Government releases previously undisclosed review into public sector data breaches
The Government has published a previously undisclosed review into public sector data security, commissioned after a series of high-profile breaches, including the exposure of Afghan relocation applicants' details.
The Cabinet Office commissioned the review in 2023 after a series of high-profile public sector data breaches, including one in which the email addresses of 245 applicants to an Afghan relocation programme were copied into an email chain.
The existence of the document was not previously public, but it has now been published following pressure from the Chair of the Science, Innovation and Technology Committee, Dame Chi Onwurah.
The review looked at a series of previous data breaches and found that they had three themes in common:
- a lack of sufficient controls over ad-hoc downloads / exports of aggregations of sensitive data from databases;
- the release of sensitive information via 'wrong recipient' emails, and the release of membership of sensitive groups through the placing of their addresses in visible fields;
- the presence of hidden personal data within spreadsheets destined for publication or release.
Officials at the Cabinet Office and Department of Science, Innovation and Technology (DSIT) told the committee chair in a joint letter that 12 of the review's 14 recommendations had been implemented.
The review called on Departments to triage information requests to make sure that those which may involve personal data are identified and additional controls put in place, and included strengthened guidance on data handling for staff working in crisis.
It also recommended adopting the Government's new Microsoft Office 365 guidance developed alongside a new security classifications policy, to build checks into departments' IT systems.
Senior civil servants told Onwurah in a letter sent on Thursday (28 August) that the Government had taken "concrete action" to improve data security across Government in a broad range of areas, including strengthening its policies, creating better governance processes, and enhancing technological solutions since the Afghan Relocations and Assistance Policy (ARAP) data incident.
A separate letter sent by the Chancellor of the Duchy of Lancaster, Pat McFadden, meanwhile assured the committee chair that the review's recommendations had "been taken forward under the previous administration and under the current government".
He added: "Good progress has been made but we must guard against complacency. This is an area on which we must keep a consistent focus to ensure standards continue to improve."
Onwurah said it was "concerning" that it took an intervention from the committee and the Information Commissioner before the Government decided to publish the review.
She added: "The Government still has questions to answer about the review. Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan Breach became public?"
She has since asked McFadden and Information Commissioner John Edwards to appear before her committee to explain the circumstances around this review and how far its recommendations have been implemented.
Adam Carey