ICO (UK) - Ministry of Defence

From GDPRhub
ICO - Ministry of Defence
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.04.2023
Decided: 07.12.2023
Published: 26.02.2024
Fine: 350,000 GBP
Parties: Secretary of State for Defence
National Case Number/Name: Ministry of Defence
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: im

The DPA fined the UK Ministry of Defence €409,080 (GBP 350,000) for the disclosure of 265 unique email addresses belonging to individuals seeking relocation from Afghanistan following the Taliban's ascent to power in the summer of 2021.

English Summary

Facts

On 20 September 2021, following the Taliban's ascent to power, the Ministry of Defence (MoD) sent an email to a list of individuals eligible for evacuation from Afghanistan with the recipients placed in the ‘To’ field rather than the ‘blind carbon copy’ (‘Bcc’) field, so every recipient could see the full list. Following this incident, the MoD identified that two similar incidents involving the staff in charge of the UK's Afghan Relocations and Assistance Policy had already occurred. Overall, 265 unique email addresses were disclosed.

The UK DPA (Information Commissioner's Office, ICO) started an investigation and found that the email addresses could be seen by all recipients, and that 55 of the affected people had thumbnail pictures on their email profiles. Additionally, the MoD confirmed that two people ‘replied all’ to the entire list of recipients, with one of them disclosing their location.

Holding

The ICO’s investigation found that the MoD infringed Article 5(1)(f) (UK) GDPR by failing to have appropriate technical and organisational measures in place, which compromised the security of personal data. This Article is substantially equivalent to the duty of integrity and confidentiality under Article 5(1)(f) GDPR.

The ICO determined that, at the time of the infringement, the MoD did not have operational procedures in place to ensure group emails were sent securely to individuals seeking relocation from Afghanistan. Instead, the staff in charge had to rely on the MoD's broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information. The ICO noted that this human error led to the potential for unauthorised disclosure of sensitive information, putting the individuals’ lives at risk. Due to the risk of Taliban reprisals against supporters of Western forces, the ICO emphasised that the personal data were highly sensitive and required careful handling.
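The kind of procedural control the ICO found missing can also be enforced in code. As an added example (not part of the decision or of any MoD system), the Python below builds a group mailing with every recipient in Bcc and runs a pre-send check that rejects any message whose To or Cc headers would expose the recipient list; the addresses and the visibility threshold are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: at most one address may be visible to all recipients (the
# sender's own mailbox, used as the nominal To address of a Bcc mailing).
MAX_VISIBLE_RECIPIENTS = 1


def build_group_email(sender, recipients, subject, body):
    """Group mailing with the recipient list hidden in Bcc.

    smtplib.SMTP.send_message() strips the Bcc header before transmission
    and uses the addresses only in the SMTP envelope, so no recipient can
    see, or reply-all to, the others.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                    # the only visible address
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_visible_email(sender, recipients, subject, body):
    """The pattern behind the incident: the whole list in the To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)     # every recipient sees every address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses that every recipient would see (To and Cc headers)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_before_send(msg):
    """Gate to run before any outbound group mail; returns (allowed, reason)."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, f"{len(visible)} addresses would be disclosed to all recipients; move them to Bcc"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample addresses, not real data.
    people = [f"applicant{i}@example.org" for i in range(1, 6)]
    print(check_before_send(build_group_email("casework@example.gov.uk", people, "Update", "...")))
    print(check_before_send(build_visible_email("casework@example.gov.uk", people, "Update", "...")))
```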

Accordingly, the ICO imposed a fine on the MoD in the amount of €409,080 (GBP 350,000). The ICO explained that the fine was reduced from an initial amount of €1,168,700 (GBP 1,000,000) to €818,090 (GBP 700,000) in recognition of the unusual and urgent circumstances of the withdrawal from Afghanistan. Further, the ICO took into account the fact that the MoD is a public body, and therefore decided to reduce the fine to €409,080 (GBP 350,000).
