Recommendation 10

In August 2023, after it discovered the data breach, the Department reported the incident to the Metropolitan Police and the Information Commissioner’s Office (ICO). The police decided that no criminal investigation was necessary. The ICO decided that it was not in a position to conduct its own investigation at that time, because of the restrictions resulting from the super-injunction and the classification of much of the relevant material as Secret or Top Secret. Instead, the ICO decided to review, oversee and propose lines of investigation to the Department’s internal investigation team.20 The ICO found that, due to the urgency with which the Department was operating, there was “inherently some risk” it was having to take by sharing data externally. It also found that, at the time of the breach, the Department’s systems were not set up for this way of working, and the Department was working at pace due to its assessment that there was a clear threat to life.21