Source · Select Committees · Public Accounts Committee
54th Report - Afghanistan Response Route
Public Accounts Committee
HC 1391
Published 14 November 2025
Conclusions (26)
2
Conclusion
Accepted
The Department did not have appropriate systems and controls in place at the time of the February 2022 breach to manage personal data in a high-risk environment. The Department did not use a caseworking system designed to hold and process high volumes of sensitive personal information relating to the government’s …
Government Response Summary
The government confirmed the Defence Afghan Relocations Assistance Policy Casework System (DACS) was implemented in May 2022, addressing vulnerabilities with stricter controls, audit logs, and secure data sharing protocols, and undergoes regular maintenance to prevent future data breaches.
3
Conclusion
Accepted
The Department did not do enough to learn the lessons from previous data breaches. Before the February 2022 data breach, the Department had policies in place to protect against the loss of personal information. After three separate data breaches in autumn 2021 relating to the ARAP, the Department reviewed its …
Government Response Summary
The government commissioned an independent MOD-wide Data Protection Review (McIvor Review) in 2023, the recommendations of which were implemented and detailed in a 7 October 2025 letter, and committed to providing a report on mandatory data protection training completion in a future update.
4
Conclusion
Deferred
The Department failed in its responsibility to enable effective scrutiny by the Public Accounts Committee and the National Audit Office. Ministers decided who should be informed about, or ‘read in to’, the super- injunction, balancing the need to know against further increasing the risk to the lives of those affected. …
Government Response Summary
The government's response is irrelevant, discussing BBC Studios' content production and intellectual property targets, and completely fails to address the recommendation regarding information sharing with the Committee and Comptroller and Auditor General on super-injunctions or new guidance from the Treasury.
5
Conclusion
Rejected
The Department did not put in place a mechanism to accurately identify and account for the costs of resettling individuals who were at high risk due to the data breach. The Department accounted for the costs of the ARR within its total spending on Afghan resettlement schemes, rather than identifying …
Government Response Summary
The government rejected the recommendation to capture Afghanistan Response Route (ARR) costs separately due to complexity, proposing instead to provide an indicative cost allocation for both schemes at the end of each financial year via an average cost per person calculation.
1
Conclusion
Accepted
On the basis of a report by the Comptroller and Auditor General (C&AG), we took evidence from the Ministry of Defence (the Department) on the circumstances surrounding the February 2022 data breach and the Department’s subsequent response, including setting up the Afghanistan Response Route (ARR) to relocate affected individuals.1 Since …
Government Response Summary
The government agreed to the conclusion, stating it will signpost to Home Office's quarterly immigration statistics on GOV.UK for Afghan Resettlement Programme data and provide broader updates on MOD's ARR relocation and resettlement activity where possible.
6
Conclusion
Deferred
We received a written submission from the Treasury Officer of Accounts at HM Treasury (the Treasury). This letter, which is published on the Committee’s inquiry page, set out:10 • the Treasury’s understanding of the reporting rules and expectations related to spending following the Afghan data protection breach and in relation …
Government Response Summary
The government's response is irrelevant, discussing the BBC's 'Across the UK programme' and content commissioning, and completely fails to address the conclusion regarding the Treasury Officer of Accounts' submission on reporting rules and guidance for the Public Accounts Committee and NAO.
7
Conclusion
Deferred
At the end of July 2025, the Department estimated that it would resettle 7,355 people through the ARR scheme as a direct result of the February 2022 data breach. This included 1,531 ‘principals’ (initial applicants) 6 C&AG’s Report, para 8 7 C&AG’s Report, para 22 8 C&AG’s Report, paras 9, …
Government Response Summary
The government agrees with the recommendation but then provides a response entirely focused on measures to tackle illegal meat imports, including stepping up communications, developing a strategic approach with Dover Port Health Authority, and considering increased funding for them.
8
Conclusion
Deferred
We asked the Department how it obtained assurance that those put at the highest risk from the data breach were identified and contacted.14 The Department told us that it undertook a risk assessment almost immediately after the breach was discovered, to understand which individuals were at highest risk, what that …
Government Response Summary
The government agrees with the recommendation but then details its work on animal vaccine availability and supply, including plans for a five-year multi-stakeholder Action Plan in late 2026, and efforts related to Bluetongue 3, avian influenza, and Bovine TB vaccines.
9
Conclusion
Deferred
We asked the Department how confident it was that it would be able to resettle all those individuals, and how long it would take. The Department said that the estimate of 7,355 was a “maximalist projection” because it expected that around 80% of eligible principals would take up the offer …
Government Response Summary
The government agrees with the recommendation but then provides details about ongoing work related to a Sanitary and Phytosanitary (SPS) agreement with the EU, strengthening animal disease resilience, and integrating various biosecurity and veterinary strategies.
10
Conclusion
In August 2023, after it discovered the data breach, the Department reported the incident to the Metropolitan Police and the Information Commissioner’s Office (ICO). The police decided that no criminal investigation was necessary. The ICO decided that it was not in a position to conduct its own investigation at that …
11
Conclusion
We asked the Department to outline how the February 2022 data breach had occurred. The Department told us that the systems it used to manage case work for the ARAP scheme—a Sharepoint site and Excel spreadsheets—were not appropriate for handling many thousands of lines of personal data.22 The Department said …
12
Conclusion
Accepted
The Department told us that it has since implemented a new system which has embedded controls to allow the Department to protect information more effectively, and that this meant that it is no longer using embedded or hidden data in spreadsheets.26 The Department 20 C&AG’s Report, para 11 21 C&AG’s …
Government Response Summary
The government states that it implemented the Defence Afghan Relocations Assistance Policy (ARAP) Casework System (DACS) in May 2022, which addressed vulnerabilities such as stricter access controls and audit logs.
13
Conclusion
As part of its investigation into the February 2022 data breach, the Department provided to the ICO details of its data protection policies, as well as training and guidance for staff on the risks of sharing information by email, that were in place at the time of the incident. The …
14
Conclusion
In August 2025, the Department reported that there had been 49 separate data breaches between 2021 and 2025 at the unit handling applications from Afghan citizens to relocate to the UK. Of these, the Department assessed that seven met the threshold for notification to the ICO, including the February 2022 …
15
Conclusion
We asked the Department about its response to a data breach which occurred in September 2021 relating to the ARAP scheme.31 The Department told us that it had engaged with the ICO in the autumn of 2021 follow multiple data breaches.32 The Department disclosed three data breaches which occurred in …
16
Conclusion
We asked the Department about the reported 49 data breaches, which included seven which met the threshold for reporting to the ICO, and whether there were ongoing investigations relating to these. The Department said that five incidents related to the use in emails of the ‘to’ field instead of the …
17
Conclusion
The Department first became aware of the data breach on 14 August 2023, 18 months after it occurred, when personal details of 10 individuals from the dataset were posted online on Facebook.40 Following its discovery of the data breach, on 25 August 2023 the MoD decided to apply to the …
18
Conclusion
The High Court and the Court of Appeal upheld the super-injunction in several subsequent private hearings and judgments between 2023 and 2025.43 The Department said that in September 2023, it expected that an injunction might be in place for at most, a few months.44 The issue could have been raised …
19
Conclusion
The data breach was also not reported in the MoD’s Annual Report and Accounts for 2023–24. The Comptroller & Auditor General, who is an officer of the House of Commons, is responsible for the audit of these accounts, which is carried out by his staff at the National Audit Office …
20
Conclusion
The C&AG told us that the first he knew about the data breach was when it became publicly known in July 2025. His audit director had been briefed at the time of auditing the 2023–24 accounts, that there was a secret matter that could not be shared, and it meant …
21
Conclusion
The C&AG highlighted to us the crucial importance to the audit opinion of being able to assess whether there was adequate provision in the accounts to cover the full costs of resettlement schemes.54 We challenged the Permanent Secretary about the decision not to make the C&AG aware of the data …
22
Conclusion
Accepted
The Department and the C&AG have discussed whether they might develop a protocol for use in similar circumstances in future. The Department told us that a super-injunction was so unprecedented it was hard to think of circumstances in which it was likely to see one again.56 It also said that, …
Government Response Summary
The department will continue to work with the Committee and The Treasury will issue guidance on principles and practicalities of sharing information in the event of a super-injunction. Target implementation date: Spring 2026
23
Conclusion
The Department is not able to determine exactly what it has spent on resettling people through the ARR scheme, because it did not separately identify the costs in its accounting system. The Department told us that it did this because reporting the costs separately would breach the super-injunction and because …
24
Conclusion
At the time of publication of the NAO’s report, the Department had not provided the NAO with enough evidence to have confidence in the completeness and accuracy of the Department’s cost estimates.62 The Department estimates the total cost of the ARR to be £850 million, of which about £400 million …
25
Conclusion
Not Addressed
The Department’s estimate of £850 million for the total costs related to the February 2022 data breach does not include legal costs, which the Department estimates will be at least £2.5 million, or compensation claims from people affected. In July 2025, following the public disclosure of the February 2022 data …
Government Response Summary
Since our evidence session the C&AG has qualified his regularity opinion on the departmental Annual Report and Accounts for the year ended 31 March 2025. The Department made a prior period adjustment to ensure that the legal and other provisions were materially stated as at 31 March 2024. In part this adjustment arose as a consequence of additional provisions being required to be recognized in respect of the anticipated cost of the Department’s established constructive obligation to resettle Afg
26
Conclusion
Not Addressed
Since our evidence session the C&AG has qualified his regularity opinion on the departmental Annual Report and Accounts for the year ended 31 March 2025. The Department made a prior period adjustment to ensure that the legal and other provisions were materially stated as at 31 March 2024. In part …
Government Response Summary
Since our evidence session the C&AG has qualified his regularity opinion on the departmental Annual Report and Accounts for the year ended 31 March 2025. The Department made a prior period adjustment to ensure that the legal and other provisions were materially stated as at 31 March 2024. In part this adjustment arose as a consequence of additional provisions being required to be recognized in respect of the anticipated cost of the Department’s established constructive obligation to resettle Afg