Transparency data

UKVI Service and Support Centres DPIA

Updated 19 April 2021

Pre-screen checklist

DPIA Stage 1

1) Does the proposal/project/activity involve processing personal data? Data protection applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier.

Yes

2) Does the processing activity include the evaluation or scoring of any of the following?

  • profiling and predicting (especially from “aspects concerning the data subject’s performance at work”)
  • economic situation
  • health
  • personal preferences or interests
  • reliability or behaviour
  • location or movements

Yes

3) Automated decision-making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”.

No

4) Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” i.e. CCTV.

Yes

5) Mostly sensitive data or data of a highly personal nature: this includes special categories of personal data as well as personal data relating to criminal convictions or offences. NB: this also includes personal data with the security marking of SECRET or TOP SECRET.

Yes

6) Data processed on a large scale (in excess of 1000 records in either a single transaction or over a 12-month period)

Yes

7) Matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject. (This would not apply to matching or combining datasets from different IT systems but processed for the same purpose and legal basis e.g. CID and CRS).

No

8) Mostly data concerning vulnerable data subjects including children. This only applies where the entirety (or high percentage) of the data being processed relates to this category.

Yes

9) The innovative use or application of new technological or organisational solutions, like combining use of fingerprint and face recognition for improved physical access control, etc.

Yes

10) When the processing in itself “prevents data subjects from exercising a right (under Data Protection Legislation and the UK GDPR) or using a service (provided by) or a contract (with) the Department”.

No

11) If you have answered yes to one or more of the above questions, then a DPIA must be completed. If you have answered no to all of the questions, but you feel the planned policy/ process/ activity is significant, or carries reputational or political risk, then please complete the DPIA. If you are unsure or have any doubts about whether a DPIA should be completed, please consult with the office of the Data Protection Officer (DPO).

Yes

DPIA Stage 2

Section 1

1.1) Proposal/ Project/Activity title:

Front End Services: Service and support centres

1.2) Information Asset title(s):

Visa and Immigration application data

1.3) Information Asset Owner/s (IAO):

Ian Martin and Neil Forshaw

1.4) Officer completing DPIA

Andrew Jones

1.5) Date completed:

12 June 2019

1.6) Data Mapping reference:

N/K

1.7) Version:

0.1

1.8) Linked DPIAs:

N/K

1.9) Publication date:

1 August 2019

Section 2 (personal data)

2.1) What personal data is being processed?

UKVI customers will apply via Access UK and will make an appointment either via the appointment booking system provided by JRNI, or over the telephone to Home Office staff. At the appointment, Home Office staff at the Service and Support Centres will collect biometrics, complete an ID check and capture a photograph of the customer. The following is also processed:

  • biometric data being processed – fingerprints, photographs, signature and passport tri-scan, CCTV footage of biometric capture
  • documents being scanned – marriage, birth, civil partnership certificates, passports, travel documents, identity card, police registration certificate, bank statements, savings books, payslips, driving licence, income tax information, utility bills, council tax bills, tenancy agreement, mortgage statements

Once this information is processed this will be accessed by caseworkers to allow casework consideration.

2.2) Does it include any of the following special category or criminal conviction data?

  • race or ethnic origin (including nationality)
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data or biometric data for the purpose of uniquely identifying individuals
  • health
  • sexual orientation or details of the sex life of an individual

Yes

2.3) Will any personal information be processed or collected relating to an individual age 13 years of age or younger?

Yes

2.4) What additional safeguards are necessary for this processing activity? If none, explain why.

Personal information for children is being provided by parents / guardians as part of the application process.

The child will be escorted by parent / guardian to the biometric enrolment appointment.

Sufficient evidence will need to be provided to ensure those who claim to be parents/guardians are parents/guardians.

Training in safeguarding has been provided to Home Office staff at the Service and Support Centres.

2.5) Will data subjects be informed of the processing? If yes move to 2.7

Yes

2.7) How will they be informed/notified?

During the application process, the customer will be signposted to the following link as part of the guidance text that they read on GOV.UK.

2.8a) Which HO staff will have access to the data?

Service and Support Centre staff who are UKVI employees and caseworking staff – also UKVI employees – who need to process application data as part of the immigration decision-making process. Where it is deemed necessary, a HO employee in another area of the HO may need to have sight of the information.

2.8b) How will that access be controlled?

UKVI staff use the following systems with access controls as follows:

  • CID – access can only be gained having been given a specific profile on the system. A caseworker can make a decision and a team leader would be someone who could change information on there, for example
  • information is redacted when staff are not to have access to a specific profile and can only be viewed when permission is given by the Special Cases team – a proforma is required for this
  • security constantly monitor who is accessing CID and what is happening on the system – we are limited as to what we can view
  • there are strict disciplinary procedures in place for people who look at family or friends’ records on CID
  • access has to be granted to Q-matic, Orchestra, Atlas and HOPs – everyone given access to these systems has a legitimate business reason for doing so and this again should be monitored by team leaders

2.9) Where will the data be stored?

Data will be stored on the systems listed in 2.8b

2.10) If the data is being stored by electronic means - as opposed to hard copy paper records - does the system have the capacity to meet data subject rights (e.g., erasure, portability, suspension, rectification etc)?

Yes

2.11) If you have chosen yes for 2.10, provide details of how these requirements will be met

Data will be stored within the cloud, hosted by Amazon Web Services on servers in Dublin, Ireland, before being downloaded through to UKVI. Once sent to UKVI, the data will be held for 30 days before being permanently deleted. The data is held in line with the customer’s data rights and the information is only being held for the purpose for which it has been submitted.

2.12) What is the retention period, how will data be deleted in line with the retention period and how will that be monitored?

  • Access UK data will be retained for 30 days after the application has been submitted.
  • data received by JRNI from Access UK will be held for 6 months

Biometric capture CCTV footage will be held for 31 days on all sites with the exception of Belfast, which holds onto the images for 1 year. The Belfast Security Team has examined this in the past as part of its audit and it is acceptable for footage to be retained for up to a year (so long as it is not used inappropriately) to facilitate any police queries (the CCTV also covers the front of a shared building onto a main street). 31 days is the suggested minimum but there are no legal limits either way that the team is aware of.

HO Data Retention policy suggests review points of 5, 7 and 15 years.

2.13) If physically moving/sharing/transferring data, how will the data be moved/ shared?

  • data from UKVI to JRNI will be transferred using an Application Programming Interface
  • UKVI staff will access information through a secure case management system

2.14) What security measures will be put in place around the movement/ sharing/ transfer?

The cloud storage and systems meet the ISMS criteria and meet UKVI Security Requirements for storing data. All measures will be signed off by the UKVI Accreditor.

2.15) Is there any new/additional personal data being processed (obtained from either the applicant or a third party) for this activity? (If the answer is yes, provide details)

Yes – see response to 2.1

2.16) What is the Government Security Classification marking for the data?

OFFICIAL/OFFICIAL-SENSITIVE

Section 3 (purpose)

3.1) What is the purpose for the processing? (Provide a brief description of what the purpose is for the processing activity e.g. sharing with a third party; storing data in a new way; automating a data processing activity etc.). What resources are needed to build the model? (e.g. FTEs, skills, software, external resource)

The data being collected is to allow the thorough caseworking of a customer’s application. Applicants now usually apply for a particular visa or immigration status online; their application includes biographical and identity information as well as evidence for how they meet the requirements of that particular route. On completion of their online application, they submit and pay for this. The data is then passed to caseworking systems for consideration. In the past, applicants would usually apply on a paper form; their data would then be re-entered into caseworking systems. The change to the process eliminates the need for rekeying.

The FTE for delivering this project is around 200.

3.2) What is the lawful basis for the processing?

Performance of public task

3.3) If processing special category data (see 2.3 above), what is the condition for processing?

Public interest

3.4) Is the purpose for processing the information the same as the original purpose for which it was obtained?

Yes

Section 4 (processing activity)

4.1) Is the processing replacing or enhancing an existing activity or system? If so, please provide details of what that activity or system is and why the changes are required. If the answer is yes move to 4.3.

Yes

Applicants will apply for a visa on Access UK which is a change to the current paper application process. As part of this change Service and Support Centres will provide additional help and support to customers making their application.

Customers will book a biometric enrolment appointment online or via the phone and take their supporting documents to their appointment.

During this appointment the applicant will be required to have their biometric data captured. Once the applicant has completed this process, a member of staff will scan all the supporting documents that are provided as part of their application process and check the biometric information has been captured correctly. The customer will be advised of any missing documentation and will subsequently post in any missing documentation to the casework unit. If that happens, the documentation is digitised, added to the data storage, linked to the appropriate case for consideration and returned to the customer. There will be a few variations on this process: e.g. paper-based routes will get all the documents posted in the first instance to digitise (for example fee waiver applications, family reunion etc). There is also the scenario where the caseworker will decide they need further evidence and write out, but this should become less frequent given that most of the routes are on Access UK and list the documents required, and we have the SSC conversation at the beginning.

The changes being implemented will create benefits for the Home Office and customers, as there will be no requirement for applicants to send in physical documentation (bar exceptional cases) to UKVI. This will reduce the volume of documents being held, which will help to reduce the potential for lost documents. Customers will also benefit from the change as many of them will be able to keep important documents in their possession and not have to submit them to UKVI for a period of time. UKVI are aware customers may wish to travel during this time and as such will advise customers that they should check they are eligible to travel before doing so.

4.3) How many individual records or transactions will be processed (annually) as a result of this activity?

The forecast is that around 100 000 applications will be processed through SSCs annually

4.4) Is this a one-off activity, or will it be frequent, or regular?

Regular

4.5) Does the processing activity involve another party? This includes another internal HO Directorate, as well external HO parties both public and private sector.

Yes

4.6) Is the other party another part of the HO Group for which the Home Secretary is the data controller?

Yes

4.7) Is the other party another public authority in the UK? If so, provide details and complete questions in Section 6.

No

4.8) Is the other party a private sector organisation in the UK? If so, provide details and complete questions in Section 6

Yes. Data will be passed to JRNI who, under a new contract, are providing an appointment booking system which will enable the customer to make a biometric enrolment appointment online.

4.9) Will the handling of data involve transfer of data to public bodies or private organisations outside the EEA? If no move to 4.10.

No

4.10) Is the processing for law enforcement purposes? If the answer is yes, you will need to complete Section 5.

No

4.11) Does the proposal involve profiling operations likely to significantly affect individuals?

No

4.12) Does the proposal involve automated decision making?

No

4.13) Does the processing involve using new technology?

Yes

4.14) Describe the new technology being used including who is supplying and supporting it.

New technology is the appointment booking system provided by JRNI

4.15) Are the views of impacted data subjects and/ or their representatives being sought directly in relation to this processing activity? If yes, explain how that is being achieved and move to 4.16

Yes. As part of the development of the overall Front-End Services UK changes, user research was being carried out to gain information on customer experience and develop the solution.

Benefits

4.16) List the benefits of undertaking the processing activity, including named business owner of the benefits and how they will be measured. If the beneficiaries include those outside the HO these must be listed as well.

Benefit(s): Reduction in the amount of compensation paid as a result of lost documents whilst cases move through the system.

How will they be measured? A reduction in lost document compensation claims

Benefit(s) Owner (in HO): FES UK workstreams

Beneficiaries: HO and UKVI Customers

Risks

4.17) Are there any other known, or anticipated risks associated with the processing of personal data that have been identified by the project/ programme/ initiative owner, which have not been captured in this document?

No

Section 5 (processing for law enforcement purposes)

Not required

Section 6 (data sharing)

6.1) External contact details for data exchange

Name: JRNI

Organisation: JRNI

Contact email: https://www.jrni.com/contact

Contact telephone: +44 (0)333 212 5884

6.2) How long will the data be retained by the receiving organisation?

Data collected by JRNI will be deleted after 6 months. CCTV footage will be deleted after 31 days for all sites with the exception of Belfast, where images are kept for 1 year.

6.3) How will it be destroyed by the receiving organisation once it is no longer required?

Electronic records are purged from the database by scripts after the 30 days in line with the data retention policy.

6.4) Does the arrangement require a data sharing agreement (MoU)?

No. There is a contract with JRNI.

6.5) Provide details of the proposed HO MoU signatory and confirm they have agreed to be responsible for the data sharing arrangement detailed in this document.

N/A

6.6) Will the recipient share any HO data with a third party including any ‘processors’ they may use?

No

Technical impact and viability

6.7) Which of the following reflects the data exchange?

Data extract No

Data matching No

Data reporting No

Data exchange/feed Yes

Direct access No

6.8) Has any analysis or feasibility testing been carried out?

Yes. The new online application system has been subject to intensive testing cycles both in terms of user experience as well as technical testing prior to agreement to go live.

6.9) Please confirm whether

a) development work is required

Yes. The software will continue to be iterated in response to feedback from operations and customers. There is a maintenance fee in the contract for the purpose.

b) there will be a fiscal cost?

Yes, as per answer a.

6.10) Would the increased volumes result in any degradation of an existing service?

No

Section 7 (international transfers)

7.1) Does the activity involve transferring data to a country outside of the EEA? If yes, specify the country and continue with this section. If no, do not complete the rest of this section, and go to Section 8.

No

Section 8

8.1) Date referred to the DPO

26 July 2019

8.2) Comments/recommendations

Please address the comments above and resubmit

8.3) Completed by

Ian Morris

8.4) Date returned to the business owner listed in Section 1

29 July 2019

8.5) Date re-referred to the DPO

30 July 2019

8.6) Comments/ recommendations

Review now complete; no further comment

8.7) Completed by

Ian Morris

8.8) Date returned to the business owner listed in Section 1

30 July 2019

Any suggestions for improvements or comments should be directed to KIMDirection@homeoffice.gov.uk

Effective Date: 30 July 2019