Afghan data breach was ‘wake-up call’ for government’s data security

The Afghan data breach that exposed details of more than 18,000 people was a “wake-up call” for the way the government handles data, a security minister has told MPs.
Dan Jarvis, who in his role as security minister oversees cybersecurity and crime as well as hostile threats to the UK, said on Tuesday there was a “significant shift” across government to ensure civil servants know how to use personal data well and who is responsible for surveillance.
The Afghan data breach, which could potentially put up to 100,000 lives at risk due to Taliban reprisals, was discovered in August 2023 and led to thousands of Afghans being secretly moved to the UK. The breach came to light when a Ministry of Defence (MoD) official emailed a spreadsheet containing 33,000 lines of personal contact information to someone outside the government.
The leak was hidden from the public and lawmakers through an injunction and was only revealed later. The Independent and other media organizations successfully fought to have the injunction lifted.
Mr Jarvis told the science and technology committee on Tuesday: “I think it’s fair to say that the Afghan data incident has been a huge wake-up call and we’ve seen quite a significant cultural process change as a result. But as ministers we think it’s important to provide leadership [on good data practice].”
The UK’s data regulator, the Information Commissioner’s Office (ICO), which was responsible for investigating the Ministry of Defence’s response to the leak, chose not to launch a formal investigation into what went wrong. This decision was met with criticism after the breach was revealed. The ICO was one of the few official bodies aware of the leak. The public and MPs were kept in the dark for nearly two years.
Following this breach and another Afghan data incident where emails were accidentally shared, the ICO signed a Memorandum of Understanding (MoU) with the government this January to examine data processing.
The government is being promised greater transparency, with the regulator promising to “hold the government accountable” if mistakes happen again.
An assurance statement will be published every year to show how public data is kept secure, and the government will involve the ICO earlier in projects involving new technologies such as digital identity and the use of personal data.
A government data officer has also been appointed to be responsible for data practices across different departments.
The government’s chief security officer, Vincent Devine, said the MoU committed the government to “really a radically different approach” to the regulator. He said working more closely with the ICO would lead to a “more trusting relationship” where the government “shares information more widely”.
MPs have previously heard that officers at the ICO failed to take contemporaneous notes on their decision not to launch a formal investigation into the Afghan data breach, claiming they were unable to record anything due to the classification of the information.
Department of Science and Technology MP Ian Murray said the breaches were “incredibly serious, but overall government data is very secure, given the government shares and uses data billions of times a week.”
He added: “While these incidents are very serious, they are very rare in the context of government data. They have prompted a series of events, including the Memorandum of Understanding, including the review.”
But he qualified his comments: “It would be wrong to suggest that all data will be 100 percent safe forever because it is very difficult to remove human error from the system.”




