On 17 August 2023 the Ministry of Defence (MoD) put the Information Commissioner’s Office (ICO) on broad notice about the devastating failure of data protection that is now generally known as the Afghan data breach (although sadly there have been many others).
This involved the illegal release of some 33,000 lines of gravely sensitive personal spreadsheet data which put almost 100,000 people – up to 25,000 Afghans applying for relocation to the UK as well as their family members, many of whom were also identified in the data – at grave risk of harm and may even have resulted in some of their deaths.
However, despite details of this egregious and illegal exposure of data subjects being immediately required by law and subsequently coming into view, the ICO decided not to carry out any investigation and therefore not to take any enforcement action, such as issuing a fine, enforcement notice or even a mere reprimand.
Astonishingly, the ICO also made no contemporaneous record whatsoever of the rationale for these critical decisions or even the bare fact that they had been made. Given the exacting supervisory requirements set down in the UK General Data Protection Regulation (GDPR), these subsequent (in)actions expose further serious failings in UK data protection. These failings point to the need for an in-depth independent investigation of UK data protection regulation, which should also explore the serious gap between the UK GDPR’s promises and the ICO’s hyper-discretionary and hyper-selective track record and approach, and what might be done to address this. What follows merely provides a partial indication of some of the particular issues which arise in relation to the Afghan spreadsheet data breach itself. It is based on the (still very limited) information which has come into public view so far and builds on a previous blog post on the same subject posted last month.
Lack of Contemporaneous Record Keeping
This post draws primarily on an ICO memorandum which seeks to summarise the ICO’s involvement with the Afghan spreadsheet data breach and to provide a justification for the various decisions made between 17 August 2023 and 15 July 2025. However, it is vital to emphasise that the memorandum in question is completely post-hoc. It was entirely written after 15 July 2025 and was not able to draw on any “internal record of the ICO’s actions and decision making regarding this data breach” as there is none. Ab initio, this complete lack of contemporaneous documentation constitutes a significant failure of demonstrable compliance with the data protection framework (in this case, the duties of the regulator as opposed to those of controllers and processors) and is particularly problematic given both the seriousness of the breaches requiring attention and the legally aberrant decision not to take any regulatory action. Moreover, no reasonable justification is provided for it even post-hoc.
Thus, although the memorandum invokes the super-injunction which the MoD obtained on 1 September 2023, this is contradicted by its acknowledgment that the super-injunction expressly made clear that it “did not prevent the ICO from taking any steps in private that the ICO consider[ed] appropriate”. Similarly, although it is argued that any “written notes” would have “likely necessitated the inclusion of information which was classified as Secret or Top Secret”, its statement that this rendered the ICO “unable” to take such notes is again contradicted by its express acknowledgment that this would merely have created “additional handling difficulties”. Any such difficulties must be considered part of the ICO’s normal terrain given its legal mandate to ensure independent supervision even in highly sensitive contexts, such as those involving national security, which are also precisely the contexts that often raise the most serious data protection concerns. It is also striking that the memorandum clearly reveals that these sorts of concerns did not prevent the MoD from responding to enquiries on this matter to ICO email addresses.
Failure to Notify within 72 Hours and Effect of Super-Injunction
At least parts of the memorandum’s analysis of the substance of the matter are unfortunately also misleading. Thus, although it states that the MoD did tell the ICO on 17 August 2023 that it had experienced a “serious data breach”, which was two days after it itself became aware of the February 2022 loss of the Afghan spreadsheet data, the memorandum goes on to incorrectly claim that the ICO was therefore “notified within 72 hours”, “as required by Article 33(1) of the UKGDPR”. The same claim was made by the ICO in its initial statement on the data breach released on 15 July 2025. Although breach notification is certainly mandated under Article 33(1), Article 33(3) explicitly states that such notification must “at least”:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
In contrast, the memorandum is clear that on 17 August 2023 the MoD merely communicated the fact that a serious breach had occurred, made clear that “sensitivity” prevented any further information being provided at this time and stated that a face-to-face meeting was necessary. Three weeks passed until an (unnamed) ICO official attended an 8 September 2023 meeting where he was served with the 1 September 2023 super-injunction and, according to the memorandum, provided with “an overview of what was known by MoD at that time”. However, even this failed to constitute an (albeit delayed) Article 33 breach notification as it is also explicitly stated that the “rationale” for “obtaining the injunction was not shared” and yet we now know that the MoD had already offered express justification to the court that the super-injunction was a critical measure to mitigate the breach’s adverse effects on the data subjects. Unfortunately, it remains unclear when a full Article 33(1) notification was carried out, if at all.
The super-injunction itself prevented discharge of the default obligation to notify the breach to any affected individual data subject (under Article 34) and was cited by the ICO as a central reason for it holding itself unable to investigate the incident or to keep internal records. This stark reality, alongside the clarity of the Article 33 requirements (as well as the fact that the proceedings did include two representatives of media organisations), renders it hugely problematic that the MoD did not inform the ICO in advance of its intention to seek the super-injunction (or explain its rationale even well after it had been granted), that the ICO did not object to this and, assuming the super-injunction really was an impediment to the demonstrable performance of its regulatory functions, that the ICO did not seek any variation of it from the court.
Lack of any ICO Investigation
The ICO’s lack of forensic engagement must be related to a decision made on 5 December 2023 – apparently after just one further meeting with the MoD – that it was not “in a position to independently investigate the incident”. This decision was made by Stephen Bonner, Deputy Commissioner (Regulatory Supervision), and was briefed “at a high level” to the Information Commissioner John Edwards, who apparently did not demur or seek further information. The twin justifications proffered, namely the super-injunction and the Secret or Top Secret information classification, mirror those for failing to keep any internal records and are similarly problematic. As regards the security classification, the memorandum is clear that it merely created “additional handling difficulties”. Meanwhile, the super-injunction explicitly stated that the ICO remained free to take “any steps in private” that it considered “appropriate”, and this fact is clearly integral to the justification of the ICO not seeking any alteration of its terms. If the ICO understood the super-injunction differently, then it was manifestly incumbent on it to approach the court for an amendment.
As has been clear at least since C-311/18 Schrems (2020), the ICO’s “primary responsibility is to monitor the application of the [UK] GDPR and to ensure its enforcement” (at [108]). The ICO is not permitted to delegate this twin responsibility, or these tasks, to the very controller under scrutiny, as it is statutorily obliged to ensure that it “act with complete independence in performing [its] tasks” (UK GDPR, art 52). It is also “required to execute its responsibility for ensuring that the GDPR is fully enforced for all due diligence” (at [112]) and it therefore follows that it must intervene when put on notice about a prima facie “clear breach” of data protection of a serious nature. Alongside other enforcement action, the ICO is explicitly required under Article 83 of the UK GDPR to “ensure that the imposition of administrative fines” is “effective, proportionate and dissuasive”, and Recital 148 authoritatively specifies that it should impose a fine on organisations (whether public or private) for any data protection breach which is not “minor”. Given the overarching requirement for “strong enforcement” (UK GDPR, Recital 7), Recital 148’s interpretation is particularly imperative when other measures, such as an enforcement notice, are not forthcoming. Moreover, in December 2023, when handing down a £350k fine for a worryingly similar (although considerably less far-reaching) MoD data breach in 2021 (also involving Afghan relocations data), the Commissioner himself acknowledged that in relation to “breaches of data protection that are so egregious that they put people’s lives at risk” it was “necessary for us at the ICO to apply the full sanctions of the law”. It is manifest, however, that the application of any, let alone full, legal sanctions is impossible if prima facie serious breaches of the law are not even subject to ICO investigation.
No Further Action (NFA) Decision and ICO-MoD Interactions
The ICO’s 5 December 2023 decision not to investigate resulted in it only taking part in meetings (including reviewing documentation) coordinated by the data controller itself and giving input at and around these. However, no evidence is provided of any such meeting taking place between 5 December 2023 and 26 June 2024. Moreover, following that latter meeting, Stephen Bonner made (but did not record) another critical decision, which was that “no further action (‘NFA’) was required at this time”. John Edwards was subsequently informed (although not until 19 September 2024) “at a high level” and “had no objection with the approach”. It is difficult to see how sufficient lines of inquiry could possibly have been pursued by this point to justify such an outcome, and the memorandum in any case presents no evidence to suggest that this was anything other than a very serious breach which positively required action on the part of the ICO. Nevertheless, approximately a third of the memorandum (pp. 11-15) seeks post-hoc to set out such a justification.
Some of this merely repeats claims relating to the super-injunction and the information classification which have been considered and rejected above. Other parts are both counter-intuitive and contradictory. Thus, it claims as an argument against regulatory action that the ICO was “already investigating and taking regulatory action against the MoD for a separate data breach” which resulted in the December 2023 £350k fine. However, as explicitly specified in Article 83(2)(e) of the UK GDPR and in the ICO’s own guidance, “relevant previous infringements by the controller” (or, in the Information Commissioner’s words, “a similar breach”) are peremptorily established as an aggravating rather than a mitigating factor for regulatory action. The memorandum also seeks to assert that the ICO had formed an understanding that the spreadsheet failure was “a one-off occurrence following a failure to following [sic] usual checks, rather than reflecting a wider culture of non-compliance”. However, this patently clashes with positive knowledge of the other egregious data breach (also involving Afghan relocation application data) and with information which has subsequently become available through a freedom of information request showing that there have been 49 separate data breaches at this MoD unit over the past four years, including seven which were serious enough to be notified to the ICO.
The memorandum briefly summarises four further meetings at the MoD after 26 June 2024 involving the ICO, as well as related MoD-ICO interactions. It is clear from this that a range of relevant matters concerning both the breach itself and changes to data practices were discussed and explored. Nevertheless, none of this appears to have involved a forensic investigation by the ICO itself of the actual breach (including whether even the intended release – which involved the unencrypted permanent disclosure of highly sensitive personal data about 150 individuals to a number of third parties – was itself lawful). There was also no suggestion of any potential regulatory sanction for the manifest serious failures (which is unsurprising given the No Further Action decision already made), and it is clear that the MoD itself was far from always being promptly forthcoming. For example, enquiries made at the 26 June 2024 meeting remained unanswered until an email on 8 October 2024, and certain queries raised at the 6 May 2025 meeting remained unanswered until 10 July 2025 (just 5 days before the super-injunction was lifted). It is also clear that following the 26 June 2024 No Further Action decision, the focus increasingly turned to plans for joint MoD-ICO management of public relations communications once the super-injunction was lifted. Thus, as early as 3 July 2024 the MoD sent the ICO “an initial comms and engagement pack”, and such joint work continued (including at, and after, meetings) over the subsequent months.
Conclusions
As a result of both its scale and acute sensitivity (which involved risks to life and perhaps even death), the MoD’s Afghan spreadsheet data breach was one of the most egregious in UK history. The lifting of the 1 September 2023 super-injunction, which took place on 15 July 2025, exposed this to the world. This event also exposed acute failings in UK data protection supervision. The ICO’s failure to engage in any enforcement action in response to such an egregious breach is impossible to square with its duty (which has been acknowledged by the Information Commissioner himself) “to apply the full sanctions of the law” in such cases. However, beyond even this, it is now clear that the ICO did not mount any independent investigation into this matter and that it did not maintain any contemporaneous record of its decisions. Whilst undoubtedly posing weighty challenges, neither the high classification of the information at issue nor the super-injunction itself provides a good justification for this. The absence of an ICO investigation and contemporaneous record-keeping is at even greater variance with its obligation to demonstrably discharge its “responsibility for ensuring that the [UK] GDPR is fully enforced for all due diligence” (at [112]).
Although aberrant from the perspective of UK GDPR standards, this outcome is sadly consonant with the accelerating trends towards hyper-discretion and hyper-selection in UK data protection regulation. Other major data breaches, such as the 2023 one which continues to impact the British Library (much less serious but also raising far fewer complexities in terms of investigation), have also not been fully investigated or sanctioned. Moreover, the ICO’s Annual Report 2024/25 revealed that the ICO carried out only 43 UK GDPR investigations in the past year (an 85% reduction on 2023-24), issued just 2 UK GDPR fines (compared to >250 in both Germany and Spain) and served no UK GDPR enforcement notices at all. These facts expose the need for an in-depth, thorough and independent investigation into the state of UK data protection regulation, including an examination of what might be done to reverse its current lack of consistent and robust results for data subjects and the public at large.
David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge. He is also an associate member of Matrix Chambers.
This blog was originally posted on the UK Constitutional Law Blog and is reproduced with permission and thanks.