Home Office contractor collecting data on UK citizens while checking migrants’ finances | Data protection

The Home Office has been accused of collecting data on “hundreds of thousands of unsuspecting British citizens” while conducting financial checks on migrants.

A report by a private contractor for a routine immigration application was mistakenly sent to a charity by a government official, and contained information on more than 260 people including their names, dates of birth and electoral roll data.

Their only connection to the applicant appears to be that they previously lived or worked in the same address or postcode area, but some of the people listed had left as far back as 1986. The document, seen by the Observer, was generated by the credit reporting firm Equifax on 25 June 2024 and was emailed to a caseworker from the Refugee and Migrant Forum of Essex and London (Ramfel) later the same day.

It was drawn up for an immigration fee waiver application, which requires financial checks to verify that people cannot afford to pay the normal fee for their visa, immigration or nationality applications. More than 80,000 of these applications were lodged in the year to September.

Nick Beales, Ramfel’s head of campaigning, said the number of people named in the single report suggested that the Home Office could have been “collecting financial data on hundreds of thousands of unsuspecting British citizens”.

Equifax, which was subject to one of the largest cybersecurity breaches in history in 2017, included a disclaimer in the report, which read: “The volume and nature of the information available on this service makes it impractical for Equifax Ltd to verify it … This service is made available only for your own private or in-house purposes.”

Beales said the Home Office did not respond to an initial email flagging the data breach, and the charity wrote to Matthew Rycroft, permanent secretary at the Home Office, in November.

The letter said: “This raises serious questions about transparency, privacy, and potentially non-consensual data collection, as we cannot imagine any of these people, the majority of whom are likely British citizens with no prior engagement with the Home Office, have ever knowingly consented to the Home Office receiving and storing their data.”

Ramfel asked whether data on third parties was destroyed after use and what measures were in place to minimise unnecessary information collection and sharing, but a response received in December did not answer the questions.

A letter from Joanna Rowland, director general of the Home Office’s customer services group, said: “I cannot comment on individual processes in detail, but I note your suggestions and have asked officials in the relevant departments to consider them. The Home Office works hard to ensure the UK General Data Protection Regulations and Data Protection legislation is fully complied with. This means processing and securely storing the minimal amount of personal data necessary to execute our functions, lawfully and effectively, and deleting data which is not necessary.”

The Home Office told the Observer it was investigating whether a data breach had taken place. It no longer used Equifax for visa fee waiver processing.

Government statistics show a steep rise in the number of fee waiver applications since the Conservative government increased the immigration health surcharge from £624 to £1,035 a year for most adult visa applicants in February 2024.

The number of people declaring they could not afford the fees jumped from 13,600 in the last three months of 2023 to 18,500 in the first quarter of 2024, 22,800 in the second quarter and 25,600 between July and September, and backlogs are growing.

Beales said: “With applications for leave to remain already costing nearly £4,000, additional intrusive checks on a person’s finances are clearly unnecessary for those on low incomes or receiving disability benefits.

“Removing these checks would help the Labour government streamline visa processing, reduce extensive delays that see people waiting over a year for their visas to be issued and stop the mass collection of data of non-consenting third parties.”

Equifax provides services to government departments and public bodies including the Department for Work and Pensions, HM Revenue & Customs, the Ministry of Defence, Student Loans Company, the Ministry of Justice and NHS Business Services Authority. In 2023, the firm was fined £11m by the Financial Conduct Authority over a data breach in which hackers accessed information on almost 14 million UK consumers because of data protection failures.

A spokesperson for Equifax UK declined to comment but pointed to legal guidance stating that credit reference agencies do not require consent for data collection and instead rely on “legitimate interest” under data protection laws. A Home Office spokesperson said: “Any data breach is a matter of serious concern, and we ensure they are fully investigated. We continue to take robust action by continually monitoring training and safeguards to protect personal data.”

Source: Lizzie Dearden
