
The Ministry of Defence has admitted there have been dozens more data breaches relating to Afghan relocation cases than publicly known, according to a report.
A Freedom of Information request by the BBC revealed there had been 49 data breaches in the past four years, including four already known to the public.
Seven breaches were serious enough to be reported to the UK’s data watchdog, the Information Commissioner’s Office (ICO), three of which had not been made public, the broadcaster reported.
Those three included one in 2021 and two in 2022, the same year a major leak prompted the Government to obtain an unprecedented superinjunction barring journalists from reporting it.
The Ministry of Defence (MOD) did not provide any details of the nature of each breach.
Adnan Malik, of Barings Law, which represents 1,500 affected people, said: “This represents a deeply alarming data failure and the recent 49 Ministry of Defence breaches make clear that the Afghan case was not an isolated error but part of a wider and troubling pattern of negligence.”
Last month, a High Court judge lifted the gagging order relating to the major breach, which saw the details of 18,714 applicants for the Afghan Relocations and Assistance Policy (Arap) scheme released in 2022.
When the breach was discovered more than a year later, in August 2023, the MOD were granted an unprecedented gagging order amid fears the Taliban could target would-be refugees for reprisals.
The breach also saw the establishment of a secret £850 million scheme, the Afghanistan Response Route (ARR), to bring thousands of those affected to the UK.
Arap was responsible for relocating Afghan nationals who had worked for or with the UK Government and were therefore at risk of reprisals once the Taliban returned to power in Kabul in 2021.
An MOD spokesperson said: “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.
“All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner’s Office and any lesser incidents are examined internally to ensure lessons are learned.”
The ICO said it continues to engage with the MOD and “can be assured that they have made the required improvements”.