ICO Fines Government Department for Data Security Breach
Published: January 23rd, 2024
The Information Commissioner's Office (ICO) recently announced its decision to fine the Ministry of Defence (MoD) for an "egregious breach" of the personal data of 265 potential Afghan evacuees.
Background
In September 2021, shortly after the Taliban took control of Afghanistan, the UK's Afghan Relocations and Assistance Policy (ARAP) team sent an email to a distribution list comprising Afghan nationals eligible for evacuation. ARAP was responsible for assisting the relocation of Afghan citizens who had worked for, or with, the UK Government in Afghanistan. Each eligible individual was listed as a recipient in the 'To' field of the email, meaning every recipient could see the email addresses of all the others, and 55 of those people had thumbnail pictures on their email profiles. In addition, two recipients replied to the ARAP email using the 'Reply All' function, and one of those individuals also disclosed their location.
In its statement, the ICO concluded that had this data been disclosed to, and become known by, the Taliban, it could quite conceivably have resulted in a threat to life.
After the breach occurred, the MoD contacted affected individuals, asking them to delete the email, change their email address and inform the ARAP team of their new contact details via a secure form.
The fine and reasons given
The ICO's announcement confirmed that it had fined the MoD £350,000 for breaching the data security principle. This figure was reduced from a starting figure of £1,000,000 to £700,000 to reflect the actions the MoD took in response to the breach, which are considered in more detail below, and to reflect the significant challenge facing the ARAP team at the time. The fine was further reduced in accordance with the ICO's 'public sector approach'.
In support of its rationale, the ICO outlined the legal requirement for data controllers to have in place appropriate technical and organisational measures, in accordance with the data security principle, to avoid disclosing personal information inadvertently or inappropriately. Moreover, the ICO referred to its own 'Email and Security' guidance, which encourages organisations to use bulk email services, mail merge or secure data transfer services when sending large amounts of personal or sensitive data.
From the information provided to the ICO, it was identified that the ARAP team did not implement these measures and instead relied on entering recipients in the 'Blind Carbon Copy' field of the email, a practice the ICO determined "carries a significant risk of human error." Staff were not found to have been given specific guidance about the security risks associated with sending emails in sensitive circumstances.
In commenting on the decision, Information Commissioner John Edwards shared:
"By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm."
Lessons learned
In response to the breach, the MoD conducted an internal investigation, which identified two further data breaches: one on 7 September 2021 involving 13 individual email addresses, and one on 13 September 2021 involving 55 individual email addresses. This brought the number of unique email addresses involved in the data breach to 265.
Following its internal investigation, the MoD updated the ARAP email policies and procedures, including implementing a 'double check' policy that requires a second member of staff to cross-check any email the team proposes to send to multiple external recipients. In acknowledging the ICO's response, a spokesperson for the MoD said:
"We recognise the severity of what has happened. We fully acknowledge today's ruling and apologise to those affected."
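The controls the decision turns on (the ICO guidance to use mail merge rather than rely on the 'Blind Carbon Copy' field, and the MoD's 'double check' policy for emails to multiple external recipients) can be enforced in software before a message ever reaches the mail server. The following pre-send gate is an added example written for this article; it is not code from the ICO, the MoD or the ARAP team. The internal domain, the recipient threshold and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed values for this example; a real deployment would load them from policy config.
INTERNAL_DOMAINS = {"example.gov.uk"}
MAX_EXTERNAL_RECIPIENTS = 1   # "multiple external recipients" means more than one


class PolicyViolation(Exception):
    """Raised when an outgoing message fails the pre-send check."""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    visible_external: tuple   # external addresses that every recipient would be able to see


def _addresses(msg: EmailMessage, header: str) -> list:
    """Parsed, lower-cased addresses from one header (handles 'Name <addr>' and comma lists)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def visible_external_recipients(msg: EmailMessage) -> tuple:
    """External addresses placed in To or Cc. These are disclosed to every recipient,
    and a Reply All from any one of them reaches all the others."""
    return tuple(a for h in ("To", "Cc") for a in _addresses(msg, h) if _is_external(a))


def check_outgoing(msg: EmailMessage, second_checker: str = "") -> Decision:
    """Pre-send gate. More than one external address in To/Cc is refused outright
    (the disclosure pattern in the ARAP case). More than one external Bcc recipient
    is only allowed once a named second member of staff has checked the message,
    because Bcc still leaves the outcome to the sender getting the field right."""
    visible = visible_external_recipients(msg)
    if len(visible) > MAX_EXTERNAL_RECIPIENTS:
        return Decision(False, f"{len(visible)} external addresses visible in To/Cc; send individually instead", visible)
    bcc_external = [a for a in _addresses(msg, "Bcc") if _is_external(a)]
    if len(bcc_external) > MAX_EXTERNAL_RECIPIENTS and not second_checker:
        return Decision(False, f"{len(bcc_external)} external Bcc recipients; second-person check required", visible)
    return Decision(True, "ok", visible)


def build_individual_messages(sender: str, subject: str, body_template: str, recipients: list) -> list:
    """Mail-merge alternative to bulk To/Cc/Bcc: one message per recipient, so no
    recipient can see, or Reply All to, any other. Each entry in `recipients` is a
    dict with at least an 'email' key; other keys fill placeholders in body_template."""
    out = []
    for r in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = r["email"]
        m["Subject"] = subject
        m.set_content(body_template.format(**r))
        out.append(m)
    return out


def send_with_gate(messages: list, transport, second_checker: str = "") -> int:
    """Run every message through check_outgoing before handing it to `transport`
    (any callable that accepts an EmailMessage, e.g. smtplib.SMTP.send_message).
    Returns the number of messages sent; raises PolicyViolation on the first refusal."""
    for m in messages:
        decision = check_outgoing(m, second_checker)
        if not decision.allowed:
            raise PolicyViolation(decision.reason)
        transport(m)
    return len(messages)


if __name__ == "__main__":
    # Constructed sample: the pattern that caused the breach, then the mail-merge replacement.
    bad = EmailMessage()
    bad["From"] = "team@example.gov.uk"
    bad["To"] = "one@mail.example, two@mail.example, three@mail.example"
    print(check_outgoing(bad))
    good = build_individual_messages("team@example.gov.uk", "Update", "Dear {name}, ...",
                                     [{"email": "one@mail.example", "name": "A"}])
    print(send_with_gate(good, lambda m: None), "message(s) passed the gate")
```

The design choice is that the gate never trusts the sender to have chosen the right field: a message that would expose external addresses is refused rather than warned about, the bulk-Bcc path needs a named second checker (the 'double check' policy, recorded so it can be evidenced later), and the supported route for large mailings is to generate one message per recipient so there is nothing to get wrong.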
Whilst the ICO has clearly acknowledged the extremity of the situation the ARAP team faced and has made allowance for the pressures on them, this decision marks one of the ICO's most severe sanctions in recent months.
This decision further highlights the ICO's commitment to holding public bodies to account for inadequate policies and procedures. The recommendations referred to within the ICO's published decision apply not only to the MoD but to all organisations handling large amounts of personal and more sensitive data, particularly those in the public sector. Organisations that regularly communicate with vulnerable and young people, such as social housing providers, should exercise due care and attention in developing policies and procedures for staff to implement, taking into account both their legal obligations and regulatory guidance.
Conclusion
This decision also serves as a stark reminder of the ICO's wide fining powers and its mandate to sanction, and make examples of, organisations that do not comply with data protection legislation and its own guidance. Public sector organisations are continually being held to account for poor data protection practices, as those practices directly conflict with their role in maintaining public trust and confidence.
A key learning point from this decision is that all organisations, but particularly public sector bodies, must demonstrate their compliance with the data security principle via clearly documented, robust policies and procedures, which should take into account legal obligation, as well as any specific guidance issued by the ICO. Moreover, organisations must continue to train and advise staff in relation to the risks associated with data security breaches. In doing so, organisations provide themselves with added safeguards to avoid and minimise incidents and account to the ICO for their actions, where incidents do occur.
For further information please contact Laura Rae