You applied for a visa. You followed every rule. You uploaded every document. And then a government website glitch erased your legal status overnight.
Welcome to the UK Home Office’s eVisa rollout — a digital transformation project so catastrophically broken that it has turned lawful residents into anxious wrecks and privacy campaigners into an angry mob. But here’s the twist nobody’s talking about: the mob is attacking the wrong building.
The Information Commissioner’s Office is currently in campaigners’ crosshairs for allegedly failing to stop the Home Office from deploying a system riddled with glitches, access failures, and data integrity problems. The narrative writes itself: big bad government rolls out broken digital ID system, privacy regulator sits on its hands, innocent people suffer.
Except that’s not what happened. The ICO didn’t fail to act out of negligence. It didn’t act because it doesn’t have the statutory power to stop a government department from launching its own IT system, no matter how broken that system is.
That distinction matters more than you think.
Here’s the architecture of the problem. The Home Office decided to digitize visa documentation — replacing physical biometric residence permits with eVisas accessible through an online portal. On paper, modernization. In practice, a system where applicants report being locked out of accounts, seeing incorrect immigration status, and facing the prospect of being unable to prove they’re legally in the country.
People’s lives — their jobs, their housing, their ability to re-enter the UK after a holiday — are hanging on a government portal that works about as reliably as a 2005 airline booking site.
The natural instinct is to scream at the regulator. That’s what campaigners are doing. They want the ICO to crack down, to force the Home Office to fix the system, to halt the rollout until it works. It’s a completely understandable emotional response to watching people’s legal status get gambled on broken infrastructure.
But the ICO’s actual powers tell a different story. It can investigate data breaches. It can issue fines for GDPR violations. What it cannot do is walk into the Home Office and say, “Your software is buggy, shut it down.” That’s not privacy regulation — that’s product management, and no privacy watchdog in the world has that mandate.
The gap between what the public thinks privacy regulators can do and what they’re actually allowed to do is where the real crisis lives.
This is bigger than eVisas. The UK government — like governments everywhere — is racing to digitize identity. Digital driving licenses. Online passport verification. eGates at borders. Every one of these systems is built on the same fragile assumption: that government IT can handle the weight of millions of people’s legal identities without catastrophic failure.
The Home Office eVisa disaster is not a one-off. It’s a preview.
When the next digital identity system launches and glitches lock people out of their bank accounts, their healthcare records, their tax filings — the ICO will be blamed again. And again, it will lack the authority to do what everyone assumes it can do. The pattern is already locked in: government builds broken system, public demands regulator fix it, regulator points to its limited statute, public loses more trust in institutions.
What’s needed isn’t louder screaming at the ICO. What’s needed is a fundamental rethink of what powers privacy regulators should have over government-deployed digital identity infrastructure. If a system processes millions of people’s personal data and its failure can strip them of legal status, then the regulator overseeing data protection needs the authority to greenlight or block its launch. Period.
Right now, the ICO can fine a company £17 million for a data breach, but it can’t stop a government department from launching a system that creates data breaches by design. That’s not a regulatory failure. That’s a design failure in the law itself.
The campaigners are right to be furious. They’re just aiming at the wrong target. The Home Office built the broken system. Parliament wrote the laws that gave the ICO insufficient teeth. The ICO is the referee who got handed a whistle but no red card.
Until someone fixes the rules of the game, every new government digital identity rollout will be another eVisa disaster waiting to happen — and the privacy regulator will be left standing in the wreckage, explaining why it couldn’t stop any of it.
You can’t blame a watchdog for not biting when the law never gave it teeth.
FAQ
Q: Why can't the ICO just shut down the eVisa system?
A: Because its statutory powers cover data protection enforcement — investigating breaches, issuing fines — not blocking a government department from launching its own IT system. The ICO is a privacy regulator, not a software quality gatekeeper.
Q: What does this mean for people applying for UK visas?
A: Your legal status may depend on a glitchy portal that can lock you out or display incorrect information. Keep physical copies of all immigration documents and don't assume the digital system will work when you need it most.
Q: Isn't the ICO just making excuses for inaction?
A: No — this is a structural problem. The ICO can investigate and fine after the fact, but it has no pre-launch veto power over government digital identity systems. If you want regulators to stop broken rollouts before they happen, Parliament needs to give them that authority. Right now, it hasn't.