In 2022, a data breach by the Ministry of Defence (“MoD”) resulted in the leaking of highly sensitive personal data of Afghans looking to resettle in the UK. Initially, the UK Government applied for a super injunction, preventing the media from reporting the leak. However, this was recently lifted in July 2025, allowing for public scrutiny and raising serious concerns about the MoD’s data processing security policies.
What is a super injunction?
A super injunction is a directive that prohibits both the public disclosure of any information relating to an issue. Additionally, it prohibits any disclosure of the existence of the directive itself. The difference between a super injunction and a regular injunction is that a super injunction imposes strict confidentiality on the very existence of legal proceedings. Only the High Court can grant a super injunction. Moreover, an applicant must meet strict legal tests such as necessity or the existence of a risk of serious harm. In 2023, Mr Justice Chamberlain proposed lifting the super injunction when he raised freedom of expression concerns. This was appealed by the Government, before being finally lifted in July 2025.
Data protection issues
The leak came when an MI6 employee inadvertently emailed a spreadsheet, containing the details of Afghans applying to relocate to the UK, outside the relevant government team. The leak raises serious concerns under the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018. These are the two main legislative instruments governing data protection in England & Wales. Article 5 of the UK GDPR sets out six “principles” and a breach of any of these principles can result in enforcement action or claims against the controller and processor of information. Here, it appears that Article 5(1)(f), known as the “security” principle, has been breached due to the MoD’s apparent failure to protect “against unauthorised or unlawful processing and against accidental loss”. The spreadsheet contained names of individuals and family members relocating to the UK. Although such information is not sensitive per se, in this particular context, it relates to Afghans who served alongside British troops and who may be particularly vulnerable under the current Taliban regime. Such identifying information could present a major threat to them.
Enforcement and compensation
The data breach is believed to have affected thousands of individuals who had applied for relocation prior to January 2022. In England & Wales, enforcement action against data protection breaches is carried by the ICO. This is the Information Commissioner Office (the UK’s data protection regulator). Such enforcement actions can range from reprimands, to civil monetary penalties to dawn raids. In this case, the ICO decided not to take any action.
However, it also possible for data subjects effected by the leak to obtain compensation in their own right. Compensation for data protection breaches comes in the form of loss from material (i.e. financial) or non-material (which includes distress) under Article 82 of UK GDPR. In this case, the distress experienced by those fearing persecution from the Taliban would likely give grounds for compensation. Certainly, this is the case even where there is no evidence that Taliban actually harmed anyone as a direct result of the leak. There may also be a possible claim for a breach of Article 8 of the Human Rights Act 1998, which provides for the right to private and family life.
Conclusion
This leak has brought understandable concern surrounding the data security policies of the MoD. As Emily Keeney, deputy commissioner of the ICO, said the “stakes were simply too high”. Although the ICO decided not to carry out any enforcement action, there may be opportunities for individuals affected by the leak to bring a claim for compensation. Any immediate limitation issues in bringing such a claim are negated by the super injunction, lifted in July 2025.
At Taylor Hampton, we have extensive experience in representing clients in data protection claims. Please feel free to contact us here for a free call on 02074275970 for more information about us see: Our Legal Team – Taylor Hampton
Disclaimer: This article provides general guidance only and does not constitute legal advice. Civil procedure rules and case law can change. Always seek professional legal advice tailored to your specific situation before acting.