The Secretary of State for Defence announced in Parliament, on 16 July, that in February 2022, a “significant data protection breach” relating to the Afghan Relocations and Assistance Policy (ARAP) had resulted in the information of 18,714 applicants - and in some cases their family members - to the ARAP and associated schemes, being mistakenly sent to multiple recipients. Some of the information ultimately ended up on Facebook. It presented such a serious threat that the Government was compelled to apply for what became a super-injunction.
ARAP is the scheme for the resettlement of certain Afghan citizens who worked for, or with, UK Armed Forces during the years of combat operations in Afghanistan. It is evident that information about those who might apply or qualify is of the utmost sensitivity, and that if it fell into the wrong hands it could result in a risk to life. This is why, as a result of the data breach, the UK has had to commit, at enormous cost (as the Secretary of State explained), to a specific settlement scheme designed for people not eligible for ARAP but judged to be at the highest risk of reprisals by the Taliban.
The Secretary of State also told Parliament that the incident occurred when a defence official emailed an ARAP case working file outside of authorised government systems, believing it to contain the details of only 150 applicants. Instead, it contained all 18,714.
The risk of disclosing “hidden” data in spreadsheets is something that has been known about for many years. As far back as 2013 the author wrote about it for the Guardian. However, the fact that it continues to happen suggests that it is not sufficiently widely known, and that many who use spreadsheets and share data do not have the appropriate policies and controls in place to prevent such incidents. In 2024 the Information Commissioner fined the Police Service of Northern Ireland for a worryingly similar infringement.
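One control of the kind referred to above is a pre-sharing check that flags hidden sheets, rows and columns before a spreadsheet leaves a system. The script below is an added example, not code from the article or from any government department; it assumes the file is an .xlsx (a zip of XML parts) and uses only the Python standard library, and the sample workbook it scans is constructed inline.

```python
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the SpreadsheetML parts stored inside an .xlsx zip container
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
TRUE = ("1", "true")  # OOXML boolean attributes may be written either way

def hidden_sheets(workbook_xml):
    """Names of sheets marked hidden or veryHidden in xl/workbook.xml."""
    root = ET.fromstring(workbook_xml)
    return [s.get("name") for s in root.iterfind("m:sheets/m:sheet", NS)
            if s.get("state") in ("hidden", "veryHidden")]

def hidden_rows_cols(sheet_xml):
    """(hidden row numbers, hidden (min, max) column ranges) for one worksheet part."""
    root = ET.fromstring(sheet_xml)
    rows = [int(r.get("r")) for r in root.iterfind("m:sheetData/m:row", NS)
            if r.get("hidden") in TRUE]
    cols = [(int(c.get("min")), int(c.get("max")))
            for c in root.iterfind("m:cols/m:col", NS) if c.get("hidden") in TRUE]
    return rows, cols

def scan_parts(parts):
    """parts: {zip member name: XML text}. Returns human-readable findings (empty = clean)."""
    findings = []
    for name in hidden_sheets(parts["xl/workbook.xml"]):
        findings.append(f"hidden sheet: {name}")
    for member, xml in parts.items():
        if member.startswith("xl/worksheets/sheet") and member.endswith(".xml"):
            rows, cols = hidden_rows_cols(xml)
            if rows:
                findings.append(f"{member}: {len(rows)} hidden rows")
            if cols:
                findings.append(f"{member}: hidden columns {cols}")
    return findings

def scan_xlsx(path):
    """Scan a real .xlsx on disk; only the workbook and worksheet parts are read."""
    with zipfile.ZipFile(path) as zf:
        parts = {n: zf.read(n).decode("utf-8") for n in zf.namelist()
                 if n == "xl/workbook.xml" or n.startswith("xl/worksheets/")}
    return scan_parts(parts)

# Constructed sample (hypothetical data): a visible "Summary" sheet with a hidden
# column range and two hidden rows, plus a second sheet set to veryHidden.
SAMPLE = {
    "xl/workbook.xml": '<workbook xmlns="%s"><sheets><sheet name="Summary" sheetId="1"/>'
        '<sheet name="AllApplicants" sheetId="2" state="veryHidden"/></sheets></workbook>' % NS["m"],
    "xl/worksheets/sheet1.xml": '<worksheet xmlns="%s"><cols><col min="3" max="5" hidden="1"/></cols>'
        '<sheetData><row r="1"><c r="A1"><v>1</v></c></row><row r="2" hidden="1"/>'
        '<row r="3" hidden="true"/></sheetData></worksheet>' % NS["m"],
}
```

Running `scan_parts(SAMPLE)` reports the veryHidden sheet, the two hidden rows and the hidden column range; a sharing workflow would block the send until the findings list is empty.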
The Commissioner is tasked with regulating and enforcing data protection law and has powers to serve fines (to a maximum of £17.5 million, or 4% of global annual turnover, whichever is higher). In a parallel statement on 15 July, a Deputy Commissioner explained that the incident involved “hidden data in a spreadsheet”, and that it was “unacceptable”. However, the Commissioner was “satisfied that no further regulatory action is required at this time in this case”.
The Commissioner operates what it calls a “public sector approach” under which he will generally only fine a public authority if an infringement is “egregious”. In documents published earlier this year, on proposals to extend the public sector approach, the Commissioner's office explained that the non-exhaustive list of what might qualify as “egregious” included:
- Actual or potential harm to people: this could be physical or bodily harm. For example, evidence of:
  - a high risk of actual or potential harm to affected people or their family members, including a threat to life following a data breach;
- where there is evidence of a high degree of negligence; and
- relevant previous infringements, or recent infringements, by the controller.
Given that this recent incident put tens of thousands of lives at risk, was (as the Secretary of State told Parliament) a “serious departmental error” and a “clear breach of strict data protection protocols”, and happened around the same time that the Commissioner was fining the Ministry of Defence for another very serious data breach involving high risk to Afghan citizens, it is very difficult to understand how it did not meet the threshold for regulatory action.
But if, for whatever reason, a fine was not felt appropriate, it is also worth noting that the Commissioner has various other powers available, including the power, under section 139(3) of the Data Protection Act 2018, to lay a report before Parliament on any matter relating to the carrying out of his functions.
This data protection issue of hidden data in spreadsheets, which has twice in recent years exposed many thousands of people to the risk of loss of life, is surely something that the ICO should consider worthy of drawing to Parliament’s attention by way of a statutory report.