Question to the Home Office:

To ask the Secretary of State for the Home Department, with reference to the sharing of personal information of an EU Settlement Scheme applicant with an external organisation, if she will publish the criteria by which her Department judges whether an external organisation has taken sufficient steps to protect personal information shared with them.

The Home Office is the data controller for all data processed within the EU Settlement Scheme, this includes where organisations are contracted to act on behalf of the Home Office.

No other organisations have access to the personal information of applicants to the EU Settlement Scheme.

The Home Office may share information with an organisation an applicant has cited within their own application. This is to verify the evidence and protect against fraud and the use of counterfeit documents. Further details are set out in the following guidance and privacy information notice:

https://www.gov.uk/guidance/eu-settlement-scheme-how-we-use-your-personal-information

https://www.gov.uk/government/publications/personal-information-use-in-borders-immigration-and-citizenship.

The Home Office takes its data security and data protection obligations extremely seriously. There are processes in place in the Home Office for the capturing and mitigation of risks and vulnerabilities to ensure appropriate control of our services. I can confirm this is the case for the EU Settlement Scheme.

Our staff are security cleared and data will only be accessed by those who have a valid business reason to access it. The Home Office regularly monitors the systems for abuse and misuse.