UK government officials cite legacy IT infrastructure as the primary obstacle to implementing secure data-sharing systems following critical Afghan informant leaks, revealing only partial compliance with security recommendations amid parliamentary scrutiny.

The UK government faces significant technical hurdles in implementing critical data protection measures due to outdated legacy IT systems, ministers revealed during intense parliamentary scrutiny this week. This admission follows the catastrophic 2022 Ministry of Defence (MoD) breach where sensitive details of 19,000 Afghan informants were exposed through email errors, endangering lives.
During Tuesday's hearing before Parliament's Science, Innovation and Technology Committee, ministers acknowledged that legacy infrastructure prevents full implementation of the Information Security Review recommendations published in August 2025. The review, compiled in 2023 but withheld for two years, mandated eliminating email-based data transfers after identifying human error as the primary vulnerability in government data handling. Its 14 recommendations specifically require developing direct system-to-system data sharing protocols to prevent accidental disclosures.
Minister for Digital Government and Data Ian Murray confirmed that 'technical solutions blocking civil servants from attaching documents to emails' represent core compliance objectives. However, Chief Data Officer Aimee Smith detailed operational constraints: 'Where departments operate on various legacy systems, emailing attachments internally may be the only way to transfer information between systems. This complexity across departments and arm's-length bodies necessitates tailored support and investment.'
Technical compliance challenges escalate when data is shared externally. While Smith confirmed sufficient capability exists within Google Workspace and Microsoft 365 environments for internal secure sharing, cross-departmental transfers to external entities using incompatible legacy systems remain problematic. Recent year-end guidance now requires departments to implement available secure transfer tools, though legacy integration issues persist.
The committee pressed ministers on accountability metrics, demanding transparency on progress. Security officials disclosed an October 2025 assurance exercise showing 90% compliance with data security standards across departments. Vincent Devine, Head of UK Government Security, noted departments receive confidential Red-Amber-Green (RAG) ratings for security measures, withholding specifics to avoid aiding threat actors. Despite this, Murray asserted that '13.5 of the 14 recommendations have been implemented,' citing pending technical meetings on governance structures for the incomplete item.
Committee Chair Dame Chi Onwurah challenged the government's standards amid upcoming digital ID initiatives: 'Government must get data protection right 100% of the time, especially with digital ID becoming foundational to service delivery.' Security Minister Dan Jarvis countered that human error remains unavoidable despite robust processes, emphasizing 'absolute determination to achieve the best outcome' through cultural change and technical safeguards.
Compliance professionals should note three critical action points:
- Departments must prioritize legacy system modernization to enable secure data pipelines
- Implementation of secure transfer protocols is now mandatory per year-end guidance
- Ongoing RAG assessments will track progress, though public reporting remains limited
The government faces continued pressure to resolve legacy IT constraints before the planned nationwide rollout of digital identity systems, with further committee hearings expected to monitor remediation efforts.
