Could the MoD’s recent ICO fine happen to your business?

Could the MoD’s recent ICO fine happen to your business?

The Information Commissioner's Office (ICO) recently fined the Ministry of Defence (MoD) £350 000 for disclosing personal information of over 200 Afghan nationals, who were eligible for evacuation from Afghanistan and seeking relocation to the UK. The incident occurred in September 2021 when the MOD mistakenly used the 'To' field in an email, rather than putting recipients on blind copy, inadvertently disclosing the email addresses of all 245 recipients. 

Among the recipients, 55 had visible thumbnail pictures on their email profiles, two individuals 'replied to all' potentially without realising it, and one person inadvertently disclosed their location. The personal data breach compromised the identity and safety of the affected individuals, who were already in a vulnerable situation, putting them at risk of serious harm if the information had fallen into the hands of the Taliban. The information commissioner, John Edwards, said the error 'let down those to whom our country owes so much'.

In response to this breach, the MoD conducted an internal investigation, made a statement in parliament, and updated their email policies and processes including implementing a policy in which an email initiated by one staff member is cross-checked by another to prevent such errors in the future.

This personal data breach is an extreme example of the significant risks that can arise when basic data protection fails due to human error. Indeed, over the past three years, from 2021 to 2023, the ICO’s Data Security Incident Trends report found that incorrectly addressed emails were the incidents most frequently reported. Failure to use blind copy when appropriate, as exemplified in this MoD case, is also an ongoing issue.

Organisations can prevent these types of basic personal data breaches by implementing proper policies and processes, particularly when sending bulk emails, and encouraging their staff to follow good email practices. Those handling sensitive personal data should prioritise integrating these foundational data security practices.

Our data protection expert Becky White provided the following perspective:

The potentially fatal consequences of this particular data breach highlight the vital importance of implementing appropriate data handling protocols, especially in terms of bulk emailing. Additionally, conducting regular staff training is critical to ensure staff understand security risks and instinctively follow correct procedures.

With so much of our lives now online and accessible, the risk of information falling into the wrong hands is increasing.  The MoD incident drives home the importance of keeping personal data secure and should serve as a wakeup call to any organisation that does not take data protection seriously.

For smaller organisations, meeting training and compliance obligations can be difficult. Our data protection package delivers the essentials like staff training materials, audits and advice tailored to your needs and resources.

About our expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry