The Home Office is under scrutiny after it was revealed that a contractor accidentally sent data on hundreds of unsuspecting British citizens while conducting financial checks for immigration applications. The report, which contained personal information about more than 260 people, was mistakenly emailed to a charity. This has raised concerns over privacy and non-consensual data collection practices.
The report, which was generated by the credit reporting firm Equifax, included sensitive details such as names, dates of birth, and electoral roll information of individuals who had a past connection to an immigration applicant. The connection was typically that these people had once lived or worked in the same address or postcode area as the applicant. However, some individuals listed had moved away as far back as 1986.
The document was sent on June 25, 2024, to a caseworker at the Refugee and Migrant Forum of Essex and London (Ramfel), a charity that helps migrants. It was related to an immigration fee waiver application, which includes financial checks to determine whether an applicant can afford to pay the standard visa, immigration, or nationality application fees. More than 80,000 such applications were filed in the year leading up to September 2024.
Nick Beales, head of campaigning at Ramfel, said that the scale of the report suggests that the Home Office may be collecting financial data on hundreds of thousands of British citizens without their knowledge or consent. He questioned whether this practice could have serious implications for transparency, privacy, and data protection.
The report, which was part of a service provided by Equifax, came with a disclaimer noting that the volume of information available through the service makes it “impractical” for the company to verify all of it. Beales pointed out that the Home Office did not respond to an initial email about the data breach and that Ramfel had to escalate the issue by writing to Matthew Rycroft, permanent secretary at the Home Office, in November 2024.
Ramfel’s letter raised critical concerns about the potential for non-consensual data collection and the handling of personal information. The charity also asked whether the data on third parties, such as the unsuspecting British citizens, had been destroyed after use and requested further clarification on what measures were in place to limit unnecessary data collection.
In December, the Home Office responded with a letter from Joanna Rowland, the director-general of the Home Office’s customer services group, stating that while the department could not provide detailed comments on specific processes, it worked to ensure compliance with UK data protection laws. The letter reassured that personal data was stored securely and that only the minimum necessary data was processed.
The Home Office confirmed it was investigating whether a data breach had occurred, but the contractor, Equifax, no longer provides services related to visa fee waivers.
This incident comes amidst a surge in the number of fee waiver applications, following a substantial increase in the immigration health surcharge, which rose from £624 to £1,035 a year for most adult visa applicants in February 2024. Government statistics show that the number of applicants declaring they cannot afford the fees has been steadily increasing, putting additional pressure on visa processing systems and leading to growing backlogs.
Beales also argued that these financial checks, which often focus on low-income individuals or those receiving disability benefits, are unnecessarily intrusive. He suggested that eliminating these checks could help reduce delays and streamline the visa process while also preventing the mass collection of data on non-consenting individuals.
Equifax, which provides services to several government departments, including the Department for Work and Pensions, HM Revenue & Customs, and the Ministry of Defence, has previously faced scrutiny over data breaches. In 2023, the company was fined £11 million by the Financial Conduct Authority for a breach in which hackers accessed the personal information of nearly 14 million UK consumers.
While Equifax declined to comment on the incident, a spokesperson pointed to legal guidelines indicating that credit reference agencies do not need consent for data collection under data protection laws, relying instead on the “legitimate interest” basis.
A spokesperson for the Home Office assured that any data breaches would be thoroughly investigated, with ongoing monitoring, training, and safeguards in place to protect personal data.
Stay tuned to London Pulse News for updates on this developing story and the ongoing investigation into the Home Office’s handling of the data breach.
