Afghan national’s lawyer condemns unacceptable delay by Ministry of Defence in reporting breach of Afghan nationals’ personal data to Information Commissioner’s Office

The Notice from the ICO, the independent body responsible for upholding information rights and data privacy, identified a failure to report the first breach until after they were contacted by this firm.

In data breaches on 7, 13 and 20 September 2021, the team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP) at Ministry of Defence sent emails to Afghan nationals eligible for evacuation using the ‘To’ field rather than the ‘Blind copy (BCC)’ field, with personal information relating to 265 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

Leigh Day is currently pursuing a claim for compensation by a client, an Afghan national who had previously assisted UK forces, whose personal details were affected by one of the data breaches. He and his family have now relocated to the UK.

However, he remained in Afghanistan from September 2021, the time of the data breach, until February 2022, when he and his family managed to travel to Pakistan. During this time, he was extremely scared for his and his family’s safety and was aware that the Taliban were searching for him. We are currently awaiting a response to a detailed letter of claim first sent to the Ministry of Defence in March 2023.

On 13 December 2023, the ICO fined the MOD £350,000 saying that “this deeply regrettable data breach let down those to whom our country owes so much.  This was a particularly egregious data breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today".

The ICO reduced a proposed fine of £1,000,000 to £700,000 to reflect the action the MOD took following the incidents and recognising the significant challenges the ARAP team had faced. The proposed fine was then further reduced from £700,000 to £350,000 to reflect the ICO’s current approach of issuing lower fines to public sector organisations.

The ICO has today published the 73-page Penalty Notice setting out its investigations and findings in more detail, and the basis for imposing the large fine. In finding the MOD’s actions negligent and in breach of the UK General Data Protection Regulation, the ICO’s Penalty Notice states “the infringement involved serious deficiencies in the technical and organisational measures used by the MOD’s Afghan Relocations and Assistance Policy (ARAP) team in processing the personal data of individuals seeking relocation from Afghanistan. The failure left the security of personal data processed by the ARAP team at significant risk, in particular by way of human error”.

The Penalty Notice also states that “the Commissioner considers that poor security measures leading to the disclosure of sensitive information about those seeking evacuation from Afghanistan could also, and indeed did in practice, put lives at risk”, and “the data subjects involved were 'in a vulnerable situation in Afghanistan' and 'were at extreme risk of reprisal from the Taliban' because of their affiliation with British Armed Forces or the UK Government within the contact of the conflict in Afghanistan”.

The UK GDPR places a duty on all organisations to report serious personal data breaches to the ICO within 72 hours of becoming aware of the breach.

Despite this, the Penalty Notice also details that the first data breach of 7 September 2021 was only reported to the ICO on 19 October 2021 after the MOD were contacted by this firm.  Specifically, the Notice stated “The MOD informed the Commissioner that the 7 September Incident had been detected locally (within the ARAP team) on 21 September 2021, but was not reported to the MOD’s Data Protection Officer ('DPO') at that time. The MOD discovered the 7 September Incident on 14 October 2021, when the MOD was contacted by a lawyer representing one of the affected individuals, and the MOD reported the breach to the Commissioner on 19 October 2021”.

The ICO also stated “if the MOD had had appropriate technical and organisational measures in place then it may have identified the 7 September Incident, which involved the disclosure of personal data to fewer recipients than either the 13 September Incident or the 20 September Incident, and would have been able to implement steps to avoid the same thing happening twice more in September 2021”.

Sean Humber, a specialist data breach lawyer at Leigh Day commented:

“The ICO’s report graphically sets out the seriousness of the data breaches, including the risks posed by the Taliban to the lives of those whose personal details had been disclosed.

“In this context it is extremely worrying to now discover that the first of the data breaches, which occurred on 7 September 2021, was only reported to the ICO on 19 October 2021 and, not within the 72 hours required from when it was discovered on 21 September 2021, and then only reported after we had contacted the MOD to bring the data breach of our client’s personal data to its attention. If we had not contacted the MOD in relation to this data breach, one can only speculate as to whether it would have been reported at all.

“Sadly, as the ICO make clear, if the MOD had identified and dealt with the first data breach more appropriately, this may well have prevented the unnecessary further disclosures of the personal data of hundreds of Afghan nationals in later data breaches.”

Anybody affected by these data breaches who wishes to discuss the matter on a confidential basis, without obligation, contact Sean Humber on 00 44 20 7650 1200 or by email at shumber@leighday.co.uk.