent to the processing of the data for a specified purpose to the ICIBI

• article 9(2)e of the UK GDPR – that the processing relates to personal data made manifestly public by the data subject. This relates principally to internal ICIBI initiatives such as equality, diversity and wellbeing events, where ICIBI employees elect to make their personal information public within the inspectorate
• article 9(2)g of the UK GDPR – that processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. For example, the Home Office and its employees may provide data held on Home Office systems to facilitate ICIBI evidence requests or file sampling, or Home Office staff, representative bodies or non-governmental organisations may identify individual immigration or customs cases of concern during the inspection process

In handling special category data, ICIBI staff will apply additional safeguards, including, but not limited to:

• minimising access to the data
• holding only that special category data required to exercise our functions
• where possible, finding alternatives to processing special category data to undertake our inspections functions
• deleting special category data when an inspection report is published

Calls for evidence and information provided to inform inspection activity

From time to time, the ICIBI may publish calls for evidence, or consult with stakeholders and other third parties to gather evidence or other information to inform inspection activity.

Any personal data provided to the ICIBI to inform our inspection activity will be processed in accordance with Article 6(1)e of the UK GDPR (processing is necessary for the performance of a task conducted in the public interest or in the exercise of official authority vested in the controller).

Links to other websites

The ICIBI website contains links to other websites. This privacy policy only applies to ICIBI, it does not cover other websites.

Review period

This privacy information notice will be subject to internal review every 12 months or upon appointment of a new Independent Chief Inspector.

Changes to this policy

We may make changes to this personal information charter. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this charter will apply to you and your data immediately. If these changes affect how your personal data is processed, the ICIBI will take reasonable steps to let you know. You will receive an automated notification to your email address if you have signed up for updates via the ICIBI website.

Contact us or make a complaint

Contact the ICIBI if you:

• have any questions about anything on this page
• think that your personal data has been misused or mishandled
• wish to submit a subject access request to confirm what data we hold about you

The ICIBI has a Data Protection Officer who can be contacted by:

• Email: dpo@icibi.gov.uk
• Telephone: 03000 710784
• Write to: Data Protection Officer, ICIBI, Clive House, 70 Petty France, London, SW1H 9EX

You can also make a complaint to the Information Commissioner’s Office (ICO), who is an independent regulator.

• Email: casework@ico.org.uk
• Telephone: 0303 123 1113
• If you need to contact the ICO via the phone and you are deaf or have a hearing or speech impairment, you can use the free BT service Relay UK. Install the free app, which you can access on your device’s app store, on your smartphone, tablet, or computer. Then, call the ICO advice line on 0303 123 1113
• Textphone: dial 18001 followed by 0330 123 1113
• Write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF