ICO (UK) - Ministry of Defence

From GDPRhub
Revision as of 10:41, 27 February 2024 by Im (talk | contribs)
ICO - Ministry of Defence
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.04.2023
Decided: 07.12.2023
Published: 26.02.2024
Fine: 350000 GBP
Parties: Secretary of State for Defence
National Case Number/Name: Ministry of Defence
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: im

The Information Commissioner’s Office (ICO) fined UK Ministry of Defence €409,080 (GBP 350,000) for disclosure of 265 unique email addresses of individuals seeking relocation from Afghanistan following the Taliban's ascent to power in the summer of 2021.

English Summary

Facts

On 20 September 2021, the Ministry of Defence (MoD) sent an email to a distribution list of individuals eligible for evacuation from Afghanistan using the ‘To’ field rather than the ‘blind carbon copy’ (‘Bcc’) field. Following this incident, the MOD identified that two similar incidents involving the staff in charge of the UK's Afghan Relocations and Assistance Policy had already occurred. Overall, 265 unique email addresses were disclosed. The ICO stated that the email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Additionally, MoD confirmed that two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

Holding

The ICO’s investigation found that the MoD infringed Article 5(1)(f) (UK) GDPR by failing to have appropriate technical and organization measures in place compromising the security of personal data.

Further, the ICO determined that, at the time of the infringement, the MoD did not have operation procedures in place to ensure group emails were sent securely to individuals seeking relocation from Afghanistan. Instead, the staff in charge had to rely on the MoD's broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information. The ICO noted that this human error led to the potential for unauthorized disclosure of sensitive information, putting the individuals’ lives at risk. Due due to the risk of Taliban reprisals against supporters of Western forces, ICO emphasized that the personal data were highly sensitive and required careful handling.

Accordingly, the ICO imposed the fine on the MoD in the amount of €409 080 (GBP 350,000). The ICO explained that the fine was reduced from an initial amount of €1,168,700 (GBP 1,000,000) to €818,090 (GBP 700,000) in recognition of the unusual and urgent circumstances of the withdrawal from Afghanistan. However, the ICO took into account the fact the MoD is a public body, and therefore decided to reduce the fine to €409 080 (GBP 350,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.