Cabinet Office has published previously secret 2023 review of data security, as well as a response from the Information Commissioner, following disclosure of MoD data breach on 18,000 Afghans seeking to move to the UK
The Information Commissioner has warned the government that it needs to go “further and faster” in improving data security. This comes after the Cabinet Office published a previously secret internal review into information security, carried out by the Cabinet Office in 2023, following a series of high-profile public sector data breaches.
The review was published in response to requests from Dame Chi Onwurah, chair of the Science, Innovation and Technology Committee, for clarity about the government’s work to prevent a repeat of the 2022 Ministry of Defence Afghan data breach, which was itself revealed less than two months ago.
Writing to ministers Pat McFadden and Peter Kyle on 24 July – a week after it was revealed that an MoD official had in 2022 accidentally shared the data of more than 18,000 Afghans seeking relocation to the UK – Onwurah asked for further information on the government’s processes for handling sensitive data.
Responding on 28 August, McFadden, the chancellor of the Duchy of Lancaster, and Kyle, the science, innovation and technology secretary, said they were publishing the 2023 information security review, the existence of which was not previously public knowledge.
They added: “The review made a number of recommendations, these have been taken forward under the previous administration and under the current government. Good progress has been made, but we must guard against complacency. This is an area on which we must keep a consistent focus to ensure standards continue to improve.”
In a separate letter, senior officials told Onwurah that twelve of the review’s fourteen recommendations had been implemented.
Cat Little, the Cabinet Office permanent secretary and civil service chief operating officer, and Emran Mian, the permanent secretary at the Department for Science, Innovation and Technology, said the government has “taken concrete action to improve data security across government in a broad range of areas” including strengthening policies, creating better governance processes, enhancing technological solutions and placing greater emphasis on handling personal data securely in training and communications since the Afghan Relocations and Assistance Policy data incident.
The Science, Innovation and Technology Committee has published the exchange of letters, alongside a letter from Information Commissioner John Edwards to McFadden, sent on 25 July, in which he called on the government to fully implement the recommendations of the information security review “as a matter of urgency”.
Edwards said the government needs to go “further and faster” to raise standards and prevent further harm, highlighting the need for a central board to assume responsibility for “establishing a strong senior leadership voice for consistent data protection practice across government”.
“Central coordination across government is essential for avoiding further incidents of this seriousness,” he added. The Information Commissioner also issued guidance last month to help organisations disclose documents securely following the MoD Afghan security breach.
The Information Security Review looked at a series of data breaches in the public sector in 2023 and across the previous five years – at organisations including the Department for Work and Pensions, HM Revenue and Customs and the MoD – and found that they had three themes in common:
- A lack of sufficient controls over ad-hoc downloads/exports of aggregations of sensitive data from databases.
- The release of sensitive information via ‘wrong recipient’ emails, and the release of membership of sensitive groups through the placing of their addresses in visible fields.
- The presence of hidden personal data within spreadsheets destined for publication or release.
It found that in all the incidents, public servants “were acting in good faith in pursuit of a legitimate business objective”, and suggested a set of short and medium-term interventions “which we could make across the civil service to help reduce the risk of similar incidents occurring”.