Explaining our approach to the MoD data breach
- Date 17 July 2025
- Type Blog
The ICO makes thousands of decisions every year about how to allocate our resources to get the greatest impact across the economy. Some of these involve complicated trade-offs. Some observers criticise those decisions. Some would make other decisions.
It is important that we can explain, and be accountable for, those decisions. In the last two days there has been some commentary around our response to the Ministry of Defence breach involving the accidental disclosure of personal details of thousands of Afghans who worked with British forces during the UK’s presence in Afghanistan.
Over the last two years, we have applied considerable resource to understand what has occurred, how it happened and what the Ministry of Defence was doing to ensure it would not happen again.
First, we recognise the seriousness of that breach, and the great stress and anxiety it caused those individuals. It is impossible to imagine the impact on people whose lives have been put at risk. As we said in our statement, “it is unacceptable and should never happen again – the stakes are simply too high”.
In deciding whether to take further action, we take that impact into account.
We also think about whether the issues are ongoing, and if the organisation responsible has adequately identified the cause of the breach and has sufficiently learned the lessons. We consider whether there is value to other organisations in identifying and publicising those factors to make sure others learn the lessons too. And we ask an overarching question: “What extra can the ICO - and only the ICO - add by investigating this matter?” That question carries with it an implicit assessment of the opportunity cost of an investigation. “If we allocate our investigative resources to this matter, what can we then not do?”
In this case, the root cause was the emailing of a spreadsheet containing hidden data that was not evident to the individual sending it. We understand that person thought they were sending a limited data set to an external party for a legitimate operational reason under the pressures of a military operation. Unfortunately, a much greater data set was inadvertently shared, a section of which eventually ended up online.
Inadvertently sharing data in this way is not a new or novel issue. But it is one that organisations must guard against because the consequences, as in this case, can be severe. For many years, the ICO has identified and communicated the risks associated with storing and transmitting data in spreadsheets through guidance, commentary, advice, and in enforcement decisions. Just last year we fined the Police Service of Northern Ireland £750,000 for sending a spreadsheet to a public-facing website in response to a Freedom of Information Act request.
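The failure mode described above is that a workbook carries more than the sender can see on screen. One practical guard is a pre-send check that opens the .xlsx package (a zip of XML parts) and reports hidden sheets, hidden rows and hidden columns before the file leaves the organisation. The script below is an added example written for this page; it is not ICO or MoD tooling, uses only the Python standard library, and the sample workbook it scans is constructed in memory (sheet names, cell values and part layout are all assumed for illustration).

```python
"""Pre-send check for hidden content in an .xlsx workbook (added example).

An .xlsx file is a zip of XML parts. Sheet visibility lives in
xl/workbook.xml (state="hidden" or "veryHidden"); hidden rows and
columns live in each worksheet part (row/col elements with hidden="1").
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def _is_true(value):
    """OOXML booleans may be written as 1/0 or true/false."""
    return value is not None and value.lower() in ("1", "true")


def _part_path(target):
    """Relationship targets are relative to xl/ unless they start with '/'."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def find_hidden_content(xlsx_bytes):
    """Return (sheet_name, finding) tuples for hidden sheets, rows and columns."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        # Map relationship id -> worksheet part inside the package.
        targets = {
            rel.get("Id"): _part_path(rel.get("Target"))
            for rel in rels.findall(f"{{{NS_PKG}}}Relationship")
        }
        for sheet in workbook.find(f"{{{NS_MAIN}}}sheets"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")
            ws = ET.fromstring(zf.read(targets[sheet.get(f"{{{NS_REL}}}id")]))
            cells = len(ws.findall(f".//{{{NS_MAIN}}}c"))
            if state in ("hidden", "veryHidden"):
                findings.append((name, f"sheet is {state} ({cells} cells)"))
            for col in ws.iter(f"{{{NS_MAIN}}}col"):
                if _is_true(col.get("hidden")):
                    findings.append((name, f"hidden columns {col.get('min')}-{col.get('max')}"))
            for row in ws.iter(f"{{{NS_MAIN}}}row"):
                if _is_true(row.get("hidden")):
                    findings.append((name, f"hidden row {row.get('r')}"))
    return findings


def build_sample_workbook():
    """Constructed sample: a visible 'Summary' sheet with one hidden column and
    one hidden row, plus a veryHidden 'Full list' sheet. Only the parts the
    scanner reads are written, so this is not a complete Excel-openable file."""
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Full list" sheetId="2" state="veryHidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{NS_REL}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    summary = (f'<worksheet xmlns="{NS_MAIN}">'
               '<cols><col min="3" max="3" width="0" hidden="1"/></cols><sheetData>'
               '<row r="1"><c r="A1" t="inlineStr"><is><t>Ref</t></is></c>'
               '<c r="C1" t="inlineStr"><is><t>Name</t></is></c></row>'
               '<row r="2" hidden="1"><c r="A2"><v>1</v></c></row>'
               '</sheetData></worksheet>')
    full = (f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
            '<row r="1"><c r="A1"><v>1</v></c><c r="B1"><v>2</v></c></row>'
            '<row r="2"><c r="A2"><v>3</v></c><c r="B2"><v>4</v></c></row>'
            '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        zf.writestr("xl/worksheets/sheet2.xml", full)
    return buf.getvalue()


if __name__ == "__main__":
    for sheet_name, finding in find_hidden_content(build_sample_workbook()):
        print(f"{sheet_name}: {finding}")
```

A check like this only covers the three hiding mechanisms it looks for; pivot caches, defined names, white-on-white text and cells scrolled out of view are not examined, so the stronger control remains exporting only the columns actually needed into a fresh file rather than sending the working workbook.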
We have also already taken action against the MoD for its poor handling of sensitive information in relation to the evacuation from Afghanistan. In 2023 we fined the MoD £350,000 for a 2021 email also related to the Afghan Relocations and Assistance Policy (ARAP) programme, in which hundreds of Afghans eligible for evacuation were identified to each other by the sender using the “cc”, rather than the “bcc” field.
Since we were notified of the spreadsheet breach in 2023, we have worked closely with the MoD, under the constraints of highly classified information and a very strict court injunction (popularly described as a super-injunction). We ensured that the causes of the breach were identified and rectified, that lessons were learned, and that everything possible was done to mitigate the effects on the affected individuals.
The mitigations have come at significant cost to the public purse, and the MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate the risk of such an incident occurring in future.
This is the context in which we made a judgement call about whether further action was warranted at this time in this case. In determining how to proceed, we have taken into account:
- The risk of harm to the thousands of Afghans whose information was unacceptably leaked and the terrible impact on their lives. This is the type of harm we consider to be egregious when determining whether to impose a fine.
- The circumstances in which the breach occurred, namely the urgency of the situation in which the MoD found itself and the fact that sharing the intended list of names was in itself necessary to protect lives.
- The fact that we have already identified and punished failings by the MoD in relation to the way it handled information under ARAP. The spreadsheet breach took place before we imposed that fine and we are confident the MoD has learned lessons about the vital importance of data handling from its past mistakes.
- The fact that we have recently identified and punished failings in relation to the storage and transmission of hidden personal information in spreadsheets in relation to PSNI – and have shared guidance widely about the importance of handling spreadsheets with care. We will be publishing further guidance on this issue in the coming weeks. While this case serves as a valuable reminder of the consequences of such storage and transmission, the learnings are the same.
- The fact that the MoD has responded to this issue in a timely and comprehensive way and has expended vast public resources to do so, putting in place measures to stop this happening again, tracking the information that was leaked online, and taking steps to protect the people put at risk. The costs to the public have already been substantial.
- Much of the information relating to the operation, and the breach, relates to national security and defence and remains classified, which creates an extra logistical hurdle for us and requires the diversion of a limited number of staff with the appropriate clearances from other important work. This is why we worked closely with the MoD during its own investigation to assure ourselves that it was taking the necessary steps to address the issues and minimise the risks of it happening again.
Having considered those matters in the round, we then asked the overarching question of “what can we add to this” in circumstances when there is already a high degree of public scrutiny on what the MoD got wrong in its handling of personal information in this case.
We determined that there was little we could add in this case that would justify the further allocation of resource away from other priorities. In making that call, we have not lost sight of the fact that the MoD undoubtedly got things wrong, and the consequences have been serious. Organisations must do better to ensure mistakes like this don’t happen and understand the serious implications for people’s lives if they get it wrong.
We recognise that there are issues of public confidence and accountability, and that we possess specific skills which other accountability bodies might wish to call on in order to gain the reassurance of a formal investigation. We remain willing to have those conversations with relevant stakeholders.