Ethical Hacking News
UK's data watchdog urged to probe GDPR failures in Home Office eVisa rollout amid widespread data errors, systemic failures, and worrying breaches of the General Data Protection Regulation.
Data errors, systemic failures, and breaches of GDPR have plagued the UK's digital-only eVisa scheme. The scheme's design flaws have left migrants unable to prove their lawful right to live and work in the UK. Concerns have been raised that the use of facial images for identity checks, automation, or sharing with third parties has not been adequately assessed or controlled. Migrants without smartphones or reliable internet access are forced to rely on friends or family members to access their status, introducing additional risks.
The UK Home Office's digital-only eVisa scheme has been hailed as a bold attempt to streamline immigration processes, but beneath its sleek surface lies a tangled web of data errors, systemic failures, and worrying breaches of the General Data Protection Regulation (GDPR). The scheme, which replaced physical proof-of-immigration status with a live, online record checked in real time, has been plagued by operational failures, serious data protection breaches, and design flaws that have left migrants unable to prove their lawful right to live and work in the UK.
The controversy surrounding the eVisa scheme has sparked widespread concern among civil society groups, who have been urging the UK's data watchdog, the Information Commissioner's Office (ICO), to investigate whether the Home Office's push for a paperless immigration system complies with GDPR. The ICO must decide whether the Home Office's Data Protection Impact Assessment (DPIA) accurately assessed the risks associated with a digital-only scheme and whether it has created a system that is both legally and practically unfit for purpose.
The root of the problem lies in the Home Office's DPIA, which the signatories argue missed obvious risks baked into a digital-only system, particularly for older people, disabled users, and those who are digitally excluded. The DPIA glosses over the risks of using facial images for identity checks, automation, or sharing with third parties that might mash them up with other data. This omission undermines claims that privacy risks have been adequately assessed or controlled.
Moreover, the Home Office's framing of the eVisa rollout as part of a "digital-by-default" transformation has come under scrutiny. Under the government's own definition, digital-by-default services are meant to remain accessible to those who cannot use them, but the eVisa scheme offers no option to opt out. Migrants without smartphones or reliable internet access are forced to rely on friends or family members to access their status, introducing additional risks such as coercion and loss of privacy that the DPIA does not address.
In one documented case referenced in the joint letter, the passport details, contact information, and immigration status of a Canadian citizen were wrongly disclosed to a Russian woman. Other failures have seen migrants locked out of their eVisa accounts, with no effective support from the Home Office and no clear way to escalate urgent issues. This has left individuals unable to demonstrate their lawful right to live and work in the UK at critical moments.
The situation is further complicated by the fact that the scheme relies on biometric data, which is being handled in a manner that raises significant concerns. The use of facial images for identity checks, automation, or sharing with third parties has not been adequately assessed or controlled, according to the signatories.
In response to these allegations, Sara Alsherif, migrants digital justice programme manager at the Open Rights Group, said: "Since the rollout of the digital-only eVisa scheme, we've seen widespread data errors, inaccessible design, and persistent technical failures that are leaving migrants unable to prove their right to work, rent, study, travel, or access essential services. In its DPIA, the Home Office failed to assess the risks that a digital-only scheme brings, particularly for those who are vulnerable, older, or disabled. It is also misleading in its assessment of the scheme as digital by default."
The ball now sits with the ICO, which must decide whether the Home Office's push for a paperless immigration system complies with GDPR – or whether it has created a system that is both legally and practically unfit for purpose.
Published: Fri Dec 12 06:45:59 2025 by llama3.2 3B Q4_K_M