Committee publication · Correspondence · 16 October 2025
Letter from the Permanent Secretary of the Ministry of Defence relating to the February 2022 Afghan Data Incident follow up information, 07 October 2025
From: Public Accounts Committee
Inquiry: Afghanistan Response Route (ARR)
Summary
The Ministry of Defence Permanent Secretary responds to Public Accounts Committee follow-up questions on the February 2022 Afghan data incident. The letter details MOD's internal work to improve data protection compliance, explains the decision not to inform the Comptroller & Auditor General due to a super-injunction, provides context on the incident's causes (lack of secure casework systems, operational pressure), and outlines substantial remedial actions including deployment of the Defence Afghan Caseworking System, staff training, and implementation of McIvor Review recommendations.
Key findings
- February 2022 incident was a one-off action caused by lack of appropriate secure casework systems and urgent operational need during Afghan evacuation, not systemic non-compliance; ICO confirmed it was different from routine 2021 'blind carbon copy' incidents
- MOD has deployed Defence Afghan Caseworking System (DACS) since May 2022 with stricter access controls, audit logs, and protocols preventing insecure data sharing; further software improvements implemented since 2023 including email blocking rules and sensitive data labelling tools
- 49 data incidents related to ARAP and Afghanistan Locally Employed Staff scheme have been recorded and assessed; ICO confirmed MOD's judgement on which incidents required escalation was satisfactory
- Permanent Secretary did not brief Comptroller & Auditor General during super-injunction period, citing risk of extending knowledge circle without meaningful scrutiny and potential difficulty for C&AG's parliamentary relationship
- McIvor Review of data protection compliance (commissioned September 2023, released January 2024) has been substantially implemented; Government Internal Audit Agency found 'good progress made' on action ownership, controls and processes as of early 2025
Tone
Procedural
Key actors
David Williams (Permanent Secretary, Ministry of Defence), Sir Geoffrey Clifton-Brown (Chair, Public Accounts Committee), Information Commissioner's Office (ICO), Neil McIvor (reviewer of data protection compliance), Government Internal Audit Agency (GIAA), Comptroller & Auditor General, Defence Digital, Government Security Classifications Policy
Notable line
“The February 2022 incident was a result of a one-off action, rather than reflecting a wider culture of non-compliance.”
Key Quotes
“The February 2022 incident was a result of a one-off action, rather than reflecting a wider culture of non-compliance. It was however facilitated by the lack of appropriate systems to prevent or mitigate the error.”
“I took this decision as Accounting Officer in the knowledge of the Ministerial position on reading in Parliamentarians and because I judged it would extend the circle of knowledge without offering an opportunity for meaningful scrutiny whilst the super-injunction was in place.”
“… had recognised this issue and was taking steps to acquire new systems to securely manage casework and the sharing of personal data.”
“… it was not a result of systemic non-compliance with data protection policies or the lack of such policies”
“The DACS system that MOD now uses is considered the most appropriate software available to securely manage ARAP information for which the MOD is responsible. It includes stricter access controls and audit logs; and prevents the sharing of data outside of secure systems without appropriate protocols being adhered to …”
“… good progress has been made”
Source · parliament.uk record