The Information Commissioner's Office (ICO) recently fined the Ministry of Defence (MoD) £350,000 for disclosing the personal information of over 200 Afghan nationals who were eligible for evacuation from Afghanistan and seeking relocation to the UK. The incident occurred in September 2021, when the MoD mistakenly used the 'To' field in an email rather than putting recipients on blind copy, inadvertently disclosing the email addresses of all 245 recipients.
Among the recipients, 55 had visible thumbnail pictures on their email profiles, two individuals 'replied to all', potentially without realising it, and one person inadvertently disclosed their location. The breach compromised the identity and safety of the affected individuals, who were already in a vulnerable situation, putting them at risk of serious harm had the information fallen into the hands of the Taliban. The Information Commissioner, John Edwards, said the error 'let down those to whom our country owes so much'.
In response to the breach, the MoD conducted an internal investigation, made a statement in Parliament, and updated its email policies and processes, including introducing a policy under which an email initiated by one staff member is cross-checked by another, to prevent such errors in the future.
This breach is an extreme example of the significant risks that arise when basic data protection fails because of human error. Indeed, over the past three years (2021 to 2023), the ICO's Data Security Incident Trends report found that incorrectly addressed emails were the most frequently reported type of incident. Failure to use blind copy when appropriate, as in this MoD case, is also an ongoing issue.
Organisations can prevent these basic personal data breaches by implementing proper policies and processes, particularly for bulk emails, and by encouraging staff to follow good email practice. Those handling sensitive personal data should prioritise putting these foundational data security practices in place.
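As an added illustration (not the MoD's process, and not taken from the ICO report), the Python check below is one way to enforce a blind-copy rule mechanically rather than relying on the sender alone: it counts the addresses every recipient would see in the To and Cc headers, blocks the message when an assumed threshold of external addresses is exceeded, and produces a corrected copy with those recipients moved to Bcc. The internal domain, the limit and the sample addresses are constructed for the example.

```python
"""Pre-send guard for bulk email (constructed example, not any organisation's tooling)."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy values: more external addresses than this in To/Cc is treated as bulk mail.
VISIBLE_RECIPIENT_LIMIT = 5
INTERNAL_DOMAINS = {"example.gov.uk"}  # hypothetical internal domain, tolerated in To/Cc


def visible_recipients(msg):
    """Addresses that every recipient will be able to see: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_message(msg, limit=VISIBLE_RECIPIENT_LIMIT):
    """Return (allowed, reason). Only addresses outside INTERNAL_DOMAINS count."""
    visible = visible_recipients(msg)
    external = [a for a in visible if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    if len(external) > limit:
        return False, f"{len(external)} external addresses visible in To/Cc (limit {limit}); use Bcc"
    return True, "ok"


def move_to_bcc(msg):
    """Return a corrected copy: every To/Cc recipient moved to Bcc, To set to the sender."""
    fixed = EmailMessage()
    for name, value in msg.items():
        lowered = name.lower()
        # Content-* and MIME-Version are regenerated by set_content below.
        if lowered in ("to", "cc", "bcc", "mime-version") or lowered.startswith("content-"):
            continue
        fixed[name] = value
    fixed["To"] = msg["From"]
    existing_bcc = [a for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    fixed["Bcc"] = ", ".join(visible_recipients(msg) + existing_bcc)
    fixed.set_content(msg.get_content())
    return fixed


def build_sample(n):
    """Constructed message with n external applicants placed in the To field (the MoD mistake)."""
    msg = EmailMessage()
    msg["From"] = "relocation-team@example.gov.uk"
    msg["To"] = ", ".join(f"applicant{i}@example.net" for i in range(n))
    msg["Subject"] = "Update on your application"
    msg.set_content("Please see the update below.")
    return msg
```

Run `check_message` as a gate in whatever sends the mail; a message that fails the check can be passed through `move_to_bcc` and re-checked before it leaves.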
Our data protection expert Becky White provided the following perspective:
The potentially fatal consequences of this particular data breach highlight the vital importance of implementing appropriate data handling protocols, especially in terms of bulk emailing. Additionally, conducting regular staff training is critical to ensure staff understand security risks and instinctively follow correct procedures.
With so much of our lives now online and accessible, the risk of information falling into the wrong hands is increasing. The MoD incident drives home the importance of keeping personal data secure and should serve as a wake-up call to any organisation that does not take data protection seriously.
For smaller organisations, meeting training and compliance obligations can be difficult. Our data protection package delivers the essentials like staff training materials, audits and advice tailored to your needs and resources.