Recommendation 16

We asked the Department about the reported 49 data breaches, which included seven which met the threshold for reporting to the ICO, and whether there were ongoing investigations relating to these. The Department said that five incidents related to the use in emails of the ‘to’ field instead of the ‘bcc’ field; one related to an incorrect link to an online portal; and one was the February 2022 data breach.37 We also asked the Department whether there were any further incidents which were not in the public domain. The Department told us that there are no further incidents which would meet the threshold for notification to the ICO, but that it is a feature of running a complex and large organisation that there will be accidental data breaches.38 In correspondence received after our evidence session the Department provided details of the 49 breaches, including clarifying that some of the incidents had been combined such that the seven incidents which met the threshold for reporting to ICO were being shown as five incidents on its list.39 34 Q 2 35 Q 3 36 Letter from Ministry of Defence, 7 October 2025 37 Qq 22–23 38 Qq 64–65 39 Letter from Ministry of Defence, 7 October 2025 12 Enabling effective scrutiny of the Afghanistan Response Route The Department’s approach to notifying Parliament