MoD fined £350k over data breach that endangered lives of Afghan interpreters - PublicTechnology

The Ministry of Defence has been fined £350,000 over a data breach that divulged the identities of hundreds of Afghan nationals who worked for the UK government in Afghanistan.

According to data watchdog the Information Commissioner's Office, the incident allowed 245 recipients of an email about the evacuation of eligible people to see who else the communication had been sent to, and even gave thumbnail images of 55 recipients.

The email was sent by the team responsible for the UK's Afghan Relocations and Assistance Policy on 20 September 2021, weeks after the UK and United States had left Kabul and the Taliban had regained control of Afghanistan. At the time, the individuals involved were understood to be interpreters.

The ICO said the data exposed by the MoD could have resulted in a threat to life if it had fallen into the hands of the Taliban. Its investigation found that the MoD had infringed the UK General Data Protection Regulation in August and September 2021 by failing to have appropriate technical and organisational measures in place.

It said the MoD did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation, and that staff joining the ARAP team were not given specific guidance about the security risks.

An internal MoD investigation found that similar data breaches, in which group emails were sent that included individuals' addresses in the To field rather than the BCC field, had taken place on two other occasions in September 2021. It said the MoD had wrongly exposed a total of 265 email addresses across all three incidents.

ICO guidance urges organisations to use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically. The ARAP team had been relying on the use of the blind carbon copy field for security, which the ICO said carries a significant risk of human error.

Information commissioner John Edwards said applying the highest standards of data protection was not an optional extra and the consequences of data breaches could be life-threatening.

"This deeply regrettable data breach let down those to whom our country owes so much," he said. "This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.

"While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people's information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response."

Edwards said he welcomed remedial steps taken by the MoD, which included contacting people affected and asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form.

The MoD also updated ARAP's email policies and processes and implemented a "second pair of eyes" policy for team members sending emails to multiple recipients.

An MoD spokesperson said the department took its data-protection obligations incredibly seriously.

"We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened," the spokesperson said. "We fully acknowledge today's ruling and apologise to those affected. We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course."

The ICO said the MoD's fine had been reduced from a starting amount of £1m in recognition of the actions the department had taken after details of the breach emerged and the significant challenges the ARAP team faced. The fine was also discounted in line with the watchdog's approach towards financially penalising public-sector organisations.

The penalty is the first time in more than 18 months that the ICO has imposed a fine of any size on a public body. In June 2022, commissioner John Edwards announced that the regulator would be undertaking a two-year trial of a revised approach to the public sector that would focus on raising standards and generally opt against using financial penalties.

But in a recent interview with PublicTechnology, deputy commissioner Stephen Bonner said that the watchdog was still willing to fine government entities if the breach was particularly egregious, including those that may have created a risk to life.
