The Government has been urged to “go further and faster” on efforts to prevent data breaches such as the 2022 leak of the details of thousands of Afghans applying to move to the UK to flee the Taliban.
The UK Information Commissioner said ministers should “as a matter of urgency” fully implement the recommendations of an information security review carried out in the wake of a string of public sector data breaches.
The review, undertaken in 2023 by the previous Tory government, was made public for the first time on Thursday after pressure from Dame Chi Onwurah, chairwoman of the Science, Innovation and Technology Committee.
She said the Government “still has questions to answer” about the review, including why it was kept under wraps for so long, and why only 12 of its 14 recommendations have been implemented.
Without further transparency, the public may not “trust that it can keep their data secure” as the Government pursues a digital transformation of public services, Dame Chi said.
Last month it emerged that the details of 18,714 applicants for the Afghan Relocations and Assistance Policy (Arap) scheme were accidentally leaked in an email spreadsheet by a defence official in 2022.
When the blunder was discovered more than a year later in August 2023, the Ministry of Defence (MoD) was granted an unprecedented gagging order amid fears the Taliban could target would-be refugees for reprisals.
It also saw the establishment of a secret scheme, the Afghanistan Response Route (ARR), to bring some of those affected to the UK at a projected final cost of about £850 million.
Incidents examined in the newly published review by the Cabinet Office include a similar breach by the MoD in 2021 when 245 Arap scheme applicants who had provided services for British forces in Afghanistan were emailed in copy rather than in blind copy, raising fears that Taliban authorities gaining access to the email could seek reprisals against them.
“These breaches have real world consequences including putting lives at risk and undermining public trust in government,” Information Commissioner John Edwards warned in a letter to Chancellor of the Duchy of Lancaster Pat McFadden.
He said that while “some progress has been made” on using the incidents to learn lessons and prevent future harm, “the Government needs to go further and faster to ensure Whitehall, and the wider public sector put their practices in order”.
“As a matter of urgency, the Government should fully implement the recommendations of the Information Security Review,” he said.
Dame Chi said: “I’m glad that this information security review has finally been made public, but it’s concerning that it took an intervention from my committee and the Information Commissioner to make this happen.
“The Government still has questions to answer about the review. Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan Breach became public?
“I have asked Minister Pat McFadden and Information Commissioner John Edwards to appear before my committee to explain the circumstances around this review and how far its recommendations have been implemented.
“Proper scrutiny on this is desperately needed, and it’s crucial we have a better understanding of how the Government plans to stop these dangerous data breaches.
“For the Government to fulfil its ambitions of using tech to boost the economy and transform our public sector, it needs the public to trust that it can keep their data secure. If it can’t, how can anyone be comfortable handing over their personal information?”
A Government spokesperson said: “This review concluded in 2023 under the previous government.
“Protecting national security, including the security of government data, is one of our primary responsibilities.
“Since taking power, we have strengthened security guidance across departments, updated mandatory training for civil servants, and announced plans to upgrade digital infrastructure across the public sector as set out in our Blueprint for Modern Digital Government.”
