The Home Office is “aware of technical issues” after users logging in to the digital system for accessing and demonstrating immigration status reported being provided with someone else’s information, the immigration minister has said.
The issue was flagged in a letter sent to the department in August, in which advocacy group the3million provided details of “several instances where an individual’s online immigration status has become entangled with someone else… where people have logged in to Home Office systems, resulting in a display either of someone else’s status or an inconsistent mixture of their own and someone else’s status”.
EU citizens that have been granted either settled or pre-settled status can prove their right to live and work in the UK by using a GOV.UK platform to enter their date of birth and passport number. This prompts the issuance of an email or text message containing a code which can then be shared with the organisation performing the status check – such as employers and landlords, who are now required to conduct immigration checks on all prospective employees and tenants.
The letter from the3million provided information on three cases in which people had entered details from their identity document – and then been given access to the immigration information or status of a completely different person.
“It is particularly concerning that, in some of these cases, a status was correctly accessible before it then became inaccessible/entangled at a later date. Moreover, the status appeared to require correcting by the Home Office more than once,” the missive added.
“In one of these cases, the status holder is left (after Home Office intervention) unable to generate share codes other than for right to work or rent. Furthermore, even these right to work or rent share codes can only be obtained by logging in via a portal that is not appropriate to their status and which does not use the security mechanism of sending a one-time passcode via SMS or email.”
Settled status operates on a digital-only system despite repeated calls for the Home Office to introduce some form of physical documentation.
The Home Office is yet to respond to the letter, but the issue was recently raised again in a written parliamentary question from Scottish National Party MP Stuart McDonald. He asked the department “whether the instances of personal data breaches alleged in that correspondence: did not happen; did not require reporting; and have not been investigated”.
In response, immigration minister Tom Pursglove said that, while the Home Office is “unable to comment on specific cases without further information… we are aware of technical issues with similar characteristics to the three case studies provided in the correspondence from the3million, where individuals have reported that other individuals’ face images or personal details appeared on their online digital immigration status”.
“These technical issues can sometimes constitute data breaches,” he added.
“We handle data breaches extremely seriously and, if they occur, they are reported and raised with relevant teams in accordance with Home Office data handling procedures. All such incidents are then referred to the relevant data protection officer to investigate and assess against the data protection legislation to determine next steps and raise to the [Information Commissioner's Office]if necessary. No data breaches relating to digital immigration status have been raised to the ICO as they fall below the threshold for escalation.
“All technical issues reported by users of digital immigration status are logged, investigated, and fixed at the root cause to prevent users experiencing the same issues again."
Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared