The UK Ministry Of Defence’s Afghan Data Breach: Apology Not Accepted

On 15 August 2021, the Taliban captured Kabul, the capital of Afghanistan, and regained control of the country, 20 years after they were ousted by the United States (US) led coalition. Following this, the US, and its allies, including the United Kingdom (UK), withdrew from Afghanistan. Consequently, many Afghans who had worked for and with the US-allied countries have either fled Afghanistan or gone into hiding in fear of attack from the Taliban. In early September 2021, the UK Ministry of Defence’s Afghan Relocations and Assistance Policy team (ARAP) sent two separate emails to more than 300 Afghan interpreters in hiding in Afghanistan who had worked with the UK government during their 20-year fight against the Taliban. The emails, which were seeking updates on the interpreters’ situations, mistakenly copied in the email addresses of the interpreters. Some interpreters replied to the email without noticing the data breach – that their email replies included their profile pictures and contact details which were then made visible to all recipients. The Ministry has publicly apologised for the breach, informed the affected parties, and launched an investigation into the breaches.

This response is, however, inadequate as the mistake not only breaches data handling regulations but puts the lives of the Afghan interpreters in grave danger. If the information revealed lands in the wrong hands, it could enable the Taliban to identify, locate, and potentially harm these Afghans who collaborated with the “enemies of the Taliban. This is therefore a significant breach of the UK’s international human rights obligations to respect the right to life of the Afghan interpreters.

It may look as though the UK has no human rights obligations towards these Afghans because they are not British citizens or living within the UK. However, article 2 (1) of the International Convention on Civil and Political Rights (ICCPR) establishes an extraterritorial obligation on states towards individuals outside their territory in certain situations. In General Comment 31, the Human Rights Committee (HRC) explained that this obligation includes a duty for a state party to respect and ensure the relevant rights of “anyone within the power or effective control of the forces of a state party acting outside its territory, regardless of the circumstances in which such power or effective control was obtained”. Considering that, from 2001 until 2021, the British armed forces maintained a controlling presence in Afghanistan, there is scope to say that the UK has a continuing obligation under the ICCPR to respect and ensure the rights of Afghan nationals. By putting their lives in danger, the UK has therefore breached its obligation to respect the right to private life of the Afghan interpreters and, more significantly, interfered with their right to life protected under article 2 of the European Convention on Human Rights (ECHR) and article 6 of the International Convention on Civil and Political Rights (ICCPR). More action is necessary to prevent any harm to the affected individuals and prevent such dangerous breaches from reoccurring.

THE RIGHT TO PRIVATE LIFE

Article 17 of the ICCPR and article 8 of the ECHR, both of which the United Kingdom is party to, state that there should be no arbitrary or unlawful interference with the privacy of individuals. The UK Human Rights Act of 1980 also reflects this right. This right includes the securing of personal data. As held in MS v Sweden, a 1997 case of the European Court of Human Rights; “the protection of personal data … is of fundamental importance to a person’s enjoyment of [their] right to respect for private and family life as guaranteed by article 8 of the Convention”. Therefore, the UK must prevent data breaches as such breaches compromise the personal data of data subjects without their consent, thereby unlawfully interfering with their privacy.

The UK has provided for such protection by enacting the Data Protection Act of 1998, which sets out strict rules for data handling. However, the government itself has failed to abide by these rules on several occasions in the way it handles data. In 2007, for example, the Chancellor of Exchequer revealed that Her Majesty’s Revenue and Customs had lost personal data of around 25 million people. Since then, there have been many other failures in data protection by the government, including another data breach by the Ministry of Defence in June 2021, when sensitive documents were found at a Kent bus stop. This government has continued its negligence by revealing the sensitive personal information of the Afghan interpreters. However, unlike the previous contraventions, these breaches have an added layer because it also potentially impacts on the right to life.

THE RIGHT TO LIFE

Article 6 of the ICCPR and article 2 of the ECHR, as reflected by the Human Rights Act of 1980, state that every human being has the inherent right to life, of which they shall not be arbitrarily deprived. Individuals are to be free “from acts and omissions that are intended or may be expected to cause their unnatural or premature death, as well as to enjoy a life with dignity”. Considering the current political climate in Afghanistan, this data breach could potentially cause the unnatural and premature death of the affected persons, thereby infringing on this right.

The British government employed the Afghans in receipt of these emails during their twenty-year involvement in Afghanistan. Naturally, these Afghans are considered traitors by the new Taliban government. Although the Taliban has promised amnesty for its enemies, several reports have recorded attacks against individuals who do not submit to the Taliban’s ideologies. A report by the Norwegian Centre for Global Analyses (RHIPTO), which provides intelligence for the United Nations, found that the Taliban had been going door-to-door, hunting those they considered “collaborators” of the West. Samira Hamidi, Amnesty International’s South Asia campaigner, also detailed that Taliban forces have threatened several prominent female activists.

The real risk to their lives has forced many Afghans still in Afghanistan into hiding while seeking relocation to the US, the UK, and other allied states. However, this relocation process has been painfully slow, so there is no telling when these individuals will be able to safely leave Afghanistan. Each day, these persons remain exposed to attacks from the Taliban. By revealing their names, profile pictures, and email addresses, the UK Ministry of Defence has essentially made it much easier for the Taliban to access the identity and location of these persons, thereby significantly increasing the risk to their lives.

MORE APPROPRIATE RESPONSES

Considering the dangerous consequences of this data breach, more concrete steps beyond the current response by the Ministry of Defence should be taken to protect the lives of the Afghan interpreters. For example, the quota of Afghans under the Afghan Relocations and Assistance Policy (ARAP) should be increased to ensure that more people who were employed by the British government will be relocated safely to the UK. Specifically, more definite steps should be taken to ensure the safety of the specific individuals that were affected by this data breach, either by granting them visas to travel to the UK or securing alternative safe accommodation for them in Afghanistan. Furthermore, the British government should consider using sanctions to ensure that the attacks of the Taliban against individuals who are associated with the UK are stopped.

To bring an end to the data breaches by government bodies once and for all, individuals responsible should receive sanctions to deter others in the future. The Ministry of Defence has suspended one individual so far and this is commendable. However, this breach is not down to only one person, so the Ministry should take more steps to identify and punish others responsible.

The investigation launched by the Ministry should produce concrete and practical steps to handle personal data in a more secure manner. Human rights bodies and lawyers should also continue to monitor the government to ensure they stick to their commitment to improving data handling, even when the media excitement around this breach dies down. Finally, the Information Commissioner's Office should undertake legal measures to ensure that the government is held accountable. As suggested by Gene Matthews, a specialist data breach lawyer at the law firm Leigh Day, there could be an independent review of the government’s data processing policies to prevent such errors in the future.

Considering that the government is a repeat offender for data breaches, they should not get away with just an apology and a promise of an investigation. Their negligence has a significant impact on the lives of many individuals, especially these Afghans in hiding, so a stronger response is needed to truly encourage respect for fundamental human rights.