The government is under pressure to clarify why it has not yet acted on all recommendations from the 2023 review. This includes findings concerning Afghans, victims of child sexual abuse, and 6,000 disability claimants working alongside the British military.

On Thursday, the Minister finally published an information security review. This move followed a 2023 leak involving personal data of approximately 10,000 military personnel from Northern Ireland’s police service.

The Cabinet Office’s review of 11 public sector data breaches revealed three overarching themes affecting entities such as HMRC, the Metropolitan Police, Benefits Systems, and the MOD.

• Insufficient control over incidental downloads and the aggregation of sensitive data.

• Disclosure of sensitive information through “wrong recipient” emails and improper use of BCC.

• Undisclosed personal data emerging from spreadsheets set for release.

The review was released 22 months after the database of 18,700 Afghans was finalized just a month following its publication and was praised by Chi Onwurah, chair of the Science, Innovation and Technology Committee. However, she remarked:

Data breaches concerning Afghans have instilled fear among those concerned for their safety under the Taliban and those wary of the UK government, which promised relocation to thousands of Afghans under a confidential plan.

The government reported that it has acted on 12 of the 14 recommendations aimed at enhancing data security. Onwurah stated: “There are still questions that the government must address regarding the review. Why have only 12 out of the 14 recommendations been executed?”

“For governments to leverage technology to boost the economy and fulfill their aspirations of public sector transformation, they must earn their citizens’ trust in safeguarding their data.

Intelligence Commissioner John Edwards urged the government to “encourage the broader public sector to expedite the organization of its practices to secure Whitehall.”

He emphasized to Cabinet Secretary Pat McFadden on Thursday, “It is imperative that the government fully actualizes the recommendations from the Information Security Review.”

It remains unclear which of the 14 recommendations are still pending implementation. The full list includes collaboration with the National Cybersecurity Centre to disseminate existing guidance on the technical management of “official” labeled products and services, marking of “official” information, launching a “behavioral impact communication campaign” to combat ongoing deficiencies in information processing, and the necessity for a “review of sanctions related to negligence.”

McFadden and Peter Kyle, the secretaries of state for science, innovation, and technology, communicated to Onwurah in a letter on Thursday.

A spokesperson for the government stated: “This review concluded in 2023 under the previous administration.

“Safeguarding national security, particularly government data security, remains one of our top priorities. Since taking office, we have introduced plans to enhance inter-sector security guidance, update enforcement training for civil servants, and improve the digital infrastructure throughout the public sector, aligning with the shift towards modern digital governance.”