Source · Select Committees · Public Accounts Committee
Recommendation 12
12
Accepted
New casework system DACS implemented with enhanced controls to protect information.
Conclusion
The Department told us that it has since implemented a new system which has embedded controls to allow the Department to protect information more effectively, and that this meant that it is no longer using embedded or hidden data in spreadsheets.26 The Department 20 C&AG’s Report, para 11 21 C&AG’s Report, para 12 22 Qq 1, 10 23 Q 1 24 Q 13 25 Letter from Ministry of Defence, 7 October 2025 26 Q 10 10 introduced its new casework management system, known as the Defence Afghan Casework System (DACS), in May 2022, after the February 2022 data breach occurred but before it was discovered.27 In correspondence received after our evidence session, the Department said that the DACS includes stricter access controls and audit logs, and prevents the sharing of data outside secure systems without appropriate protocols being adhered to.28 Learning lessons from previous data breaches
Government Response Summary
The government states that it implemented the Defence Afghan Relocations Assistance Policy (ARAP) Casework System (DACS) in May 2022, which addressed vulnerabilities such as stricter access controls and audit logs.
Government Response
Accepted
HM Government
Accepted
2.1 The government agrees with the Committee’s recommendation. Recommendation implemented 2.2 The Defence Afghan Relocations Assistance Policy (ARAP) Casework System (DACS) was introduced in May 2022. It is used for ARAP and Afghan Response Route eligibility case- working. DARR have recently included a limited number of ACRS details into DACS to assist with cross-government resettlement work however the majority of ACRS data is managed on Home Office systems. 2.3 The introduction of DACS addressed many of the vulnerabilities, including stricter access controls, audit logs, and protocols to limit data sharing outside secure systems. DACS undergoes maintenance and improvements on a regular basis to mitigate against the risk of a future data incident. 2.4 While sharing personal data with trusted third parties outside of central Government remains crucial in verifying applications, the completion of data sharing agreements and data protection impact assessments enables the department to manage the associated risks. There are numerous data sharing agreements in place to facilitate this and in January 2025, the department introduced new software that enhances our ability to securely share data with partners for the purposes of administering the ARP. 2.5 The department continues to enhance technical controls that seek to address the likely causes of a data incident as part of its cyber security programme. Through these technical improvements, the department is equipped with the right tools to minimise the risk of a recurrence of the February 2022 data incident or similar.