UK Government Data-Linkage:
Where has it actually been
ruled unlawful?
A primary-source hunt for Tier-1 adjudications — an ICO enforcement notice, penalty or reprimand, or a court ruling of unlawful processing — against Data First, Splink, ONS IDS and ADR UK, with everything else graded down to regulator concern or criticism.
One person. Every dataset. No shared ID.
ONE PROFILE OF YOU at the centre; separate records splinter off across departments — matched by Splink (UK MoJ) with no shared ID, no consent, no opt-out.
No Tier-1 adjudication exists against any named target.
Every genuine ruling of unlawfulness sits adjacent — in Home Office immigration data — not on the data-linkage systems themselves.
The honest, defensible frame: the same shortcut — keeping citizens' data-protection safeguards in policy instead of law — has been struck down by the courts three times. Not an asserted violation against Data First, which has never been adjudicated.
Evidence standard
Three independent deep-research passes. Each claim extracted from fetched primary sources, then put through adversarial verification — a claim is killed unless it survives skeptical refutation. Tiering applied strictly; my own overreach killed too.
The four named systems
| System | Highest tier | Adjudication found | Basis |
|---|---|---|---|
| MoJ Data First | None | No legal challenge, ICO action, or court ruling | Transparency record shows only DPIA + Five Safes + panel oversight |
| Splink | None | None | Open-source record-linkage tool built for Data First |
| ONS IDS / IDP | None | None — now searched, not inferred | Highest adverse material is Tier 3 only (next slide) |
| ADR UK | None | None | Statutory safeguards. ICO has endorsed Five Safes |
ONS IDS: searched directly — still nothing above Tier 3
An earlier pass only inferred “none” from absence. A dedicated sweep of the ICO register, NSDEC minutes, OSR reports and the March 2026 PAC report confirms it.
PAC, “Government use of data” (Mar 2026)
Criticism is value-for-money and adoption only. Zero references to ICO, GDPR, or unlawful processing.
OSR (statistics regulator)
Engaged with IDS only at recommendation level. No enforcement power — structurally cannot reach Tier 1/2.
NSDEC ethics committee
Names IDS positively as a strategic project to prioritise for ethics review. Prospective assurance, not censure.
ICO / Courts
No enforcement notice, penalty, reprimand, audit or opinion; no judicial review touching IDS/IDP linkage.
The immigration exemption — 2021, 2023, 2023
| Round | Court | Citation | Holding |
|---|---|---|---|
| R1 · 26 May 2021 | Court of Appeal | [2021] EWCA Civ 800 | Original exemption unlawful — “unauthorised derogation from the GDPR” |
| R2 · 29 Mar 2023 | High Court (Saini J) | [2023] EWHC 713 (Admin) | Revised exemption still unlawful — safeguards can’t live in policy |
| R3 · 11 Dec 2023 | Court of Appeal | [2023] EWCA Civ 1474 | Confirmed breach of Art 23(2). The ruling the 2024 fix answered |
Struck down three times — then legislated back into force
The exemption was never struck down outright: each ruling used a suspended declaration, then the government re-legislated.
Operative text today: SI 2024/342 — The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 — made 7 Mar 2024, in force 8 Mar 2024. It finally put case-by-case decision-making, a necessity/proportionality test, and vulnerability + Convention-rights safeguards on the face of the statute.
The successor statute, the Data (Use and Access) Act 2025 (Royal Assent 19 Jun 2025), left the immigration exemption untouched — it amends only the separate crime exemption. A dedicated search found no fourth round of litigation as of mid-2026.
Does the immigration ruling touch data-linkage?
Not directly. The unlawfulness is about an exemption from individuals’ own data-subject rights — not about linking or sharing datasets.
The defect was procedural: Art 23(2) safeguards must live in legislation, not policy. The judgments contain no discussion of inter-departmental sharing, record linkage, or bulk matching.
So the framing must be careful
✓ Fair: the same department, the same trick of keeping safeguards out of the statute, ruled unlawful three times.
✗ Overreach: claiming the courts have condemned government data-linkage. They have not.
The National Fraud Initiative — a Tier-2 warning
On 26 March 2021 the ICO formally responded to the Cabinet Office’s plan to expand the National Fraud Initiative’s data-matching purposes. The most on-point item in the whole investigation — but a consultation response, not enforcement.
The ICO also warned the Cabinet Office “has not yet undertaken a DPIA” and should do so before any processing, and that necessity/proportionality were not demonstrated. No Tier-1 enforcement or court ruling on inter-departmental data-matching was found.
Source: ICO consultation response on the NFI (26 Mar 2021), full PDF · related: ICO response on the Eligibility Verification MeasureFour items that look stronger than they are
Royal Free–DeepMind (3 Jul 2017)
ICO found DPA 1998 non-compliance over ~1.6M records — but via a voluntary undertaking. No fine, no notice. Cite as “finding via undertaking,” never a penalty.
Visa-streaming algorithm (2020)
Withdrawn before any hearing after the JCWI/Foxglove JR. No ruling, no admission. “Successful JR” is press shorthand.
DWP Universal Credit [2020] EWCA Civ 778
Real ruling against DWP — but irrationality over salary timing. Zero data-protection holding.
Home Office GPS tagging (1 Mar 2024)
Genuine ICO enforcement notice + warning — but DPIA/surveillance failure, not data-matching. Strongest Home Office Tier-1 is surveillance, not linkage.
Positioning
- Lead with the adjacency, not a fabricated violation. The Tier-1 facts are next door, named and dated — the spine of the argument, not a claim that Data First itself was condemned.
- The pattern is the argument. Three times the Home Office put data-protection safeguards in policy rather than law; three times the courts ruled that unlawful. The same governance-by-assurance posture runs through Data First / ONS IDS.
- Be precise on Royal Free and the visa tool. An opponent who catches “fine” (it was an undertaking) or “struck down” (it was a withdrawal) discredits the whole brief. Accuracy is the weapon.
- State plainly the on-target verdict is “none found.” That is a strength — the honest, searched result — and it pre-empts the “you’re exaggerating” rebuttal.
What still needs nailing down
- Whether the Cabinet Office ever completed the DPIA the ICO demanded in 2021, and whether the ICO followed up once expanded NFI matching went live.
- Any Tier-1 action on the other big sharing regimes — DWP fraud matching, HMRC bulk sharing, Digital Economy Act 2017 powers — beyond the NFI consultation. Not yet searched to exhaustion.
- The ICO enforcement register renders dynamically; the ONS “none found” rests on converging searches, not a single authoritative query.
- An unreported or very recent filing against SI 2024/342 cannot be fully excluded.
Citations
• caselaw.nationalarchives.gov.uk / BAILII — [2023] EWHC 713 (Admin); [2020] EWCA Civ 778
• [2021] EWCA Civ 800 · [2023] EWCA Civ 1474 (Court of Appeal)
• legislation.gov.uk — SI 2024/342 + Explanatory Memorandum
• legislation.gov.uk — Data (Use and Access) Act 2025 (c.18)
• lordslibrary.parliament.uk — immigration-exemption briefing
• ico.org.uk — Royal Free; GPS tagging; immigration-exemption guide
• gov.uk — Data First / Splink algorithmic transparency record
• adruk.org — governance & ethics
• committees.parliament.uk/52403 — PAC, Government use of data (2026)
• osr.statisticsauthority.gov.uk — data-sharing & linkage review
• ico.org.uk — National Fraud Initiative consultation response (2021)
• foxglove.org.uk — visa-streaming algorithm withdrawal (2020)
Full series at brandonmyers.net/writing — The Quiet Joining-Up (with archived evidence locker), Statistics or Operations?, and this report. Repository & evidence: github.com/btmaffiliate/uk-data-linkage-disclosure