Source · Select Committees · Public Accounts Committee

Recommendation 3


Require Department to detail data protection policies, assurance, and changes made after breaches

Conclusion
The Department did not do enough to learn the lessons from previous data breaches. Before the February 2022 data breach, the Department had policies in place to protect against the loss of personal information. After three separate data breaches in autumn 2021 relating to the ARAP, the Department reviewed its data protection policies and guidance, and it worked with the Information Commissioner’s Office (ICO) to make targeted improvements to prevent similar incidents from recurring. Despite this, the Department continued to experience data breaches, including the significant data breach in February 2022. In August 2025, the Department disclosed that there had been 49 separate data breaches to date at the unit handling applications from Afghan citizens to relocate to the UK, seven of which met the threshold for disclosure to the ICO. The Department continues to work to reduce the risk of further data breaches, but it has not given us confidence that sufficient action has yet been taken.

Recommendation
Alongside its Treasury Minute response, the Department should write to the Committee to provide details of:
• its policies, processes and guidance to prevent data protection breaches relating to personal information;
• how the Department assures itself that these are being followed, including the level of attendance at related mandatory training; and
• the changes to policies, processes and guidance the Department has made in response to previous data breaches.
Government Response Summary
The government commissioned an independent MOD-wide Data Protection Review (the McIvor Review) in 2023. It states that the review’s recommendations have been implemented, with details set out in its letter to the Committee dated 7 October 2025, and it commits to reporting the completion rate for mandatory data protection training in a future update.
Government Response
HM Government: Accepted
The government agrees with the Committee’s recommendation.

Recommendation implemented
In 2023, the department’s Executive Committee commissioned an independent, MOD-wide Data Protection Review in response to several high-profile and sensitive data protection incidents within the department and across government. This included the discovery of the February 2022 incident. Neil McIvor, the Chief Data Officer at the Department for Education, was appointed to lead this comprehensive review. The resulting report, finalised in 2024, included a number of recommendations aimed at strengthening data protection practices across MOD.

Requested details relating to the department’s data protection policies and processes are covered in the department’s response to the Committee set out in the letter dated 7 October 2025, which includes an update on how the recommendations in the McIvor Review have been implemented.

In addition to the McIvor Review, the department will provide a report showing the percentage of staff who have completed the mandatory data protection and information governance training within the first six-monthly update to the Committee referenced at recommendation 1.