A watchdog has been urged to investigate the “dangerous shambles” of Afghan relocation data breaches after the Ministry of Defence reportedly admitted more than previously known.
A freedom of information request by the BBC revealed there have been 49 data breaches in the past four years, including four already known to the public.
Seven breaches were serious enough to be reported to the Information Commissioner’s Office (ICO), three of which had not been made public, the broadcaster reported.
Those three included one in 2021 and two in 2022, the same year a major leak prompted the Government to obtain an unprecedented superinjunction barring journalists from reporting it.
Sean Humber, a lawyer at Leigh Day, which acts for Afghan citizens affected by previous breaches, said the latest reports are “shocking” and confirm the MoD “appears to be institutionally incapable of keeping personal data safe”.
He said: “These data breaches betray a cavalier attitude to keeping such sensitive information safe as well as a complete disregard for the potentially life and death consequences of failing to do so.
“The Information Commissioner’s Office must now roll up its sleeves and carry out a thorough and immediate investigation of what appears to be systemic failures of data protection policies, procedures or practices by the Ministry of Defence. This dangerous shambles cannot be allowed to continue.
“All those affected must be notified of the breach of their personal data, including the personal data affected, without further delay and appropriate steps taken to ensure their safety.”
Adnan Malik, of Barings Law, which represents 1,500 affected people, said: “This represents a deeply alarming data failure and the recent 49 Ministry of Defence breaches make clear that the Afghan case was not an isolated error but part of a wider and troubling pattern of negligence.
“Transparency is not optional; it is critical for protecting individuals, maintaining public trust, and ensuring that lessons are learned to prevent future breaches.”
The MoD did not provide any details of the nature of each breach.
Last month, a High Court judge lifted the gagging order relating to the major breach, which saw the details of 18,714 applicants for the Afghan Relocations and Assistance Policy (Arap) scheme released in 2022.
When the breach was discovered more than a year later in August 2023, the MoD was granted an unprecedented gagging order amid fears the Taliban could target would-be refugees for reprisals.
It also saw the establishment of a secret £850 million scheme, the Afghanistan Response Route (ARR), to bring thousands of those affected to the UK.
Arap was responsible for relocating Afghan nationals who had worked for or with the UK Government and were therefore at risk of reprisals once the Taliban returned to power in Kabul in 2021.
An MoD spokesperson said: “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.
“All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner’s Office and any lesser incidents are examined internally to ensure lessons are learned.”
The ICO said it continues to engage with the MoD to be “assured that they have made the required improvements”.
