A Ministry of Defence official accidentally shared the data of more than 18,000 Afghans seeking relocation to the UK, leading to the then-Conservative government creating a secret resettlement route for those affected by the breach.
The leak has been revealed after a high court judge lifted a super-injunction preventing any information on the data breach from being disclosed publicly.
The defence secretary, John Healey, has also announced that he has brought the scheme to support those affected by the leak to an end.
The breach occurred in February 2022, when an MoD official sent a confidential file outside of authorised government systems that contained data on 18,714 Afghans who had applied to be come to the UK under two relocation schemes: the Afghan Relocations and Assistance Policy (ARAP) and the Afghanistan Locally Employed Staff Ex-Gratia Scheme.
These schemes were set up to bring over Afghan citizens who worked for or with UK Armed Forces, and who feared reprisals from the Taliban upon their return to power.
In a statement in the House of Commons, defence secretary John Healey said the official “mistakenly believed” they had sent the names of 150 applicants to the schemes, rather than 18,714.
“This was a serious departmental error,” Healey said. “It was in clear breach of strict data protection protocols. And it was one of many data losses relating to the ARAP scheme during this period.”
The leak came to light in August 2023, when the MoD found out that part of the dataset had been published on a Facebook page. While the info was swiftly removed from the social-media platform, journalists were aware of the breach and the previous administration applied to the High Court for an injunction to prevent the data loss becoming public.
The High Court judge, Robin Knowles, went a step further and granted a super-injunction. This prevented not only information on the data breach from being disclosed, but also the existence of the injunction itself, due to the risk the data posed to thousands of Afghans if it got into the hands of the Taliban. The superinjunction was in place for nearly two years before High Court judge Martin Chamberlain lifted it yesterday.
In autumn 2023, ministers in the Rishi Sunak administration began work on establishing a secret settlement scheme for those in the compromised dataset who were not eligible for ARAP, but judged to be at the highest risk of reprisals by the Taliban.
The government initially established the Afghanistan Response Route (ARR) to resettle a target cohort of around 200 principal applicants but by early 2024, this had been extended to nearly 3,000.
Healey, who said he was informed of the scheme by then-armed forces minister James Heappey in December 2023, said the Labour administration decided to reassess the decision-making criteria for the ARR after coming to power in July last year.
In December 2024, he announced a streamlining of the range of government schemes to resettle Afghans into one single scheme. And at the beginning of this year, he commissioned Paul Rimmer – a former senior civil servant and ex-deputy director of chief of defence intelligence – to conduct an independent review. The report concluded last month and a public version has now been published.
In the report, Rimmer concludes that acquisition of the dataset by the Taliban is “unlikely to substantially change an individual’s existing exposure, given the volume of data already available”.
"The Taliban already have access to significant volumes of data which enables them to identify personnel associated with the former government," Rimmer said. The family and community-based nature of Afghan society means former roles and associations are often already well known. The dataset is unlikely to significantly shift Taliban understanding of individuals who may be of interest to them."
He also said “it appears unlikely that merely being on the dataset would be grounds for targeting” and it is “therefore also unlikely that family members – immediate or more distant – will be targeted simply because the ‘principal [applicant]’ appears in the… dataset”.
Healey said around 900 applicants have come to Britain or are in transit under the ARR scheme, alongside 3,600 family members, at a cost of £400m.
He said there will be no new ARR offers of relocation to Britain as of Tuesday, 16 July, the day the route's closure and the lifting of the super-injunction.
However, he said the government will honour the 600 invitations already made to any named person still in Afghanistan and their immediate family. “When this nation makes a promise, we should keep it,” he said.
The scheme will see a total of around 6,900 Afghans relocated and is expected to cost £850m.
Healey said he had “spent many hours thinking about this decision" to close the scheme, "thinking about the safety of and the lives of people I will never meet – in a far-off land in which 457 of our servicemen and women lost their lives”.
“So this weighs heavily on me – and it’s why no government could take such decisions lightly, without sound grounds and hard deliberation,” he said.
In a statement, Emily Keaney, deputy commissioner at the Information Commissioner's Office, said the "deeply regrettable incident" has "placed thousands of vulnerable people at risk".
"While we have been unable to comment on this matter publicly until now, I want to reassure the public that our expert team has been working behind the scenes to support and providing scrutiny to this internal investigation into what is a complex and sensitive situation," she said.
“Data protection should never be a barrier to sharing information when this is needed to prevent harm and we accept that the initial sharing of the document was intentional and considered under the circumstances. However, there were mistakes made beyond this, with hidden data in the spreadsheet."
Keaney said the ICO has been "clear with the MoD that this incident is unacceptable and should never happen again – the stakes are simply too high".
"The public must be able to trust that the government has measures in place to protect the personal information and security of the most vulnerable people," she said.
“We have supported the MoD with its internal investigation and carefully considered the specific circumstances under which the breach occurred, including the critical need to share data urgently in this situation. We’re reassured that the MoD’s investigation has resulted in taking necessary steps and minimised the risk of this happening again.
"We have also considered the proportionality of further action while the MoD rightly take steps to protect those most affected. We are satisfied that no further regulatory action is required at this time in this case.”