Government Actors


(Information services)

GCHQ is the Government Communications Headquarters and one of the UK’s intelligence agencies. It works mostly on combating threats such as cyberwarfare, and it can intercept information in line with legislation to thwart such threats. Its work is done in secret and little is known about its activities. It has, however, been known to access bulk information as a method of surveillance, which is a human rights concern in terms of privacy. In fact, the European Court of Human Rights said it was a fundamental breach of Article 8 and Article 10 rights to privacy and freedom of expression respectively.

The National Cybersecurity Centre (NCSC)


The NCSC is the UK's technical authority for cyber threats and sits under GCHQ. It’s the early warning mechanism for threats and can give authorities technical info. As a single point of contact for NIS (network and information systems) incidents, it also coordinates with its counterparts in Member States. Its functions where cyber breaches occur overlap with the ICO’s GDPR remit, in that the UK GDPR, with NIS, was said to be the primary way “cyber hygiene” in the UK economy would be improved. A government review has shown intent for the ICO and the NCSC to collaborate.

Investigatory Powers Commissioner’s Office (IPCO)

(overseeing information services)

IPCO oversees the use of covert investigatory powers by more than 600 public authorities, including the UK’s intelligence agencies, law enforcement agencies, police, councils and prisons. It reviews their applications to use the most intrusive of these powers and checks they are used in accordance with the law. Its purported mission is to understand and ensure that new and developing technologies, operations and legislation are safeguarded against potential privacy issues.

There is a double lock system where IPCO, along with a cabinet minister, must approve the most intrusive surveillance requests. The IPCO also investigates non-compliance and feeds its findings back to inform policy changes, national training and product development to reduce or eliminate future risks. Notably, it has oversight over the UK-US Data Access Agreement.

Office for Communications Data Authorisations

OCDA’s remit was established in the Investigatory Powers Act (IPA) 2016; it oversees communications data – the who, where, when and how of a communication but not the content.

The IPA has granted law enforcement and public authorities updated powers to access communications data for legitimate purposes. OCDA safeguards an individual’s right to privacy under the Human Rights Act 1998. It considers requests for communications data from law enforcement and public authorities and makes independent decisions on whether to grant or refuse them, ensuring that all requests are lawful, necessary and proportionate.

NHS Digital

(public health digital transformation)

There is a memorandum of understanding between the NHS and the Home Office to share confidential patient information for immigration enforcement purposes, including deportation, as part of the hostile environment policy. Opponents say this violates the right to healthcare.

The data sharing arrangement extended to NHS Digital, which facilitated tracing people for immigration control. This is now being amended.

Joint Biosecurity Centre (JBC)

(coronavirus response)

The JBC was set up as part of the NHS test and trace service under the Department of Health and Social Care for evidence-based analysis to inform COVID-19 response decision making.

It has a monitoring programme designed to understand the rate of infection and its spread. It works with a range of partners, including private industry, working closely with research groups and utilises qualitative data for behavioural insights. It notes privacy notices and Data Protection Impact Assessments (DPIAs) are applied when accessing personal data.

After a COVID-19 outbreak during the pandemic, the JBC weighed in on repopulating Napier Barracks with asylum seekers, as an FOI release revealed in an internal document, which said: “Clearly repopulating to its full capacity is a nonsensical approach.”

Biometrics and Surveillance Camera Commissioner (BSCC)

(police use of CCTVs and biometrics)

The BSCC replaced the Biometrics Commissioner (BC) and Surveillance Camera Commissioner (SCC). Some are concerned this might mean a reduction of oversight when there is increasing and extensive use of biometrics and surveillance in public and private and when industry-wide standards are not set in stone. The Protection of Freedoms Act 2012 set up the BC and SCC roles. The BC oversees the retention and use of DNA samples, DNA profiles and fingerprints by law enforcement agencies. They report to the Home Office; its scope has evolved with biometric technologies, e.g. voice recognition and gait analysis. The SCC oversees compliance with the Surveillance Camera Code of Practice and reviews the efficacy of the Code, and it advises on standards although it can’t enforce them.

The roles merged because of the “confluence” regarding automated facial recognition but there is some scepticism around the capacity of the new position to cover both roles adequately.

Government Digital Service (GDS)


The GDS builds platforms, products and services to create a “joined up” experience of government. It’s the lead behind the digitalisation of government and where answers can be found to how the government is using data, such as performance analytics and data science and its standards around algorithms, along with the Central Digital and Data Office.

Home Office

The Home Office holds various data of people who come into contact with the department for a variety of reasons. This data may be shared with other government departments and vice versa when there is a memorandum of understanding in place to govern the sharing of data.

Information Commissioner’s Office (ICO)

The ICO is an independent authority that upholds information rights in the public interest, promoting transparency from public bodies and data privacy for citizens. It looks at best practice around handling personal data and disseminates guidance around data protection, privacy and open government. The ICO holds certain powers in the form of information notices, forcing bodies to release information to it, or enforcement notices to compel bodies to take or refrain from taking certain actions. Its remit covers laws regulating communications, networking and data protection, including the Data Protection Act and the EU's General Data Protection Regulation (GDPR).

Department for Culture, Media and Sport (DCMS)

The Minister of State for Media, Data, and Digital Infrastructure sits under DCMS and governs the direction of information policy in the UK. Currently, the government is seeking to implement its Data: A New Direction policy that would weaken GDPR and data protections. In tandem it is pushing through the Online Safety Bill, which purports to tackle online harm but which has drawn criticism for its proposals to strip back anonymity and end-to-end encryption.
