54th Report - Afghanistan Response Route
Select Committee
Public Accounts Committee
HC 1391
14 November 2025
Recommendations
0 resultsNo recommendations found matching the selected filters. Clear filters
Conclusions (12) Observations and findings — click to expand
10
Conclusion
Acknowledged
In August 2023, after it discovered the data breach, the Department reported the incident to the Metropolitan Police and the Information Commissioner’s Office (ICO). The police decided that no criminal investigation was necessary. The ICO decided that it was not in a position to conduct its own investigation at that …
Government Response Summary
The government commissioned an independent, MOD-wide Data Protection Review in response to several high-profile and sensitive data protection incidents.
13
Conclusion
Acknowledged
As part of its investigation into the February 2022 data breach, the Department provided to the ICO details of its data protection policies, as well as training and guidance for staff on the risks of sharing information by email, that were in place at the time of the incident. The …
Government Response Summary
The government references a letter dated 7 October 2025 which includes an update on how the recommendations in the McIvor Review have been implemented.
14
Conclusion
In August 2025, the Department reported that there had been 49 separate data breaches between 2021 and 2025 at the unit handling applications from Afghan citizens to relocate to the UK. Of these, the Department assessed that seven met the threshold for notification to the ICO, including the February 2022 …
15
Conclusion
We asked the Department about its response to a data breach which occurred in September 2021 relating to the ARAP scheme.31 The Department told us that it had engaged with the ICO in the autumn of 2021 follow multiple data breaches.32 The Department disclosed three data breaches which occurred in …
16
Conclusion
We asked the Department about the reported 49 data breaches, which included seven which met the threshold for reporting to the ICO, and whether there were ongoing investigations relating to these. The Department said that five incidents related to the use in emails of the ‘to’ field instead of the …
17
Conclusion
The Department first became aware of the data breach on 14 August 2023, 18 months after it occurred, when personal details of 10 individuals from the dataset were posted online on Facebook.40 Following its discovery of the data breach, on 25 August 2023 the MoD decided to apply to the …
18
Conclusion
The High Court and the Court of Appeal upheld the super-injunction in several subsequent private hearings and judgments between 2023 and 2025.43 The Department said that in September 2023, it expected that an injunction might be in place for at most, a few months.44 The issue could have been raised …
19
Conclusion
The data breach was also not reported in the MoD’s Annual Report and Accounts for 2023–24. The Comptroller & Auditor General, who is an officer of the House of Commons, is responsible for the audit of these accounts, which is carried out by his staff at the National Audit Office …
20
Conclusion
The C&AG told us that the first he knew about the data breach was when it became publicly known in July 2025. His audit director had been briefed at the time of auditing the 2023–24 accounts, that there was a secret matter that could not be shared, and it meant …
21
Conclusion
The C&AG highlighted to us the crucial importance to the audit opinion of being able to assess whether there was adequate provision in the accounts to cover the full costs of resettlement schemes.54 We challenged the Permanent Secretary about the decision not to make the C&AG aware of the data …
23
Conclusion
Acknowledged
The Department is not able to determine exactly what it has spent on resettling people through the ARR scheme, because it did not separately identify the costs in its accounting system. The Department told us that it did this because reporting the costs separately would breach the super-injunction and because …
Government Response Summary
The government states that capturing costs for the ARR scheme separately would be disproportionately complex and resource intensive, and proposes an alternative approach for allocating costs.
24
Conclusion
At the time of publication of the NAO’s report, the Department had not provided the NAO with enough evidence to have confidence in the completeness and accuracy of the Department’s cost estimates.62 The Department estimates the total cost of the ARR to be £850 million, of which about £400 million …