Afghan Data Breach Highlights Failures in UK GDPR Safeguards

The UK government's accidental disclosure of personal data belonging to Afghan nationals who worked with British forces raises serious concerns under the UK General Data Protection Regulation. The breach involved names, photographs, and contact details, placing individuals at significant risk and highlighting critical failures in data handling.

As soon as it became clear that the leaked data could be used by the Taliban to target individuals, the government launched a covert evacuation plan, ‘Operation Rubific’. The incident occurred under the previous Conservative government, which secured a superinjunction preventing media outlets from reporting on the breach. That injunction was lifted today.

Under the UK GDPR, personal data must be processed lawfully, fairly, and securely. Article 5 sets out clear principles, including purpose limitation, data minimisation, and integrity and confidentiality. In this case, however, transparency and security obligations appear to have been overridden by secrecy.

Data controllers are required to implement appropriate technical and organisational measures to protect personal information. When handling data that could impact the safety of individuals, these responsibilities become even more pronounced. The incident demonstrates a breakdown in governance and oversight, and underscores the legal and operational importance of robust data protection practices, particularly in high-risk contexts.
