Department is hit with the first fine for a public body since the Information Commissioner’s Office began trialling an approach to only issue financial penalties for the most egregious breaches
The Ministry of Defence has been fined £350,000 over a data breach that divulged the identities of hundreds of Afghan nationals who worked for the UK government in Afghanistan.
According to data watchdog the Information Commissioner’s Office, the incident allowed 245 recipients of an email about the evacuation of eligible people to see who else the communication had been sent to and even gave thumbnail images of 55 recipients.
The email was sent by the team responsible for the UK’s Afghan Relocations and Assistance Policy on 20 September 2021, weeks after the UK and United States had left Kabul and the Taliban had regained control of Afghanistan. At the time the individuals involved were understood to be interpreters.
The ICO said the data exposed by the MoD could have resulted in a threat to life if it had fallen into the hands of the Taliban. Its investigation found that the MoD had infringed the UK General Data Protection Regulation in August and September 2021 by failing to have appropriate technical and organisational measures in place.
It said the MoD did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation and that staff joining the ARAP team were not given specific guidance about the security risks.
An internal MoD investigation found that similar data breaches – in which group emails were sent that included individuals’ addresses in the “To” field rather than the “BCC” field – had taken place on two other occasions in September 2021. It said the MoD had wrongly exposed a total of 265 email addresses across all three incidents.
ICO guidance urges organisations to use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically. The ARAP team had been relying on the use of the blind carbon copy field for security, which the ICO said carries a “significant risk of human error”.
Information commissioner John Edwards said applying the highest standards of data protection was not an optional extra and the consequences of data breaches could be life-threatening.
“This deeply regrettable data breach let down those to whom our country owes so much,” he said. “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.
“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.”
Edwards said he welcomed remedial steps taken by the MoD, which included contacting people affected and asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form.
The MoD also updated ARAP’s email policies and processes and implemented a “second pair of eyes” policy for team members sending emails to multiple recipients.
An MoD spokesperson said the department took its data-protection obligations “incredibly seriously”.
“We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened,” the spokesperson said. “We fully acknowledge today’s ruling and apologise to those affected. We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”
The ICO said the MoD’s fine had been reduced from a “starting amount” of £1m in recognition of the actions the department had taken after details of the breach emerged and the significant challenges the ARAP team faced. The fine was also discounted in line with the watchdog’s approach towards financially penalising public-sector organisations.
The penalty is the first time in more than 18 months that the ICO has imposed a fine – of any size – on a public body. In June 2022 commissioner John Edwards announced that the regulator would be undertaking a two-year trial of a “revised approach” to the public sector that would focus on raising standards and, generally, opt against using financial penalties.
But, in a recent interview with PublicTechnology, deputy commissioner Stephen Bonner said that the watchdog was still willing to fine government entities if the breach was particularly “egregious” – including those that may have created a risk to life.