Secretary of State for Defence – €409,500 Fine (United Kingdom, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK's Ministry of Defence accidentally revealed the email addresses of 265 people eligible for evacuation from Afghanistan. This mistake happened when they used the 'To' field instead of 'Bcc', putting individuals' safety at risk. The Information Commissioner's Office fined them because they failed to protect sensitive personal data properly.
What happened
The Ministry of Defence disclosed the email addresses of 265 individuals seeking evacuation from Afghanistan by using the 'To' field in an email.
Who was affected
Individuals eligible for evacuation from Afghanistan whose email addresses were exposed to all recipients.
What the authority found
The Information Commissioner's Office ruled that the Ministry of Defence did not have adequate security measures in place, violating Article 5(1)(f) of the UK GDPR.
Why this matters
This case highlights the importance of secure communication practices, especially when handling sensitive information. Organizations must ensure they have proper procedures to protect personal data to avoid similar costly mistakes.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 20 September 2021, following the Taliban's ascent to power, the Ministry of Defence (MoD) sent an email to a list of individuals eligible for evacuation from Afghanistan using the ‘To’ field rather than the ‘blind carbon copy’ (‘Bcc’) field. Following this incident, the MoD identified that two similar incidents involving the staff in charge of the UK's Afghan Relocations and Assistance Policy had already occurred. Overall, 265 unique email addresses were disclosed.

The UK DPA (Information Commissioner's Office, ICO) started an investigation and found that the email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Additionally, the MoD confirmed that two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The ICO’s investigation found that the MoD infringed Article 5(1)(f) (UK) GDPR (https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf) by failing to have appropriate technical and organizational measures in place, compromising the security of personal data. This Article is substantially equivalent to the duty of integrity and confidentiality under Article 5(1)(f) GDPR. The ICO determined that, at the time of the infringement, the MoD did not have operational procedures in place to ensure group emails were sent securely to individuals seeking relocation from Afghanistan. Instead, the staff in charge had to rely on the MoD's broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information. The ICO noted that this human error led to the potential for unauthorized disclosure of sensitive information, putting the individuals’ lives at risk. Due to the risk of Taliban reprisals against supporters of Western forces, the ICO emphasized that the personal data were highly sensitive and required careful handling. Accordingly, the ICO imposed the fine on the MoD in the amount of
Related Enforcement Actions (0)
No other enforcement actions found for Secretary of State for Defence in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
7 December 2023
Authority
Information Commissioner's Office
Fine Amount
€409,500
350,000 GBP
GDPRhub ID
gdprhub-7634
About this data
Cite as: Cookie Fines. Secretary of State for Defence - United Kingdom (2023). Retrieved from cookiefines.eu
Last updated: