Secretary of State for Defence – €409,500 Fine (United Kingdom, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 20 September 2021, following the Taliban's ascent to power, the Ministry of Defence (MoD) sent an email to a list of individuals eligible for evacuation from Afghanistan using the ‘To’ field rather than the ‘blind carbon copy’ (‘Bcc’) field. Following this incident, the MoD identified that two similar incidents involving the staff in charge of the UK's Afghan Relocations and Assistance Policy had already occurred. Overall, 265 unique email addresses were disclosed.
The UK DPA (Information Commissioner's Office, ICO) started an investigation and found that the email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Additionally, the MoD confirmed that two people ‘replied all’ to the entire list of recipients, with one of them providing their location. The ICO’s investigation found that the MoD infringed Article 5(1)(f) (UK) GDPR (https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf) by failing to have appropriate technical and organisational measures in place, compromising the security of personal data. This Article is substantially equivalent to the duty of integrity and confidentiality under Article 5(1)(f) GDPR.
The ICO determined that, at the time of the infringement, the MoD did not have operating procedures in place to ensure group emails were sent securely to individuals seeking relocation from Afghanistan. Instead, the staff in charge had to rely on the MoD's broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information. The ICO noted that this human error led to the potential for unauthorized disclosure of sensitive information, putting the individuals’ lives at risk. Due to the risk of Taliban reprisals against supporters of Western forces, the ICO emphasized that the personal data were highly sensitive and required careful handling. Accordingly, the ICO imposed the fine on the MoD in the amount of
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Secretary of State for Defence in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 7 December 2023
Authority: Information Commissioner's Office
Fine Amount: €409,500 (350,000 GBP)
GDPRhub ID: gdprhub-7634
About this data
Cite as: Cookie Fines. Secretary of State for Defence - United Kingdom (2023). Retrieved from cookiefines.eu
Last updated: