Source · Select Committees · Public Accounts Committee

Recommendation 11

February 2022 data breach caused by inappropriate systems and hidden data.

Conclusion
We asked the Department to outline how the February 2022 data breach had occurred. The Department told us that the systems it used to manage case work for the ARAP scheme—a SharePoint site and Excel spreadsheets—were not appropriate for handling many thousands of lines of personal data.[22] The Department said that the context for this was that it built up the ARAP scheme at pace throughout 2021 as it became clear that the situation in Afghanistan was deteriorating rapidly.[23] The Department also told us that the individual who sent the email which caused the data breach had asked for data on 150 individuals, but that the underlying data was hidden and that they emailed the data out, not knowing the underlying database was there.[24] In correspondence received after our evidence session, the Department stated that the February 2022 incident was a result of a one-off action, rather than reflecting a wider culture of non-compliance, but that it was facilitated by the lack of appropriate systems to prevent or mitigate the error.[25]