Afghan national’s lawyer welcomes Ministry of Defence fine for “particularly egregious” data breach of Afghan nationals’ personal data

In a series of data breaches on 7th, 13th and 20th September 2021, the team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP) at Ministry of Defence sent emails to distribution lists of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 265 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The ICO reduced a proposed fine of £1,000,000 to £700,000 to reflect the action the Ministry of Defence took following the incidents and recognising the significant challenges the ARAP team had faced. The proposed fine was then further reduced from £700,000 to £350,000 to reflect the ICO’s current approach of issuing lower fines to public sector organisations.

The ICO confirmed that, under data protection law, organisations must have appropriate technical and organisational measures in place to avoid disclosing people’s information inappropriately and that organisations should use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically rather than, as in this case, ARAP relying on ‘blind carbon copy’ (BCC), which carries a significant risk of human error.

In response, the Ministry of Defence stated that they fully acknowledged the ICO’s ruling and apologised to those affected. The Ministry of Defence also confirmed that, following the data breach incidents, they had updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients.

Leigh Day is currently pursuing a claim for compensation by a client, an Afghan national who had previously assisted UK forces, whose personal details were affected by one of the data breaches. He and his family have now relocated to the UK. However, he remained in Afghanistan between September 2021, the time of the data breach, until February 2022, when he and his family managed to travel to Pakistan. During this time, he was extremely scared for his and his family’s safety and was aware that the Taliban were searching for him. We are currently awaiting a response to a detailed letter of claim first sent to the Ministry of Defence in March 2023.

Sean Humber, a specialist data breach lawyer at Leigh Day said:

“We welcome the ICO’s findings regarding the Ministry of Defence’s failure to keep Afghan nationals’ personal data safe. The data breaches put the lives of those affected and their families at risk and made what was already a very difficult situation for them in Afghanistan even worse. The MOD must now compensate those affected for the very considerable anxiety and distress that the data breach caused without further delay.”

Anybody affected by these data breaches who wishes to discuss the matter on a confidential basis, without obligation, contact Sean Humber on 00 44 20 7650 1200 or by email at shumber@leighday.co.uk.