ONEs is well known, the British civil servant has a great many employees, and a significant number of them are also members of the Civil Service Sports & Social Club. These active, outgoing types are well used to receiving correspondence about upcoming events, matches and the management of their club. But sometime in August 2023, an email was sent out to them containing officially sensitive data about a number of Afghan nationals who sought asylum in the UK after the fall of the Kabul government two years earlier, when the allied effort to contain the Taliban finally collapsed.
Unfortunately, which The independent reveals, it is far from the only egregious breach of confidentiality that has potentially put lives at stake in tragicomic fashion. Another accidental leak came from an official who left their laptop open on a train. There have also been examples of WhatsApp being used to share personal data in an insecure manner and flight manifests being exposed that include the details of Afghans arriving in the UK. All are serious cases and some may have put lives at risk.
In the most serious case, spreadsheets containing the personal and contact details of at least 18,700 Afghans who applied to come to the UK under the Afghan Relocations and Assistance Policy (Arap) and through a predecessor scheme were inadvertently sent to people outside official systems – with potentially fatal consequences; one piece of research suggests that 49 may have lost their lives as a result.
That is why the story – along with the subsequent decision to grant asylum to these Afghans regardless of the merits of individual claims – was covered up by the authorities for years. Ongoing lobbying and litigation at The independent eventually succeeded in bringing the whole scandal into the public domain, to widespread consternation.
But the more that is revealed about this scandal, the worse it gets – and the more questions need to be asked about the way the British civil servant handles data. It sounds like a dry debate, but as the Afghan saga proves, it can be a matter of life and death.
It is particularly poignant and shameful that so many Afghans who fought alongside US and British forces – including in the Afghan version of the SAS – should have been so cruelly denied asylum or betrayed by having their details mistakenly leaked to potential enemies. The independent proud to have campaigned to save these brave ex-soldiers from near-certain death and torture at the hands of the Taliban, but also frustrated, like so many, that the process has been both flawed and chaotic.
The permanent secretary at the Ministry of Defense has recently said he will leave his post in the wake of the scandal – but it is not clear that will be enough to force the cultural change so clearly needed across the civil service. A striking aspect of the largest data leak is that a civilian officer in the Ministry of Defense did not understand how tabs can be hidden in an Excel spreadsheet.
Of course, the risks surrounding data security have escalated in the digital age. This was evident almost 20 years ago when two computer disks – at a time when physical storage was still necessary – were sent unencrypted and lost in transit between the HMRC center in Washington, Tyneside and the National Audit Office in London. The discs contained personal information on all 10 million child benefit recipients plus 15 million children, including their names, addresses, dates of birth, National Insurance numbers and, in some cases, bank details. It seems that this particular trove was lost forever and was never put to nefarious purposes. But what should have been an end to a lesson back in 2007 was also quickly forgotten.
Today, cyber attacks are routine across the public and private sectors, causing enormous economic damage. The latest attack on Jaguar Land Rover, for example, is independently estimated to have cost 2 billion. If true, it makes it the most expensive in UK history – a measurable hit.
An obvious conclusion to be drawn from the series of data blunders and cyber-attacks in recent years is that Labour’s proposed digital ID card scheme must be so well designed that it is virtually impossible to hack, and immune to the risks arising from data being “left on a bus” in some way. Otherwise, the consequences of such an event would be too dire to contemplate – as they may have already proven to some Afghan allies in the West.