Lauren Wills-Dixon quoted by Daily Mail on Ministry of Defence payroll system data breach

Lauren Wills-Dixon, lawyer and data privacy expert, has been quoted by the Daily Mail on the payroll data breach at the Ministry of Defence (MoD).

On 7 May, it was reported that a payroll system, which is managed by an external contractor, had been hacked and the records of more than 250,000 current and former armed forces personnel and MoD staff were breached.

The data is described as ‘personal HMRC-style information’ and relates to current and former members of the Royal Navy, Army and Royal Air Force over a period of several years. Based on early investigations, it is understood that data has not been removed from the payroll system.

Discussing the nature of the data involved in the breach, Lauren said: “From what we know, this data is not ‘special category’ or ‘sensitive’ personal data under data protection laws. This type of data usually results in higher risk breaches with identity theft being a key risk and examples include health records and identification documents.

“However, personal data of military and ex-military personnel is sensitive from a potential cyber espionage point of view.

“Whilst the MOD has indicated no personal data has been ‘removed’ from their systems, a breach of security leading to unauthorised access to personal data is classed as a personal data breach under data protection laws.

“In most cases, this comes with a regulatory obligation to notify the Information Commissioner, and where the breach is likely to result in a risk to individual rights and freedoms, those affected by the breach too.”

According to the MoD and in a statement made to Parliament by the Secretary of Defence, work started quickly after the breach became known on informing those affected, setting up a helpline and offering specialist advice.

It is understood that salary payments were not affected although there might be a slight delay in expenses payments.

Lauren said “This will be to contain and mitigate the effects of any breach and any further unauthorised access.”

Although the payroll system was managed by an external contractor, this issue highlights responsibilities around protecting employee data.

Commenting on this, Lauren said: “Whilst there are reports this was a ‘third party’ database which was compromised, the MOD – and any ‘data controller’ under data protection laws – remains primarily responsible for the security measures it adopts and external providers it engages to store and protect its personal data.

“Incidents like this are a reminder to any public or private sector organisation engaging third parties for things like IT and payroll systems to ensure that such third parties have robust security measures in place to protect personal and sensitive personal data.”

You can read Lauren’s comments in the Daily Mail here.

As employers continue to face escalating risks from data breaches and hackers, it is essential they have the right legal partner providing high-quality regulatory and data protection guidance. Find out more about what our data privacy lawyers can do for you.