The ICO is not fulfilling its regulatory responsibilities to address the risks related to the use of ANPR
21. Before we decide if we should conduct a detailed investigation of a complaint, we look at whether there are signs the organisation has got something wrong. We do this by comparing what should have happened with what did happen. We have done this and have not found any indications that something has gone wrong in this case.
22. Mr E told us: ‘The problem in the context of this complaint is the attitude and negligent regulatory approach adopted by the ICO by failing to accept any responsibility to act (whether by regulation or lobbying government and other agencies) in support of the public interest. This is in regard to a matter whereby innocent people are at risk of becoming wrongfully embroiled in judicial or other enforcement processes due to the processing of unlawfully replicated personal data by the UK ANPR surveillance infrastructure’.
23. Mr E also told us: ‘Since 2018, the ICO, Home Office and the UK government have been alerted by a number of strategic stakeholders including myself as to the inadequacies of safeguards which govern the integrity of UK VNPs. Those inadequacies are directly responsible for the ease by which VNPs can be cloned and placed upon vehicles to which they are not lawfully attributed, with little risk of detection by the authorities. The UK ANPR infrastructure records the movement of VNPs and those VNPs which are not lawfully affixed to vehicles do in essence, result in personal data (which the ICO contends a VNP is for the purpose of UK GDPR and DPA 2018) being processed and therefore which is wrongly illustrative of a person’s movements’.
24. In its complaint responses the ICO told Mr E: ‘As you are aware, Controllers of personal data are required to process this data lawfully, fairly and in a transparent manner. They are also under an obligation to keep that data accurate and up to date. However, the issue of a fraudulently fitted VRN being read by an ANPR camera is not due to an error or inaccuracy of the content of the ANPR database itself and so this will not in itself be a contravention of the accuracy principle under data protection legislation’.
25. We understand that Mr E feels very strongly about this issue and clearly believes the ICO should do more to regulate the way data is collected, stored and used in relation to the current ANPR system in the UK.
26. To see if this is the case we have considered the guidance set out in the ICO ‘Regulatory Action Policy’ (RAP). The RAP sets out a risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of the data protection legislation, freedom of information law, and other legislation.
27. The RAP sets out how the ICO will use its statutory powers and says: ‘We will take action proportionately, we will exercise discretion as to when, in what manner, and to what extent enforcement is required. We will be selective when exercising this discretion, looking at the features and context of each case, as well as applying our resources more broadly to the areas of greatest risk and potential or actual harm to the community. We will apply our fining and other enforcement powers where they are effective, proportionate and dissuasive (to both the individual or organisation receiving the fine and more generally to those processing personal data)’.
28. Under its powers the ICO has a regulatory role rather than an adjudicative role. Its decisions are not legally binding. It has no obligation in legislation or guidance to investigate every aspect of a complaint, and it is not obliged to take specific action.
29. When we look at a complaint about an ICO decision, we need to consider whether there has been maladministration by the ICO. In doing so we are effectively looking at whether the ICO handled a complaint, investigated it to the extent appropriate and informed the complainant about progress and the outcome.
30. In this case the ICO have addressed the issues Mr E brought to its attention. We can see in response to his complaint the ICO sets out its position in relation to:
• fraudulent use of vehicle number plates
• personal data and controllership
• the accuracy principle
• integrity of the ANPR system.
31. As this is the case we can see the ICO has fulfilled its responsibility to handle Mr E’s complaint, investigated it to the extent appropriate and informed the complainant about the outcome. These responsibilities are set out in Section 165 of the ‘Data Protection Act 2018’ (DPA 2018).
32. Section 165 of the DPA 2018 grants individuals the right to file complaints with the ICO concerning the handling of their personal data under both UK GDPR and the DPA 2018. The section outlines the process for complaints about infringements of both the UK GDPR and specific parts of the DPA 2018, places a duty on the ICO to facilitate complaints, and requires the ICO to keep complainants informed about the progress of their case.
33. The ICO’s view on what constitutes an ‘appropriate extent’ is that its role is not to investigate or adjudicate on every aspect of a complaint. It is not obliged to take specific action, even if the complainant requests this.
34. When a complainant raises an issue with the ICO, it will usually consider the complaint in the context of improving the data practices of the organisation. The ICO’s approach to acting against an organisation is set out in its RAP. This policy outlines how the ICO takes relevant factors into account when it decides if it should act.
35. In its response the ICO sets out its position on each of the issues highlighted above. We know Mr E does not agree with its conclusions, so we have considered how the ICO applied its RAP approach.
36. From the ICO complaint replies we can see that it considered the impact on the authorised keeper of a vehicle if somebody attaches their VRN to another vehicle. The ICO set out that it would investigate any complaints it receives from an individual affected in this way. It also confirmed the police must take reasonable steps to ensure any data they are acting on is accurate before they act.
37. The ICO also set out that it will continue to monitor the situation and participate in any future consultations or discussion if the Home Office requires its input. We can see the ICO has given consideration to Mr E’s complaint and set out its position on each issue.
38. The ICO has taken the position that, as Mr E has not brought it specific complaints from people affected by the data issues he raised, it does not believe further action is necessary at this time. It has however agreed it would investigate any complaints it does receive and continue to monitor the situation.
39. The RAP sets out that the ICO will take action proportionately. It also says the ICO will be selective when exercising discretion, looking at the features and context of each case, as well as applying resources to the areas of greatest risk and potential or actual harm to the community. As the ICO has considered the risk in relation to Mr E’s complaint, we can see it took the decision that it did not need to take any further action at this time, in line with its RAP.
40. We know Mr E was not satisfied with how the ICO dealt with his initial complaint so escalated it through the ICO complaints process. We can see the ICO properly considered his complaint in line with its service complaints policy.
41. For these reasons we cannot say there are indications of maladministration in how the ICO have carried out its regulatory duties in relation to the current UK ANPR system. As such, we will take no further action.
Whether the ICO is fulfilling its duties to properly scrutinise the relevant DPIA
42. In the UK, a DPIA is a process used to systematically identify, assess, and minimise the data protection risks of a project or plan. Under UK GDPR and the DPA 2018, organisations must conduct a DPIA before carrying out any type of data processing that is likely to result in a "high risk" to individuals' rights and freedoms.
43. Mr E told us: ‘There is no evidence that ICO examined the National DPIA and determined if the risks to the data citizen were adequately managed under DPA 2018. This obligation, given the circumstances at the centre of this, is a bare minimum requirement. Had this properly been assessed the extrapolation of this failing would be clear and present to ICO - that there is a risk to the data citizen through inadequate management of processing of number plates against which they have obligations’.
44. In relation to the DPIA the ICO told us: ‘It is not our role as a regulator to review all organisations’ DPIAs. We rely on organisations to consult with us where appropriate as stipulated in the legislation. We confirm we have not received a formal request to consult upon the DPIA for the national ANPR system prepared by the Home Office. A controller is only obliged to submit a DPIA for prior consultation if the DPIA indicates that the processing would result in a residual high risk after mitigating measures have been implemented by the controller to reduce the risk or if no measures to reduce the risk are available. Although we have not carried out a detailed analysis, looking at the DPIA which is currently published online, this does not list any residual high-risk processing and so the controller is not required to consult us under the legislation’.
45. To consider if the ICO should have done more to consider the DPIA, as Mr E thinks it should, we have measured its response against the published ICO guidance on DPIAs. The guidance under the section ‘Do we need to consult the ICO’ says: ‘If you have carried out a DPIA that identifies a high risk and you cannot do anything to reduce it, prior consultation with the ICO is required under UK GDPR. You cannot go ahead with the processing until you have consulted us’.
46. For most organisations, the DPIA is an internal process. An organisation is required to perform a DPIA for any new project or activity involving a high risk to personal data, but it only needs to send it to the ICO if it cannot successfully reduce that risk. There is nothing in legislation or guidance that sets out that the ICO must assess every DPIA, and an organisation only needs to consult the ICO in a high-risk situation.
47. The relevant legislation that covers this aspect of the ICO’s work is set out in Article 36 of the UK GDPR. Article 36 mandates that data controllers consult with the ICO before processing data in high-risk scenarios identified by a DPIA where residual risks cannot be mitigated. Article 36(2) requires the ICO to provide written advice to a data controller who initiates a prior consultation. Article 36(2) also grants the ICO the power to intervene during this consultation process. If the ICO believes the planned processing would infringe the UK GDPR, it can use its corrective powers to prevent or alter the processing.
48. The UK GDPR is a UK law that took effect on 1 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
49. After considering the above legislation we can see there is a duty on an organisation to consult the ICO if any aspect of the DPIA remains high risk after mitigation. However, the relevant DPIA in this case has no high-risk sections once mitigation has been completed. As this is the case there is no duty placed on the organisation to consult the ICO.
50. We know Mr E believes there are aspects of the DPIA that need to be improved. However, it is not for us to make a finding on the effectiveness of the DPIA. What we are considering is if the legislation or guidance as it stands indicates the ICO should have done more as Mr E believes it should.
51. The ICO have told us it considered the contents of the DPIA when a police force approached it in 2019 and gave some guidance at the time. The relevant DPIA was published in January 2020; this suggests the ICO were approached as the DPIA was being produced, or that the guidance relates to the previous DPIA. As this is the case we can see the ICO have had some oversight of a previous version of the DPIA, and at the time gave some guidance on what could be improved.
52. If the ICO investigates an organisation due to a data breach or a complaint from a member of the public, they may demand to see relevant documentation, including any DPIAs. The DPIA serves as evidence of the steps taken to assess and mitigate risk.
53. In this case it is important to note that Mr E did not approach the ICO with a relevant data protection complaint. In his complaint he did not cite a specific data protection breach that had affected either himself or a specific member of the public. This means that in dealing with his complaint the ICO did not scrutinise the DPIA. In its complaint replies the ICO told Mr E that should the issues he has complained about give rise to a complaint to the ICO from an individual whom these issues affected, it will investigate and respond to that complaint.
54. After considering all the relevant legislation, we have not found that the ICO has a duty to consider the DPIA in the way Mr E wants it to. Further, the ICO has offered to consider the matter Mr E has raised further should it receive a complaint from someone who is directly affected. Therefore, our view is that the ICO’s response is consistent with the Central Government Complaint Standards, which say organisations should provide a fair and balanced account when responding to complaints.
55. As this is the case we have found no indications of maladministration in how the ICO have acted in relation to the DPIA Mr E complains about. As such we will take no further action.
56. We understand this will not be the decision Mr E was hoping for, and we know he would like us to go further than we have in considering his complaint. We are sorry to hear Mr E remains frustrated at the stance of the ICO, and hope our decision and explanation of how we have considered his complaint is helpful to him.