The UK Home Office is facing accusations of collecting data on “hundreds of thousands of unsuspecting British citizens” while performing financial checks on migrants.

A report from a private contractor related to a routine immigration application was accidentally sent to a charity by a government official. The document contained information on over 260 individuals, including their names, dates of birth, and electoral roll data.

The only link between these individuals and the applicant appeared to be shared addresses or postcodes, with some of those listed having moved as far back as 1986. The report, generated by credit reporting firm Equifax on June 25, 2024, was sent to a caseworker from the Refugee and Migrant Forum of Essex and London (Ramfel) later that same day.

The document was created for an immigration fee waiver application, which requires financial checks to confirm that applicants are unable to pay the regular visa, immigration, or nationality fees. Over 80,000 such applications were made in the year to September.

No response from Home Office

Nick Beales, head of campaigning at Ramfel (Refugee and Migrant Forum Of Essex & London), commented that the number of individuals named in the report suggests the Home Office may be collecting financial data on “hundreds of thousands of unsuspecting British citizens.”

Equifax included a disclaimer in the report, noting, “The volume and nature of the information available on this service makes it impractical for Equifax Ltd to verify it … This service is made available only for your own private or in-house purposes.”

Beales added that the Home Office did not respond to an initial email flagging the data breach, prompting the charity to write to Matthew Rycroft, permanent secretary at the Home Office, in November.

The letter raised concerns about transparency, privacy, and possibly non-consensual data collection, stating, “We cannot imagine any of these people, the majority of whom are likely British citizens with no prior engagement with the Home Office, have ever knowingly consented to the Home Office receiving and storing their data.”

Ramfel also questioned whether data on third parties was destroyed after use and what measures were in place to prevent unnecessary data collection and sharing. A December response failed to address these concerns.

Joanna Rowland, director general of the Home Office’s customer services group, wrote, “I cannot comment on individual processes in detail, but I note your suggestions and have asked officials in the relevant departments to consider them. The Home Office works hard to ensure the UK General Data Protection Regulations and Data Protection legislation is fully complied with. This means processing and securely storing the minimal amount of personal data necessary to execute our functions, lawfully and effectively, and deleting data which is not necessary.”

The Home Office stated it is investigating whether a data breach occurred and confirmed that it no longer uses Equifax for visa fee waiver processing.

Why it matters

Government data also shows a significant increase in the number of fee waiver applications since the Conservative government raised the immigration health surcharge from £624 to £1,035 per year for most adult visa applicants in February 2024.

The number of individuals declaring an inability to afford immigration fees increased significantly, rising from 13,600 in the final quarter of 2023 to 18,500 in early 2024, 22,800 in the second quarter, and 25,600 between July and September, with growing backlogs.

Ramfel's Beales remarked, “With applications for leave to remain already costing nearly £4,000, additional intrusive checks on a person’s finances are clearly unnecessary for those on low incomes or receiving disability benefits.”

He added that removing these checks would “help the Labour government streamline visa processing, reduce extensive delays that see people waiting over a year for their visas to be issued, and stop the mass collection of data of non-consenting third parties.”

Equifax provides services to several government departments and public bodies, including the Department for Work and Pensions, HM Revenue & Customs, the Ministry of Defense, Student Loans Company, the Ministry of Justice, and NHS Business Services Authority. In 2023, Equifax was fined £11 million by the Financial Conduct Authority for a data breach where hackers accessed information on nearly 14 million UK consumers due to data protection failures.

An Equifax UK spokesperson declined to comment but referred to legal guidance stating that credit reference agencies do not need consent for data collection and instead rely on “legitimate interest” under data protection laws.

A Home Office spokesperson said, “Any data breach is a matter of serious concern, and we ensure they are fully investigated. We continue to take robust action by continually monitoring training and safeguards to protect personal data.”