The Afghan data breach that exposed the details of more than 18,000 people was a “wake-up call” for the way government handles data, a security minister has told MPs.
Dan Jarvis, who oversees hostile threats to the UK as well as cybersecurity and crime in his job as security minister, said on Tuesday that there had been “significant change” across government to make sure civil servants know how to handle personal data well and know who is responsible for oversight.
The Afghan leak, which potentially put up to 100,000 lives at risk from reprisals by the Taliban, was discovered in August 2023 and led to thousands of Afghans being secretly relocated to the UK. The breach came about when a Ministry of Defence (MoD) official emailed a spreadsheet with 33,000 rows of personal contact information to someone outside government.
The leak was hidden from the public and MPs through the use of a superinjunction and was only revealed after The Independent and other media organisations successfully fought to lift it.
Mr Jarvis told the science and technology committee on Tuesday: “I think it is right to say that the Afghan data incident was a big wake-up call and, as a consequence, we’ve seen quite significant cultural process change. But as ministers, we think it’s important to provide the leadership [on good data practice].”
The UK’s data regulator, the Information Commissioner’s Office (ICO), which was responsible for probing the MoD’s response to the leak, chose not to launch a formal investigation into what had gone wrong, a decision that was met with criticism after the breach came to light. The ICO was one of the few official bodies that knew about the leak, while the public and MPs were kept in the dark for nearly two years.
Following this breach, and another Afghan data incident involving mistakenly shared emails, the ICO signed a Memorandum of Understanding (MOU) with the government this January in an effort to scrutinise data handling.
It commits the government to greater transparency, with the regulator promising to “hold government to account” if mistakes happen again.
An assurance statement will also be published each year to show how the public’s data is being kept safe and the government will involve the ICO earlier in projects, such as digital ID, which involve new technologies and use of personal data.
A government chief data officer has also been put in place to be in charge of data practice across different departments.
Vincent Devine, the government’s chief security officer, said the MOU committed the “government to a really radically different approach” to the regulator. He said that working more closely with the ICO would lead to a “more trusting relationship” where government “share information more broadly”.
MPs previously heard how officers at the ICO took no contemporaneous notes of their decision not to launch an official investigation into the Afghan data breach, claiming they were unable to record anything due to the classification of the secret information.
Ian Murray MP, minister at the department for science and technology, said the breaches were “incredibly serious, but given that government shares and uses data billions of times a week, government data on the whole is very secure.”
He added: “These incidents, while very serious, are within the government context of data very rare. They’ve set in motion a whole series of events including the MOU, including the review”.
However he caveated his comments, saying: “It would be wrong to suggest that all data is going to be 100 per cent secure forever because human error is very difficult to take out of the system”.
