ICO fines Ministry of Defence for Afghan evacuation data breach

The Ministry of Defence (MoD) is facing a £350,000 fine for disclosing the personal information of people seeking relocation to the UK after the Taliban took control of Afghanistan in 2021.

The Information Commissioner’s Office (ICO), which issued the fine, said that on 20 September 2021 the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed.

The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The ICO warned that if the data had fallen into the hands of the Taliban, the breach could have resulted in a threat to life.

Under UK data protection law, organisations must have appropriate technical and organisational measures in place to avoid disclosing people’s information inappropriately.

The ICO says its guidance makes it clear that organisations should use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically.

The team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP), which sent the email, did not have these measures in place at the time of the incident and was relying on ‘blind carbon copy’ (BCC), which carries a "significant risk of human error".

"This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today," said John Edwards, UK information commissioner. "While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people's information who were vulnerable to reprisal and at risk of serious harm.

"When the level of risk and harm to people heightens, so must the response."

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form.

The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes. This included implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients.

"The Ministry of Defence takes its data protection obligations incredibly seriously," said a Ministry of Defence spokesperson. "We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today's ruling and apologise to those affected.

“We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course.”

The fine issued by the ICO was reduced from a starting amount of £1,000,000 to £700,000 to reflect the action the MoD took following the incidents and recognising the significant challenges the ARAP team faced. Under the ICO's public sector approach, the fine was further reduced to £350,000.


