13
Acknowledged
Department had data protection policies but improved systems since February 2022 breach.
Conclusion
As part of its investigation into the February 2022 data breach, the Department provided to the ICO details of its data protection policies, as well as training and guidance for staff on the risks of sharing information by email, that were in place at the time of the incident. The ICO found that, in its view, the Department did have policies and processes in place designed to address the risks of sharing information externally when the data breach took place, and that it had taken steps to implement improved systems and processes since then.29
Government Response Summary
The government references a letter dated 7 October 2025 which includes an update on how the recommendations in the McIvor Review have been implemented.
Government Response
Acknowledged
Government Response
Acknowledged
HM Government
Acknowledged
3.3 The resulting report, finalised in 2024, included a number of recommendations aimed at strengthening data protection practices across MOD. Requested details relating to the department’s data protection policies and processes are covered in the department’s response to the Committee set out in the letter dated 7 October 2025 which includes an update on how the recommendations in the McIvor Review have been implemented.
Source
Committee
Public Accounts Committee
Inquiry
Afghanistan Response Route (ARR)
Report
54th Report - Afghanistan Response Route
14 Nov 2025
HC 1391
Addressee Bodies
HM Treasury
Timeline
Recommendation age
0.5 yr
Report published
14 Nov 2025