Source · Select Committees · Public Accounts Committee
Recommendation 2
Accepted
Require assurance that new casework system prevents recurrence of Afghan resettlement data breaches
Conclusion
The Department did not have appropriate systems and controls in place at the time of the February 2022 breach to manage personal data in a high-risk environment. The Department did not use a caseworking system designed to hold and process high volumes of sensitive personal information relating to the government’s Afghan resettlement schemes until May 2022, when it introduced the Defence Afghan Casework System. Instead, the Department relied on Excel spreadsheets stored in a SharePoint site, which was neither appropriate nor adequate for handling thousands of lines of personal data. The Department was still managing its data in this way when it launched the ARAP in April 2021, amidst a rapidly deteriorating security situation in Afghanistan. The manner in which the Department was storing and accessing this data contributed to the February 2022 data breach. This is because the individual who sent the email inadvertently shared data on 18,700 people without knowing it was included in the spreadsheet. They thought they were sharing only information relating to 150 people, for a legitimate purpose to gather information about applicants’ eligibility.
Recommendation
The Department should provide confirmation to the Committee that it is now managing all Afghan resettlement schemes through its new caseworking system and provide us with assurance that this would prevent a recurrence of the February 2022 breach or similar.
Government Response Summary
The government confirmed the Defence Afghan Relocations Assistance Policy Casework System (DACS) was implemented in May 2022, addressing vulnerabilities with stricter controls, audit logs, and secure data sharing protocols, and undergoes regular maintenance to prevent future data breaches.
Government Response
Accepted
HM Government
The government agrees with the Committee’s recommendation.
Recommendation implemented
The Defence Afghan Relocations Assistance Policy (ARAP) Casework System (DACS) was introduced in May 2022. It is used for ARAP and Afghan Response Route eligibility case-working. DARR have recently included a limited number of ACRS details into DACS to assist with cross-government resettlement work; however, the majority of ACRS data is managed on Home Office systems. The introduction of DACS addressed many of the vulnerabilities, including stricter access controls, audit logs, and protocols to limit data sharing outside secure systems. DACS undergoes maintenance and improvements on a regular basis to mitigate against the risk of a future data incident.
While sharing personal data with trusted third parties outside of central Government remains crucial in verifying applications, the completion of data sharing agreements and data protection impact assessments enables the department to manage the associated risks. There are numerous data sharing agreements in place to facilitate this and in January 2025, the department introduced new software that enhances our ability to securely share data with partners for the purposes of administering the ARP. The department continues to enhance technical controls that seek to address the likely causes of a data incident as part of its cyber security programme. Through these technical improvements, the department is equipped with the right tools to minimise the risk of a recurrence of the February 2022 data incident or similar.