UK government facing questions over 2023 review of 11 major data breaches
28/08/2025 | UK Parliament
The UK government is facing pressure to explain why it has not yet fully implemented the recommendations from a review into a series of serious public sector security incidents. The review was initiated following the Police Service of Northern Ireland (PSNI) personal data breach in 2023, in which the personal details of more than 10,000 PSNI officers and civilian staff members were mistakenly published online.
The Cabinet Office's information security review examined 11 incidents across various departments, including the Ministry of Defence (MoD) and HMRC, which led to the exposure of data belonging to Afghan partners, child abuse victims, and disability claimants.
The review found that while public servants were generally acting in good faith, three common themes contributed to the breaches: a lack of controls over ad-hoc data downloads, the accidental release of sensitive information via "wrong recipient" emails, and the presence of hidden personal data in spreadsheets.
The report did not identify a single cause for the incidents but grouped its recommendations into four areas: process and governance, technology, policy, and culture and training. It suggested both short-term checks for departmental Permanent Secretaries to reduce immediate risks and central interventions to improve data security culture across the civil service. The review emphasised the importance of the cross-government data protection community in driving a more resilient and sustainable data security culture.
Separately, a letter titled "Stopping Data Breaches in Government" was sent by Information Commissioner John Edwards to Pat McFadden, the Minister for Intergovernmental Relations at the Cabinet Office. In the letter, Edwards calls on the government to "go further and faster to ensure Whitehall, and the wider public sector put their practices in order." Edwards added that the government should implement the full findings of the 2023 review as a "matter of urgency".
In a statement, Dame Chi Onwurah, Chair of the Science, Innovation and Technology Committee, said: "I'm glad that this information security review has finally been made public, but it's concerning that it took an intervention from my committee and the Information Commissioner to make this happen. The government still has questions to answer about the review. Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan Breach became public?
“I have asked Minister Pat McFadden and Information Commissioner John Edwards to appear before my committee to explain the circumstances around this review and how far its recommendations have been implemented. Proper scrutiny on this is desperately needed, and it’s crucial we have a better understanding of how the government plans to stop these dangerous data breaches.
“For the government to fulfil its ambitions of using tech to boost the economy and transform our public sector, it needs the public to trust that it can keep their data secure. If it can’t, how can anyone be comfortable handing over their personal information?”
Additional reporting by The Guardian.
In a related LinkedIn post discussing Edwards' letter, data protection specialist Jon Baines asks whether the subtext is an admission that "the public sector [enforcement] approach might not be working as well as he might have hoped."
Editor's note 05/09/25: The link to the ICO letter is no longer active. We have inquired about the removal of the link but have not yet received a response.