Article Details

UK watchdog urged to probe GDPR failures in Home Office eVisa rollout. Rights groups say digital-only record is leaking data and courting trouble. Civil society groups are urging the UK's data watchdog to investigate whether the Home Office's digital-only eVisa scheme is breaching GDPR, sounding the alarm about systemic data errors and design failures that are exposing sensitive personal information while leaving migrants unable to prove their lawful status. In a joint letter [PDF] to the Information Commissioner's Office (ICO), coordinated by the Open Rights Group, the signatories argue that the Home Office has failed to meet its data protection and equality obligations, despite rolling out a system that replaces physical proof-of-immigration status with a live, online record checked in real time. When that system breaks, they say, people are locked out of work, housing, travel, education, and essential services, with no meaningful fallback. Home Office staff still leaning on 25-year-old asylum case management system The groups cite a "high volume" of data errors linked to the eVisa scheme, which they say amount to both operational failures and serious data protection breaches. In one documented case referenced in the letter, the passport details, contact information, and immigration status of a Canadian citizen were wrongly disclosed to a Russian woman. Other failures have seen migrants locked out of their eVisa accounts, with no effective support from the Home Office and no clear way to escalate urgent issues. Because the scheme is digital-only, there is no physical document to fall back on when errors occur, leaving individuals unable to demonstrate their lawful right to live and work in the UK at critical moments. At the heart of the complaint is the Home Office's Data Protection Impact Assessment (DPIA), which the signatories describe as incomplete and misleading. The groups argue it misses obvious risks baked into a digital-only system, especially for older people, disabled users, and those who are digitally excluded, while brushing off the impact of stripping away all physical proof-of-immigration status in favor of real-time online checks. The letter also takes aim at how biometric data is being handled, arguing that the DPIA glosses over the risks of using facial images for identity checks, automation, or sharing with third parties that might mash them up with other data. According to the groups, this omission undermines claims that privacy risks have been adequately assessed or controlled. Campaigners also challenge the Home Office's framing of the eVisa rollout as part of a "digital-by-default" transformation. Under the government's own definition, digital-by-default services are meant to remain accessible to those who cannot use them, but the eVisa scheme offers no option to opt out. Migrants without smartphones or reliable internet access are forced to rely on friends or family members to access their status, introducing additional risks such as coercion and loss of privacy that the DPIA does not address. Sara Alsherif, migrants digital justice programme manager at the Open Rights Group, said: "Since the rollout of the digital-only eVisa scheme, we've seen widespread data errors, inaccessible design, and persistent technical failures that are leaving migrants unable to prove their right to work, rent, study, travel, or access essential services. "In its DPIA, the Home Office failed to assess the risks that a digital-only scheme brings, particularly for those who are vulnerable, older, or disabled. It is also misleading in its assessment of the scheme as digital by default. If the Home Office had identified some of these risks, migrants may not have experienced the same levels of distress and hardship that we have seen over the last year. The ICO must investigate." The ball now sits with the ICO, which must decide whether the Home Office's push for a paperless immigration system complies with GDPR – or whether it has created a system that is both legally and practically unfit for purpose. The Register has asked the ICO and the Home Office to comment.