10
Acknowledged
ICO unable to conduct full data breach investigation due to classified information.
Conclusion
In August 2023, after it discovered the data breach, the Department reported the incident to the Metropolitan Police and the Information Commissioner’s Office (ICO). The police decided that no criminal investigation was necessary. The ICO decided that it was not in a position to conduct its own investigation at that time, because of the restrictions resulting from the super-injunction and the classification of much of the relevant material as Secret or Top Secret. Instead, the ICO decided to review, oversee and propose lines of investigation to the Department’s internal investigation team.20 The ICO found that, due to the urgency with which the Department was operating, there was “inherently some risk” it was having to take by sharing data externally. It also found that, at the time of the breach, the Department’s systems were not set up for this way of working, and the Department was working at pace due to its assessment that there was a clear threat to life.21
Government Response Summary
The government commissioned an independent, MOD-wide Data Protection Review in response to several high-profile and sensitive data protection incidents.
Government Response
Acknowledged
Government Response
Acknowledged
HM Government
Acknowledged
3.2 In 2023, the department’s Executive Committee commissioned an independent, MOD- wide Data Protection Review in response to several high-profile and sensitive data protection incidents within the department and across government. This included the discovery of the February 2022 incident. Neil McIvor, the Chief Data Officer at the Department for Education, was appointed to lead this comprehensive review.
Source
Committee
Public Accounts Committee
Inquiry
Afghanistan Response Route (ARR)
Report
54th Report - Afghanistan Response Route
14 Nov 2025
HC 1391
Addressee Bodies
HM Treasury
Timeline
Recommendation age
0.5 yr
Report published
14 Nov 2025