News link - https://www.bbc.co.uk/news/articles/cj4ek9njknvo
In February 2022, a British official mistakenly leaked a spreadsheet containing the personal data of 19,000 Afghans. These individuals had worked with the British during the 20-year war in Afghanistan and had applied for relocation to the UK under the Afghan Relocations and Assistance Policy.
The breach occurred at the UK Special Forces headquarters in London. An official, who intended to send the data of 150 specific individuals to a third party for a legitimate operational reason, accidentally emailed a spreadsheet containing over 30,000 resettlement applications.
According to the Secretary of State for Defence, the leaked spreadsheet included names, contact details, and in some cases, information about applicants’ family members. He also confirmed that, in a small number of cases, the names of Members of Parliament, senior military officers and government officials who endorsed Afghan applications were leaked.
The former Conservative government became aware of the breach in August 2023, over a year after the initial incident, when an individual posted nine names from the spreadsheet on Facebook.
In September 2023, the current Ministry of Defence applied to the court for an injunction to prevent further dissemination of the leaked data. The court subsequently issued a super-injunction, citing the significant risk to the lives of thousands of individuals if the information were to fall into the hands of the Taliban. A super-injunction is a special injunction that not only prohibits the disclosure of the sensitive information itself but also prohibits any mention of the existence of the order. The super-injunction was extended twice due to the ongoing threat.
The super-injunction was lifted in May 2024. This month, with the final lapse of the super-injunction, the details of the data breach have become public.
In April 2024, the UK Government introduced a new resettlement scheme specifically for those named in the leaked spreadsheet.
The Information Commissioner’s Office (ICO) confirmed that it had applied significant resources to investigating the incident. Since being notified in 2023, the ICO has worked closely with the Ministry of Defence, operating within the constraints of highly classified information and the strict terms of the super-injunction. Its focus was to ensure that the causes of the breach were identified and addressed, that lessons were learned, and that every possible measure was taken to mitigate the impact on affected individuals. The ICO ultimately concluded that, in light of the substantial costs already borne by the public purse, issuing a fine would not be appropriate in this case.
Parliament’s Intelligence and Security Committee, which monitors UK intelligence agencies, has also since committed to scrutinising the affair, following an inquiry launched by the Commons Defence Select Committee.
While the Taliban has issued a statement claiming that it has not arrested or monitored any of the affected Afghans, many individuals named in the spreadsheet continue to express grave concerns for the safety of their families still residing in Afghanistan.
This breach underscores the catastrophic consequences of failing to assess risk and implement robust safeguards when handling personal data, particularly data of a highly sensitive nature.
If you are unsure whether your data protection practices meet your obligations under the UK data protection regime, especially when dealing with sensitive or high-risk information, please contact Samantha McManus in our Data Protection and Privacy team on +44 (0)204 600 9907 or email info@culbertellis.com.