In the digital age, governments across the world are building technologically integrated programmes to allow citizens to access welfare payments. While smart and digital technologies hold the potential to streamline administrative processes and reach millions, they can also have adverse effects on those they should be supporting.
Social protection systems around the world are increasingly ‘conditional’, meaning that aspects of state support, usually financial or practical, are dependent on claimants complying with a set of rules or conditions. These processes are increasingly tied to rigid identification systems and determined by algorithmic and Automated Decision Making (ADM) processes. Those who fail to comply with the rules can find themselves automatically cut-off, have their assistance reduced or are subject to sanctions and fines.
As Privacy International has argued, the discrimination inherent in certain conditional welfare systems does not affect everyone equally. There is increasing evidence that welfare systems are driven by racialised and gendered assumptions about people in need that also perpetuate baseless societal tropes to the effect that mothers, people of colour and migrants are undeserving abusers of social protection and welfare.
The global drive to streamline and automate welfare systems also lines the pockets of private sector companies. Many government agencies in charge of administering welfare choose to outsource the design and management of their technological infrastructure to private sector partners or corporations, instead of managing the system internally.
The companies which provide tech solutions to governments also begin to play a role in supplying services and products that can enable surveillance, and in the monitoring of those receiving welfare support.
The introduction of Smart (Debit) Cards is one of many other ways that governments are attempting to streamline the distribution and management of public benefits. These programmes provide social assistance through Smart (Debit) Cards, provided and administrated by corporations. In 2012 a partnership was formed between the South African Social Security Agency, Grinrod Bank and MasterCard aiming to expand access to social protection through a smartcard. The programme was discontinued after the South African Supreme court argued that there was a fault in the tender process.
But in 2017, the government of Bangladesh, in cooperation with USAID and the Bill and Melinda Gates Foundation, created a similar programme known as ‘a2i’ (Access to Information) that built a system for citizens to receive social assistance on a pre-paid debit card. Access to the programme requires people to register with their biometric data.
In Australia, a Cashless Debit Card programme in partnership with Indue Ltd. aimed to reduce fraud and streamline welfare administration in the poorest region of the country. However, it soon came to light that the Department of Social Services was disproportionately targeting areas inhabited by indigenous Australians and using cashless debit cards to institute the further surveillance and income management of these communities.
The ASPEN Card for asylum seekers in the UK
People seeking asylum in the UK, as in many other countries, are excluded from claiming support from the welfare state and in most cases they are also not allowed to work whilst their asylum application is being reviewed. But in some countries like the UK they can access support in the form of housing and also receive a minimal allowance while in the UK through a scheme administered by the Home Office.
In the past, asylum seekers collected this small sum of money from a Post Office with their Asylum Registration Card or through a prepaid payment card known as the AZURE Card. But the process of withdrawing money at a Post Office was sometimes cumbersome, requiring people to travel long distances and tying them to a single Post Office location. The Azure Card was also only accepted in selected stores.
In May 2017, the Asylum Support Enablement (ASPEN) Card was rolled-out nationally, replacing cash payments previously given to asylum seekers whose application had been refused, and to asylum seekers with an on-going application.
When asked by a Member of Parliament on 4 June 2019 for what reason the Home Department had decided to move the provision of financial support to asylum seekers from post offices to ASPEN cards, the Minister for Immigration responded:
“Primarily, the sub-contractual arrangements were coming to an end, and the Asylum Registration Card (ARC) used for identification and payment purposes was being upgraded. Other factors included improved convenience and accessibility for service users, and a reduction in processing costs associated with reduced cash handling.”
Who receives support through the ASPEN card, and how does it work?
The ASPEN Card operates differently depending on whether the recipient of the assistance is an asylum seeker whose application has been refused, or an asylum seeker with an on-going application.
Section 4 of the Immigration and Asylum Act 1999 provides for support to asylum seekers whose applications have been refused (known as Section 4 support) and includes provision of accommodation and £35.39 a week via a payment card, which at the moment is the ASPEN card. They can only make chip and pin payments, i.e. no card withdrawals are permitted.
Those whose asylum claims are on-going can apply for ‘section 95 support’ under the Immigration and Asylum Act 1999. The purpose of this support is to assist those who are destitute or about to become destitute and their dependents, whilst their asylum claim is pending. Those seeking assistance under section 95 must demonstrate that they meet ‘the destitution test’ which means that they must provide evidence that they do not have adequate accommodation or enough money to meet living expenses for themselves and any dependants.
‘Section 95 support’ provides for housing as well as £37.75 per week (current rate) for each person. The subsistence support is provided through a debit card, which is currently the ASPEN Card, which allows the withdrawal of cash and direct card payments.
These situations are far from temporary. Asylum seekers are forced to live off this menial stipend while the Home Office processes their application, which can take years. During this time whole families are left to struggle to make ends meet, unable to work or settle.
So… what’s the problem?
In April 2017, The Unity Centre in Glasgow sounded the alarm that the ASPEN cards were being used by the Home Office to monitor the expenses of cardholders and track the locations where they were used. According to The Unity Centre, the Home Office explicitly said that they were “analysing card usage data”. This surveillance was largely possible because Asylum seekers eligible for Section 4 support were also not able to withdraw cash from ATMs. This restrictive way of providing support created the conditions of heightened surveillance of Asylum seekers on Section 4 support, whose every purchase are monitored and partial surveillance of asylum seekers on Section 95 support, who could still withdraw their allowance in cash.
In January 2019, reports by The Sunday Times and The Independent provided more evidence that the Home Office was monitoring ASPEN cards. In particular, Home Office officials were reported as monitoring purchases made outside a person’s ‘authorised’ city where they are given temporary housing, in order to make a case that the person was fraudulently living elsewhere or did not qualify as destitute, making them ineligible for financial support and shelter.
The Sunday Times, also notes that one leaked letter seen by The Sunday Times stated, “It is observed from your ASPEN transactions that you have been spending your support out of area . . . you are now required to provide all information and evidence requested within five working days.”.
A closer look at Home Office policy from their “Breach of conditions instruction”, addressed to their members of staff, reveals that the procedures for establishing whether or not fraud has been committed are vague and seem to be largely at the discretion of the individual caseworker. The policy states that if there is a suspicion of fraudulent activity, the person in question will be required to justify to the caseworker what happened and “should the explanation lead a caseworker to believe that the breach of condition was unavoidable the explanation may be deemed a ‘Reasonable Excuse’.” If, however, the caseworker finds that there are ‘reasonable grounds’ to believe that the supported person has failed to comply with the conditions, their support will be suspended or discontinued.
When asked on 6 February 2019 by a Member of Parliament about “ how many asylum seekers have had their asylum support (a) suspended and (b) discontinued as a result of information obtained by the monitoring of the usage of an ASPEN card”, the Minister for Immigration at the time, responded:
“Where evidence comes to light that would suggest a supported asylum applicant has access to alternative accommodation and support, we would invite the applicant to give an account of their activity. Evidence can come from a number of sources, including ASPEN usage data. Suspension and any subsequent discontinuation of support due to a breach of conditions carries a right of appeal. Data is not held in a publishable format.”
A source at Asylum Matters told Privacy International that caseworkers have access to the card data and it is believed that an automated system flags locations and certain retailers. The source was also told by the Home Office that monitoring through the ASPEN Card is justified on the grounds that patterns of transactions that take place a significant distance away from the person’s address can indicate that the person is not complying with their accommodation agreement or that they may have fallen victim to trafficking. The source also explained that the ASPEN Card program was expanding to include provisions for its use for transport costs of asylum seekers.
Some of the people reported by The Sunday Times as being punished for making trips included a teenage schoolgirl who bought a train ticket using a donation from a local church to attend her father’s wake and a Sudanese man living in the Midlands who had his benefits withdrawn after attending a court hearing in London. The Sunday Times reported that the Home Office confirmed that 186 people had their support stopped in 2018 ‘as a result of a referral regarding the ASPEN card usage’
People reported by The Sunday Times as being punished for making trips included a teenage schoolgirl who bought a train ticket using a donation from a local church to attend her father’s wake…
The surveillance of asylum seekers: lucrative business for Sodexo
But there is more to the ASPEN Card than meets the eye. To date, investigative reports have highlighted some of the harrowing effects of Home Office surveillance on asylum seekers but have paid less attention to how and by whom the programme is run.
The administration service around the ASPEN card is provided by Sodexo, a global outsourcing company, which has a contract with the Home Office for the operation of the system. In the UK alone Sodexo employs 34 000 people. The company has a global annual revenue of around 20 billion euros and are the world’s 19th largest employer. The company delivers the total operation of five prisons in England and Scotland, managing over 5,000 prisoners in high and medium security facilities. Sodexo also manage a large number of public facilities including schools, NHS facilities and universities. According to the company’s UK website, Sodexo provides and manages prepaid cards, vouchers and online payment platforms with more than 500,000 users across the UK, with over £1 billion loaded onto the cards or spent using their solutions.
Sodexo’s partnership with the Home Office dates back to the year 2000, when they first helped to introduce the Azure card – as noted above, the first debit card created for asylum seekers in the UK on Section 4 support and the litmus test for the ASPEN card.
This paved the way to rolling out pre-paid cards to all asylum seekers and eliminated any other form of paying support. Sodexo’s website hails the partnership, explaining that the system allows the Home Office to “ring-fence certain funds for specific purposes; for example, to be used only to pay for transport services”, and to configure “whether cards are ATM enabled or not, and if so to set the limit of funds that can be withdrawn”.
On the 3 September 2019, when asked by a Member of Parliament how much the Home Department paid to Sodexo to provide the Aspen card service in each year for which data is available; and what estimate her Department has made of the future costs of that service, the Government responded that: “The Home Office does not publish data on the costs of the Sodexo contract as it is considered commercially sensitive.”, and “As we [the Home Office] are in the process of retendering for the payment card we are unable to provide any information on future costs”. A manual informal calculation of reported monthly expenditure provides a rough estimation that the Home Office may have sent around £ 84,000,000 of taxpayer’s money to SODEXO MOTIVATION SOLUTIONS UK LTD for services under the line items, ‘Voluntary Assisted Returns’, ‘Asylum Provision & Services and Public Order’, ‘Security & Safety’.
The Home Office website that provides information to asylum seekers, refers to the ASPEN Card as a payment mechanism but as far as we are aware it does not mention who administers it. Migrant Help, an organisation sub-contracted by the Home Office to deal with asylum claims, also appears to have no available information online concerning the ASPEN Card.
The Home Office does state in a letter sent out to ASPEN Card users and obtained by Privacy International, from a source we will refer to as Mishka, that by enrolling in the programme they are agreeing to, “the Home Office and authorised contractors collecting and storing information about card usage for the purposes of fraud prevention and ensuring compliance”. They do not, however, as far as we are aware, provide a way of opting-out of the system, making the allowance conditional on this Home Office monitoring.
A data protection and human rights lens: the ASPEN Card
Digital technology has created what can be described as a ‘government-industry complex’ that manages and regulates social protection programmes. Concerning features of this ‘government-industry complex’ around the world include poor governance of social protection policies, a lack of open, inclusive and transparent decision-making processes and limited transparency and accountability of the systems and infrastructure.
Information published by the Home Office on the ASPEN Card provides details on what the card can and can’t be used for, and where it can and can’t be used, i.e. selected shops, not abroad, etc. This is an example of how such a programme creates a system which enables the monitoring, tracking and general exertion of control over recipients, while directly undermining asylum seekers’ autonomy and dignity.
Making surveillance and income management a condition of access to support leaves Asylum Seekers who are unable to work with no choice but to submit to Home Office scrutiny. This means that asylum seekers are currently having to accept a trade-off between accessing support and their fundamental right to privacy but also non-discrimination, amongst others. Given the time it takes to process an asylum application, entire families seeking refuge from conflict or disaster can be subjected to income management and degrading surveillance for years. Considering this invasive monitoring and recording of asylum seekers’ intimate details of their lives, questions remain about the proportionality of such practices , and to how and if safeguards are integrated into the system to ensure compliance with the UK’s national and international human rights obligations, and data protection standards.
Data protection and privacy obligations
Systems such as the ASPEN card highlight some key concerns in relation to the protection, respect and promotion of the right to privacy as protected by the UK’s international human rights commitments, Article 7 of the EU Charter of Fundamental Rights and Article 8 of the European Convention on Human Rights enshrined in national law through the Human Rights Act 1998.
Any interference with the right to privacy must meet the following standards: be in accordance with the law, and pursuant to a legitimate aim, in a democratic society. Furthermore, it is essential that social protection systems are not exempt from data protection laws. Rather they must build in and respect safeguards including the principles of transparency, lawfulness, fairness, data minimisation, accuracy, storage limitation, integrity and confidentiality of data and significantly accountability. Each of these principles is extremely pertinent in the context of a social protection system such as the support systems provided to asylum seekers.
Documentation published by the Home Office on the ASPEN Card indicates that “the Home Office and our providers will protect and keep your personal information confidential.”
In response to a written question submitted by a Member of Parliament on 6 February 2019 the Government claimed that “The terms and conditions relating to Aspen usage received appropriate legal scrutiny prior to being published and make it clear that personal data will be used only for the prevention of fraud and to preserve the integrity of the scheme which includes ensuring the welfare of card user”.
But it is not clear what safeguards, such as privacy policies, agreements, impact assessments are in place or have been carried out in relation to the processing activities of both the Home Office and partners, i.e. such as Sodexo or agencies with whom the Home Office may share this information.
In response to another questioned submitted by a Member of Parliament which asked whether the Home Officer had undertaken “a Data protection impact assessment (a) or (b) after the introduction of the Aspen card in asylum support arrangements”, the Government responded that: “The introduction of Aspen (2016) pre-dates the requirement for a data protection impact assessment (DPIA), which was introduced as part of the General Data Protection Regulation (GDPR). Appropriate legal advice was nevertheless obtained prior to the scheme being launched. In line with good practice, a review of current practice is being conducted to ensure that it is compliant with the GDPR, which will include the completion of a DPIA.”
Whilst undertaking a DPIA is a new obligation under GDPR, such assessments (also referred to previously as Privacy Impact Assessments, PIAs) “have been used for many years as a good practice measure to identify and minimise privacy risks associated with new projects” as noted by the UK Information Commissioner’s Office. That in spite of such guidance and what is now a legal requirement to carry out a DPIA for this type of processing, no such assessment has been carried out, is deeply concerning. Given the rights implications of this programme it is imperative that if not done already a DPIA, as well as an Equality and Human Rights Impact Assessment, be carried out and made public.
The “immigration enforcement” exemption
It is unclear how the collection, use and sharing of ASPEN Card data is impacted by the exemption in paragraph 4 of Schedule 2 to the Data Protection Act 2018, which provides broad exemption for “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of immigration control.”
Privacy International together with others has raised significant human rights concerns about the inclusion of this exemption during the passage of the Data Protection Act 2018. It is currently the subject of a legal challenge and a complaint. In the meantime, this exemption renders the use of data, such as through the ASPEN card, even more problematic and worrisome for the protection of asylum seekers who already find themselves in vulnerable and precarious situations with limited avenues of redress.
This exemption renders the use of data, such as through the ASPEN card, even more problematic and worrisome for the protection of asylum seekers who already find themselves in vulnerable and precarious situations with limited avenues of redress.
Scrutinising and regulating public-private partnerships
Concerns around the partnership between the Home Office’s ASPEN card programme, and Sodexo are exacerbated by lack of transparency, as highlighted by the refusal of the Home Office to comment on the current and future contract with Sodexo as recently as September 2019. As noted above, it is also unclear what data protection and privacy policies, agreements and impact assessments (if any) govern this partnership between the Home Office and Sodexo.
Inviting corporate partners like Sodexo to manage smart (debit) card systems for welfare management has had consequences in other contexts and Sodexo has been at the centre of a fair few controversies. For example, in 2016, privacy advocates raised concerns after the Rio Tinto mining company contracted Sodexo to create a surveillance system of staff in mining camps in Western Australia. It was reported that the contract was for ten years of facilities management and included a plan to dramatically increase surveillance of the Rio Tinto assets via a platform that live-streamed information to a monitoring station in Perth staffed by 50 people.
In the UK, Sodexo came under fierce criticism back in 2016 for their management of the outsourced probation service, and in particular for the company’s disregard for the privacy and wellbeing of service users. A separate incident surfaced in June 2019, as United Voices of the World (UVW), a trade union which supports precarious, low-paid and predominantly migrant workers in the UK, initiated a campaign to fight against the poor treatment and unequal pay of Sodexo employees at Saint Mary’s Hospital, London the majority of whom are migrant workers.
Going back to the Aspen Card contract, in response to questions submitted by a Member of Parliament in June 2019, the Government responded that “The Home Office’s contract to provide financial support to asylum seekers through an Aspen Card will expire on 27 November 2019 (with the option to extend for a further 6 months to 27 May 2020).” When asked in early September 2019 by a Member of Parliament as to whether the contract between Sodexo and the Home Office would be extended, the answer given by the Government was that “The Home Office intend to extend the contract for three months but reserve the right to extend for a further three months if required.”
The imposition of the ASPEN Card on those who are marginalised and unable to resist is no accident. It enables the Home Office and those they work with (in this case Sodexo) to test and develop new forms of surveillance, relying on the general public to turn a blind-eye to deeply concerning practices, because they seemingly only affect people on the margins. The Home Office gathers information about asylum seekers under the pretext of streamlining administrative processes. But as the ASPEN programme gradually expands, it would be short sighted not to wonder whether similar systems may be rolled out to other benefit claimants in the UK in the future.
Systems designed to support asylum seekers must be designed to protect rights from the onset and where they fail to do so, human rights, data protection and other legal tools should and must be used to scrutinise and where necessary challenge them. “All human rights are universal, indivisible and interdependent and interrelated", and so asylum seekers should not have to trade off their right to privacy to enjoy their right to asylum and to social protection and their ability to live in dignity. Current practices in the UK, as highlighted by the ASPEN Card programme, risk doing just the opposite.
This piece was co-authored between Grace Tillyard and Privacy International on the basis of research conducted while the author was working for them.
The article was first published by Privacy International on October 16, 2019.