Dozens more Afghan relocation data breaches uncovered by BBC

Seven of the 49 data breaches were sufficiently serious to require MoD officials to notify data watchdog the Information Commissioner’s Office (ICO).

This includes three breaches – one in 2021, and two in 2022 – that have not been made public before.

The ICO said it was limited in the amount of information it still held on those breaches and why it didn’t take further action but that its work with the MoD was “ongoing”.

“We continue to engage with the MoD, so we can be assured that they have made the required improvements,” a spokeswoman said.

The watchdog has not taken any action against the MoD over the large spreadsheet data breach which was previously subject to court-imposed reporting restrictions, arguing “there was little we could add in this case that would justify the further allocation of resource away from other priorities”.

Jon Baines said there were “serious questions firstly as to whether the ICO should have conducted more in-depth investigations previously, and secondly, whether there is now an urgent need for more investigation.

“What assurance can we all have now that the MoD are properly protecting the highly sensitive personal data it is often entrusted with?”, he added.

A Labour government source blamed previous Conservative administrations for inadequate data protection measures and said new software has been introduced and other changes made since Labour came to power last year.

“Current ministers repeatedly highlighted the Tory mismanagement of data around the ARAP scheme while in opposition,” the source said.

“Since last July, we’ve brought in a host of new measures to improve data security and we’ve made public the largest Afghan data breach which occurred under the previous government, to allow for parliamentary scrutiny and accountability.”

A Conservative Party spokesman said: “This data leak should never have happened and was an unacceptable breach of data protection protocols.

The secretary of state for defence has issued an apology on behalf of the government, and Conservatives joined in that apology.

“When this breach came to light, the immediate priority of the then-government was to protect persons in the dataset.”

An MoD spokesperson said: “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.

“All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner’s Office, and any lesser incidents are examined internally to ensure lessons are learned.”

If you have any information on stories you would like to share with the BBC Politics Investigations team, please get in touch at politicsinvestigations@bbc.co.uk