The Home Office is facing accusations of gathering data on "hundreds of thousands of unsuspecting British citizens" as part of financial background checks on migrants.

The controversy arose after a government official mistakenly sent a confidential report—prepared by a private contractor for an immigration application—to a charity. The document, reviewed by The Observer, contained the names, birth dates, and electoral roll details of over 260 individuals. Their only apparent link to the applicant was having previously lived or worked at the same address or in the same postcode, with some having moved away as far back as 1986.

The report was generated by credit reporting firm Equifax on June 25, 2024, for an immigration fee waiver application, which requires financial assessments to confirm that an applicant cannot afford standard visa, immigration, or nationality fees. More than 80,000 such applications were submitted in the year leading up to September.

Nick Beales, head of campaigning at the Refugee and Migrant Forum of Essex and London (Ramfel), noted that the scale of names in this single report suggested the Home Office might have been “gathering financial data on hundreds of thousands of British citizens” without their knowledge.

Equifax, which suffered a major cybersecurity breach in 2017, included a disclaimer stating that due to the large volume and nature of the data, it was impractical for the company to verify all information. The disclaimer also specified that the data was meant only for private or internal use.

Ramfel initially flagged the potential data breach to the Home Office but received no response. In November, the charity escalated the issue to Matthew Rycroft, the department’s permanent secretary, raising concerns about transparency, privacy, and the possible unauthorized collection of citizens’ data. The charity questioned whether third-party data was deleted after use and what safeguards were in place to prevent excessive information collection and sharing.

However, the Home Office’s response in December did not directly address these queries. In a letter, Joanna Rowland, director general of customer services, stated: “I cannot comment on individual processes in detail, but I note your suggestions and have asked officials in the relevant departments to consider them. The Home Office works hard to ensure compliance with UK General Data Protection Regulations and Data Protection legislation, processing only the minimal necessary personal data and deleting information that is not required.”

The Home Office confirmed to The Observer that it was investigating whether a data breach had occurred and that it no longer used Equifax for visa fee waiver processing.

Government figures show a sharp increase in fee waiver applications following a rise in the immigration health surcharge, which jumped from £624 to £1,035 per year for most adult visa applicants in February 2024. The number of individuals declaring they could not afford visa fees rose from 13,600 in the final quarter of 2023 to 18,500 in early 2024, then to 22,800 in the second quarter, and 25,600 between July and September, leading to growing backlogs.

Beales criticized the additional financial scrutiny imposed on low-income applicants and those receiving disability benefits, arguing that these checks were unnecessary given the high cost of leave-to-remain applications, which now exceed £4,000. He suggested that removing such checks would help the Labour government streamline visa processing, reduce extensive delays—often over a year—and prevent the mass collection of data from uninvolved third parties.

Equifax provides services to various government agencies, including the Department for Work and Pensions, HM Revenue & Customs, the Ministry of Defence, the Student Loans Company, the Ministry of Justice, and the NHS Business Services Authority. In 2023, the Financial Conduct Authority fined the company £11 million for a data breach that exposed information on nearly 14 million UK consumers.

An Equifax UK spokesperson declined to comment but pointed to legal guidance indicating that credit reference agencies rely on "legitimate interest" under data protection laws rather than obtaining direct consent for data collection.

A Home Office spokesperson stated: “Any data breach is a matter of serious concern, and we ensure they are fully investigated. We continue to take robust action by continually monitoring training and safeguards to protect personal data.”