The third in a series. The Quiet Joining-Up showed how governments link citizens' records with Splink. Statistics or Operations? showed the same tool stepping from research into real-time operations. This piece asks the coldest question of the three: has any of it actually been ruled unlawful — and if so, where, exactly?
▶ Open the slide deck · ↓ Slides (PDF) · ↓ Slides (PowerPoint)
I wanted to be careful here, because the temptation is to overstate. So I set a deliberately high bar and graded every finding against it. Tier 1: an ICO enforcement notice, monetary penalty or formal reprimand against the named system, or a court ruling that the processing was unlawful — named, dated, citable. Tier 2: a regulator concern short of enforcement, or a judicial review that settled or was withdrawn rather than ruled. Tier 3: criticism, however serious, without an adjudication behind it.
Then I ran the search three times, independently, fact-checking every claim adversarially — a claim had to survive skeptical refutation by an independent check or it was killed. Across the three passes, roughly 300 verification agents, 99 sources, and four claims thrown out for overreach (including one of my own).
The verdict in one paragraph
No Tier-1 adjudication exists against any of the four named systems — MoJ Data First, Splink, the ONS Integrated Data Service, or ADR UK. No fine, no enforcement notice, no reprimand, no court ruling. The genuine rulings of unlawfulness are all adjacent — they hit Home Office data processing next door, using the same legal posture. So I will not tell you Data First has been found unlawful. It has not. What I will tell you, and can prove, is that the same shortcut — putting citizens' data-protection safeguards in policy instead of law — has been struck down by the courts three times running.
Per-target verdict
• MoJ Data First — nothing. No legal challenge, no ICO action, no ruling. The published Algorithmic Transparency Record documents only a DPIA, the Five Safes, identifier removal and panel oversight. (High.)
• Splink — nothing. It is the open-source linkage tool built for Data First; nothing has been adjudicated against the tool. (High.)
• ONS Integrated Data Service — nothing, and this time I searched for it directly rather than inferring it from silence. The ICO enforcement register, the National Statistician's Data Ethics Advisory Committee minutes, the Office for Statistics Regulation, and the March 2026 Public Accounts Committee report yield only Tier-3 material — the PAC's criticism is value-for-money and low adoption, with zero references to data-protection breach. NSDEC and OSR have no enforcement power; they could not produce a Tier-1 finding if they wanted to. (High.)
• ADR UK — nothing. Governance rests on the Digital Economy Act 2017, the Five Safes, and NSDEC ethics review. The ICO has endorsed the Five Safes model — the opposite of an enforcement action. (High.)
Sources: GOV.UK — MoJ Data First / Splink ATR; ADR UK governance; OSR data-sharing & linkage follow-up; PAC, Government use of data (Mar 2026); ICO enforcement register.
What WAS ruled unlawful — three times
The real adjudications are next door, in the Home Office's immigration data regime. They are not about linkage; they are about an exemption that strips migrants of the right to see and challenge their own data. But they matter to this story, because they condemn precisely the move the linkage machinery relies on: keeping the safeguards out of the statute.
Round 1 — Court of Appeal, 26 May 2021. In R (Open Rights Group & the3million) v SSHD the Court of Appeal held the Data Protection Act 2018 immigration exemption unlawful — an "unauthorised derogation from the fundamental rights conferred by the GDPR" — because the safeguards mandated by Article 23(2) were nowhere in the legislation. Relief was suspended; the government re-legislated (SI 2022/76).
Round 2 — High Court, 29 March 2023. Saini J held the revised exemption still unlawful: safeguards "must appear on the face of the legislation or in a binding code (approved by Parliament) and with statutory force" — they cannot be parked in a policy document.
Round 3 — Court of Appeal, 11 December 2023. The Court of Appeal again confirmed the exemption breached Article 23(2). It is this ruling the government's second fix was made in answer to.
Citations: [2023] EWHC 713 (Admin) · judgment PDF; [2021] EWCA Civ 800 and [2023] EWCA Civ 1474 (Court of Appeal). Background: House of Lords Library briefing; Open Rights Group campaign.
Where it stands now (2026): the exemption is back in force in amended form. The second remedial instrument — The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024, SI 2024/342 — was made on 7 March 2024 and came into force on 8 March 2024, finally putting case-by-case decision-making, a necessity-and-proportionality test, and vulnerability and Convention-rights safeguards on the face of the statute. Its successor data-protection statute, the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025), left the immigration exemption untouched — it amends only the separate crime exemption. As of mid-2026 a dedicated search found no fourth round of litigation.
Sources: SI 2024/342 (legislation.gov.uk) · Explanatory Memorandum; Data (Use and Access) Act 2025 · gov.uk summary; ICO immigration-exemption guide.
The line I will not cross
Here is the part that keeps this honest. The immigration rulings are Tier-1 and unshakeable — but they are about an exemption from people's own data-subject rights, not about linking or sharing datasets. The defect the courts struck down was procedural: safeguards belong in law, not policy. None of the three judgments discusses inter-departmental sharing, record linkage, or bulk matching.
So the fair claim is: the same department, using the same trick of keeping safeguards out of the statute, was ruled unlawful three times. The unfair claim — the one I will not make, and you should not either — is that the courts have condemned government data-linkage. They have not. Accuracy is the weapon here; an opponent who catches one overstatement discredits everything true that sits beside it.
The closest thing to a linkage adjudication
There is one finding that lands nearer the linkage machinery than the immigration cases do — and it is Tier 2, not Tier 1. On 26 March 2021 the Information Commissioner formally responded to the Cabinet Office's plan to expand the National Fraud Initiative's data-matching purposes. The regulator warned, in writing, that the Cabinet Office "has not yet undertaken a DPIA" and should do so before any processing, that necessity and proportionality were not demonstrated, and that on-demand matching "could potentially allow participants to conduct disproportionate searches for information about particular individuals across a wide range of sources without lawful cause."
That is a regulator, on the record, warning that a government data-matching programme risks unlawful, disproportionate processing without a completed impact assessment. It is the single most on-point item in the whole investigation for the question this series asks — but it is a consultation response, not enforcement. No Tier-1 enforcement notice or court ruling on inter-departmental government data-matching was found.
Source: ICO consultation response on the NFI (26 Mar 2021) · full PDF. Related: ICO response on the Eligibility Verification Measure.
Four items that look stronger than they are
Because these recur in coverage, and because getting one wrong is how the whole argument gets dismissed:
• Royal Free–DeepMind (ICO, 3 July 2017). The ICO found the trust breached the Data Protection Act 1998 in sharing ~1.6 million patient records — but the remedy was a voluntary undertaking, not a fine or an enforcement notice. Cite it as "a finding via undertaking," never as a penalty. ICO record ↗
• Home Office visa-streaming algorithm (2020). Withdrawn before any hearing after a judicial review by JCWI and Foxglove. Tier 2 — a climbdown with no admission and no ruling. "Successful judicial review" is press shorthand. Foxglove ↗
• DWP Universal Credit, [2020] EWCA Civ 778. A real ruling against DWP — but on irrationality over salary-payment timing. Zero data-protection holding. Irrelevant to linkage. BAILII ↗
• Home Office GPS tagging of migrants (ICO, 1 March 2024). A genuine Tier-1 enforcement notice and warning — but about intrusive surveillance and DPIA failure, not data-matching. The strongest available Tier-1 hit against the Home Office is about surveillance, not linkage. ICO record ↗
What I could not close
• Whether the Cabinet Office ever completed the DPIA the ICO demanded in 2021, and whether the ICO followed up once the expanded matching went live.
• Whether any Tier-1 action exists against the other big sharing regimes — DWP fraud matching, HMRC bulk sharing, the Digital Economy Act 2017 public-service-delivery powers — beyond the NFI consultation. Not yet searched to exhaustion.
• The ICO enforcement register renders dynamically; the ONS "none found" rests on converging searches rather than a single authoritative query. An unreported or very recent filing cannot be fully excluded.
Read the rest of the series
→ The Quiet Joining-Up — how the linkage works, and why citizens were never really told. Includes the full evidence locker: every government source archived, screenshotted and saved. ↓ evidence bundle.
→ Statistics or Operations? — the same tool crossing from research into real-time operations, in the government's own words.
↗ Full repository, evidence & supporting investigations (GitHub)
Third pass methodology: three independent research runs, ~300 adversarial verification agents, 99 sources, 75 claims verified, 4 killed for overreach. Every legislative fact in the "where it stands now" section was confirmed verbatim against legislation.gov.uk; every court holding against the primary judgment or the National Archives caselaw record. Public sources only; no non-public system was accessed. Confidence levels are stated; what was not checked is marked as not checked.