Defence Committee — Oral Evidence (HC 1304)
We resume today’s evidence session on the Afghan data breach and resettlement schemes. For our second panel, I am pleased that we have with us someone who is definitely well versed with the workings of the House of Commons Defence Committee: Mr David Williams, the former permanent secretary at the Ministry of Defence. I am also pleased that we have with us Mr Paul Lincoln, the former second permanent secretary at the Ministry of Defence. For this panel, we have about an hour and a quarter, so we will conclude at about 12.30 pm.
Good morning, gentlemen. A few months ago, I guested on the Public Accounts Committee to discuss the Department’s position on data handling and risk. I hope that we can take on board that evidence as part of our own investigation. Mr Williams, you were the then permanent secretary and you set out the Department’s position on the data-handling risk. I just want to revisit some of that evidence and test it against what we now know. Before February 2022, what concrete assurances did you have that the ARAP data risks were under control? What evidence did that assurance rely on?
Mr Bailey and Chair, thank you. I appreciate that we are tight for time, but if I may, I have two very brief points of contact before I come to the specific question. First, Mr Bailey, you mentioned my appearance in front of your sister Committee in the autumn. I would like to start this session by repeating the apology that I made there for this data breach, as permanent secretary of the MOD, to those affected by it, and its impact. This was a serious departmental failing in which the MOD fell well short of the standards that you might reasonably expect. I welcome the opportunity to come back today—albeit no longer a serving civil servant—because the work of this Committee and others in identifying lessons for the future, alongside the work that the Government are undertaking, is really important. Mr Lincoln and I have been reflecting on our own personal take on this, and during this hearing, I think we expect to explore some of our key personal takeaways. We can follow up in writing if need be. I would group our personal lessons around the importance of setting up for success, particularly in a cross-Government venture, how you transition from crisis to sustainable delivery, keeping a focus on the outcomes that you are looking at. Obviously, there are lessons around data protection and information security, which I think tend to the wider security culture in defence. There are questions of accountability and risk management, as Mr Bailey has asked. Of course, there are then important questions around transparency and scrutiny, particularly in the unprecedented circumstances of a super-injunction. I look forward to the opportunity to explore some or all of those themes with you today. Mr Bailey, you asked about risk management, and risks to data in the context of this resettlement scheme. Risks were identified in the period that you mentioned, but let me make a couple of observations. 
Firstly, the ARAP scheme—the Afghan relocations and assistance policy—was announced in December 2020 and launched in April 2021, just before I took up post as permanent secretary. Its expectations of the volumes of people who we might need to resettle turned out to be a materially low underestimate, in the light of the circumstances that then occurred with the UK and allied withdrawal from Afghanistan, and the collapse of the Afghan national Government. Point one on risk is about thinking through the volume of data that we were dealing with, which became increasingly apparent through the autumn of 2021 and into early 2022. To give context, at the time when the scheme was set up, we expected to maybe bring around 800 principals, and 4,000 people in total, back to the UK. The MOD scheme has had around 200,000 applications, so you can see the risk associated with scale. The other challenge was that the scheme itself was really set up and then tested through the summer of 2021 in a live operational environment. For a Department that is not set up to run what was effectively an immigration scheme, the systems that we had in place were essentially a combination of the ad hoc use of spreadsheets on SharePoint sites, which do not have the data protection built in that you would get in an appropriate system. One of the decisions I took in the autumn of 2021 was to move responsibility for the ARAP scheme from our operational headquarters in PJHQ—during our presence in Afghanistan, it made sense for it to sit there—to a new directorate in the MOD head office to try to put it on a more sustainable footing. As an early piece of that work, the senior civil servant that I had appointed to lead this new team set out a range of issues that would be needed to establish the resettlement scheme successfully. That included flagging to me risks around data protection and information security in particular.
There were specific issues about the need to move off as quickly as we could from the ad hoc use of spreadsheets, to ensure that Defence Digital was leaning in fully to support that work, and to investigate the adoption of Home Office systems—indeed, to move our data on to Home Office systems specifically designed for this purpose. That was the context and background of the work to develop the new DACS case management system, on which we began work in late 2021 or early 2022. It was introduced from May 2022, albeit too late to have an impact on the data breach that you are examining. You raised this point specifically with me in October: I do recognise that as you bring together individual pieces of information that, in and of themselves, may not be sensitive, the aggregation of that data can make the overall dataset more sensitive. I accept that that was the case here. I think the particular circumstances of the scheme meant that we were deliberately seeking to bring together as much data as possible to understand the eligibility of individuals that we wanted to bring back to the UK. It was a necessary part of the process, but it added to the sensitivity of the overall dataset. I will pause there.
For those of you who are not familiar with our Public Accounts Committee session, I think you have covered most of the questions we asked there and the to-ing and fro-ing. Part of what you covered is the recognition that you got the scale wrong, and therefore a problem was invited on the Department that it was never capable of coping with. I really appreciate your candour about the ad hoc nature of the systems that you were using, and therefore how some of the problems inherent in those systems were going to carry into any future issues. Do you reflect that this should have been a problem that the Department pushed outside at that moment? Rather than using Home Office systems, should you not have used Home Office professionals and systems?
I have a couple of observations, and then Mr Lincoln may want to come in on this. One of the lessons about setting up for success is absolutely being clear about the roles and responsibilities of individual Government Departments in what needs to be a joined-up response, as well as being clear about where the lead sits. In some ways, I think whether you follow a lead Department model, or whether it is a central Cabinet Office co-ordinated effort—in the end, with the appointment of a cross-Government SRO in early 2024, that is where we have ended up—getting that right is important but not as important as being clear about the roles and responsibilities of individual Departments within that model. There were good reasons, given the scale that we originally assumed would be in play and the operational nature of our presence and then withdrawal from Afghanistan under Op PITTING, for this to start as an MOD lead. Defence Ministers probably felt that debt of honour more keenly than others, given their responsibilities. It was very difficult to do. With hindsight, the right thing for us to have done in September 2021 would probably have been to have closed the scheme, set up for success, and reopened it. The counterpart scheme run by the Home Office, with FCDO input—the ACRS scheme, not for people who had been supporting the UK armed forces in Afghanistan—was devised during that autumn and launched in early 2022. However, the operational imperative post-PITTING was to deal with those people whom we had been unable to evacuate during that period—a period with which you are personally well familiar. That kind of managed break was, at the time, an incredibly hard thing to do.
Paul, I would love to let you come in, but moving beyond this, because you have been so candid in filling the information gaps and tying this in with the previous discussion, I think we have a really full understanding of where you consider the risks were and the moments at which you transitioned past some opportunities to do things differently. One of the questions in my mind is about the moment at which things were invited upon the Department, because there is always a culture within the military and the civil service of not wanting to say no. You are always trained to say “Yes, but”, and it is the “Yes, but” that invites a problem. Was there a point here at which there should have been a clear no, and the problem should have been accepted by someone else or another Department? I know you have given us some judgment on that, but should there have been a no?
May I echo Mr Williams’s sentiments about the apology, for the Department, for the mistake that was made? I welcome the opportunity to speak to the Committee today. If you go back to the lessons that Mr Williams mentioned about setting up for success, I would take them one step further and say, “Start thinking about the outcomes at the outset.” That is about having people who served with us in Afghanistan having productive lives in the UK, being settled as part of that and productive within society, and then working your way backwards. That then gives you a slightly different way of thinking about the organising principles for setting up schemes like that, particularly for the future. It would place much more focus on the Departments that are interested in reintegration, which is where some of the issues have fallen across the schemes in the past. Then you would think about how you would organise across Government, including the strong central co-ordination to do that. When it came to looking at whether other Departments like the Home Office should do other things, there was a question, as Mr Williams said, about who had the keenest interest in this. Equally, on some issues such as data, the Department did, in its time, look at whether it would have been more appropriate to use Home Office systems. But because Home Office systems were going through an upgrade at the time, that would have meant a delay, rather than the Ministry of Defence introducing its own casework system. Some independent reviews done over time have said that the caseworking done in the Ministry of Defence eventually was of a comparable standard to that done in the Home Office. That is not to say, though, as we said earlier, that you should not think at the start of a programme, “What are the individual Department’s strengths?” and maximise those from the outset.
To the specific question, I think there was a window of opportunity in late ’21 for us to take a different approach. Again—and we got there in the end, after the discovery of the data breach—do you reset the approach for dealing with that? There is some challenge over this period, in that the incentives and levers across Government were not necessarily well aligned. More of the incentives sat with the MOD, and quite a lot of the levers sat elsewhere.
Just before I hand over—because I think you have taken us to the point of the next question—I should say that we visited one of the reception centres the other day. Mr Lincoln, it talks to your point about the system working the other way around: understanding the outcomes that you want to get for these people. That makes it clear that it was almost like—I struggle to think of a useful analogy—the MOD was creating a problem, so to speak, over which the rest of Government really had ownership, in that this mass of people needed to be dispersed elsewhere through the system, and the thinking should have been otherwise. When this was tackled, if it was not from the official side, should that no have come from the Department’s leadership making the case that this was a whole-of-Government problem? Would you agree with that or offer a view on it, because this was a problem invited upon you?
I think that plays to the second of our lessons about how you shift from a crisis response to a sustainable programme. Part of the challenge here is that despite our best efforts, we were in a wave of crises, as it were, getting to the point early in 2022 when we had over 100,000 applications. Perfectly rightly, much of the parliamentary, media and public scrutiny was around how we were dealing with the backlog. The attention was on firefighting the next thing to happen, rather than, as Mr Lincoln says, working back from where we wanted to end up. I think that there are some really important lessons there.
Once the data breach was discovered in August 2023, how were the responsibilities divided within the MOD for managing the data risk, protecting the people affected and advising Ministers?
Do you want to start, Paul?
It is probably worth setting this out from my perspective. I was not in the Department in February 2022 when the breach occurred, but when I came back into the Department in May 2023, data protection, cyber security and the Afghan relocation assistance program fell under my overall broader responsibilities in the Department. In that sense, it made sense for me to do the lead, at a permanent secretary level, on a day-to-day basis. From my perspective, that consisted of six key elements. The first was about what the immediate crisis response is. The second was about ensuring that appropriate threat assessments have taken place. The third was about making sure that proper investigative action took place, including with the Metropolitan Police Service. The fourth was commissioning a full independent review of MOD’s data handling processes and policies. The fifth was working for a longer-term strategy with Ministers on how to deal with the issues we face. The sixth was making sure that there were sufficient arrangements, such as inquiry centres and surge teams, in place for a “break glass” moment, to be able to manage any level of inquiry that might be facing the Department.
The question was about how it was divided out within the MOD with those things in mind, not the list of what was to be done.
Within that, it depended on what it was. A significant chunk of it was led by the directorate for Afghan relocation and assistance. Depending on where they were, there were other sets of organisations. However, the co-ordination of that was done by a “gold group”, in inverted commas, which was led by the chief operating officer of the Department at the time.
But who divided up those responsibilities? Who was deciding which Department or person was in charge of a particular thing, whether that was the people affected who were put in danger, or managing the data risk, or advising the Ministers?
The central co-ordination of that, drawing on all the relevant parts of the Department, was led by the gold group, which was chaired by the chief operating officer.
So they decided all that—thank you. What concrete changes did you direct for data handling, assurance and governance in the immediate aftermath of the breach?
A number of steps were taken, which included referring within 72 hours to the Information Commissioner’s Office, which of course is the requirement for any major potential breach. Some immediate investigations within the directorate also took place. The most major undertaking was that I commissioned, on behalf of the Department’s executive committee, an independent report by a data protection expert, Neil McIvor. He undertook that review, which reported back in January 2024. A copy of that has been provided, I think both to this Committee and to the Public Accounts Committee.
The data breach happened in August 2023, and then the report was undertaken. Did you say that it reported back in January 2024?
The report, which looked at the entire Department’s data protection arrangements—yes. But that was in parallel to other actions looking at that particular directorate. It is probably worth putting this in context: previous reviews that had looked into that directorate had said that the things that needed to take place, in data handling terms, had broadly taken place. You will recall that there was a previous incident involving a blind copy addressee, which the Department was investigated and fined for. The reports on that demonstrated that the team, and also the Department, had taken action against the requirements set out in those recommendations.
Were any changes implemented prior to that report coming out?
Changes included, as Mr Williams said, things that involved removing the directorate from PJHQ, which was one of the recommendations. There was another one around setting up the DACS database, which regrettably was not in place and would probably have prevented it. Those are the kinds of actions that came out from previous data reviews in that area.
The implementation of the DACS database, for instance, meant much greater access controls—the ability to understand who was viewing data and to control that data view. We had introduced processes by which emails outside Government systems needed a double lock; that is not particularly relevant to this data breach. There had been a rolling programme of improvements in data handling, both within the direct Afghan resettlement team and across the Department, from the autumn of 2021 onwards. That is work that continued. Of course, this breach was a major factor behind commissioning the McIvor review. The review also looked at loss of personnel data as a result of a cyber-attack, at inadvertent email breaches—if you have .mil at the end, it goes to the US military, but if you have .ml it goes to Mali, so we had some issues with emails there—and at the original blind copy reviews as well. It was a comprehensive review of all of the Department’s data protection activity, not just this breach.
How quickly were the changes implemented?
There were 39 recommendations from McIvor and the majority of those were implemented pretty quickly—
Some people might have different views on what “pretty quickly” could mean. Could you give an actual timescale, please?
Recommendations around changes of policy, oversight of policy or introduction of controls were implemented, I would say, almost immediately, so within a month or two. That accounts for 25 or so of the 39 recommendations. There are also a number of recommendations that are, if you like, never really done. One of the important recommendations is about being clear about accountabilities by having explicit reference to data protection and information security in letters of delegation. But each time somebody issues a letter of delegation or a new person arrives and receives a letter of delegation—each time there is that handover—new letters of delegation are issued, so you have to keep including it. It is a permanent painting of the Forth rail bridge, if you like. Then there are a small number of recommendations—in the single figures—more linked to the way in which we were looking at commercially sensitive data in our procurement systems, rather than personnel data. Those are subject to some multi-year upgrades of Defence commercial IT and Defence record management systems.
When the injunction was first considered, did you express any concerns to Ministers about the possible risks of involving the courts?
On the decision by Ministers to utilise an injunction, the then Secretary of State asked for an injunction and the Court granted a super-injunction. The primary consideration was the ability to act at pace to ensure that the Department could put in place policies, procedures and actions to protect those people we thought were going to be at risk.
Did you express those concerns to Ministers at the time?
Those concerns were expressed to Ministers in the form of advice, including threat assessments setting out that if that information was to be released and then fall into the hands of the Taliban—I know you have just had Mr Rimmer report on some of this—it could have provided a threat to life, and Ministers on that basis decided to apply for an injunction.
It took 11 months from the point at which the breach was discovered for relocation decisions to be agreed and acted on for those not otherwise eligible under ARAP. Why did it take that long?
The initial focus, in terms of relocations and resettlement immediately after the breach, was to ensure that we were running the pipeline of ARAP-eligible individuals as well as we could. There is a substantial overlap, in terms of the dataset that was part of the data breach, between those who would be eligible under the ARAP scheme anyway, as opposed to widening it to different cohorts. So action to speed up relocation of at-risk individuals, based on a risk assessment, to get them out of Afghanistan into a safe third country, to the UK, and then for the resettlement package to kick in—that was a focus of activity through that autumn of 2023, but focused initially on ARAP-eligible cohorts, anyway. During those months, decisions were made to extend eligibility by, I think, initially a couple of hundred principals, which with family members would get you into maybe five, six times that number of people, before decisions were made in the last Cabinet Sub-Committee before the election in 2024 to broaden that cohort to around, I think, 2,000 principals. That decision was then confirmed in the first Cabinet Sub-Committee meeting of the new Government in the autumn of ’24. So it is not that nothing happened. Most of the focus in those immediate months was on bringing back the people who we knew were still in Afghanistan and were already eligible.
To what extent could the whole process have been speeded up if there had been the political will to do so?
At the start of this, during the autumn of 2023, Ministers actually took the decision to try to accelerate the relocation of people as swiftly as possible. There are a series of different factors, though, about how quickly you are able to remove people from Afghanistan to the UK through a series of different steps. The prime one, of course, is how you get people out of Afghanistan into a third country, which I know some members of the Committee have had a private briefing on, and there are genuine limits on capacity about what you can do, irrespective of the level of political will.
Did the changes of Secretary of State that took place at the time that the super-injunction was granted and over the general election have any practical consequences for the speed or nature of decision making?
I do not think that the handover between Ben Wallace and Grant Shapps particularly had a material impact on timeliness. As you will have heard from those former Ministers, we sought the injunction under Ben Wallace and it was granted two or three days later, by which time Grant Shapps was in post. But the ministerial lead within the Department through the Minister for the Armed Forces, James Heappey, provided a degree of continuity. There is no judgment here, but necessarily, with a change of Government, there is a need to read a set of new Ministers into the issues. If you think about that summer after the election, with the civil unrest, there were plenty of things for Ministers to be focused on. The Cabinet Sub-Committee came together formally for the first time to discuss these issues in October 2024. But during that time, certainly from Defence Ministers—and I think officials in other Departments would probably reflect the same—there was nevertheless a sense of the urgency of understanding both where we were on the issue and what practical choices the new Government had about the policy approach that we had previously adopted.
But the general election ultimately did slow the process down?
Yes, I think that is fair—but it is a fact of life.
After the injunction was in place, did either of you judge that operating under extreme secrecy was reinforcing existing institutional caution and thereby slowing practical action to reduce potential harm to affected Afghans and did you raise those concerns directly with Ministers?
Operating under a super-injunction has a number of different effects, and it was one of the lessons that we were drawing about transparency and scrutiny. However, from a practical perspective, imagine speaking to a local authority at one end—it is very difficult to have the conversation that people might want about the numbers of people who might need to be resettled. Every step of the journey that you are doing is a little bit more difficult to handle as a result of that. I do not think that there was particularly deliberate delaying in any of that; it is just a series of practical steps which people will have felt some level of frustration with.
Within central Government, in the end, the key people in other Departments who needed to be engaged were within the circle of knowledge of the super-injunction anyway. This can be quite easily overlooked, but I pay tribute to both the civil servants and members of the armed forces who worked under incredibly difficult circumstances during this period. Across the three resettlement schemes we have successfully brought out around 38,000 people from Afghanistan. My sense on the day that the super-injunction was lifted, and the Defence Secretary made his announcement to the House, was that the mood on the floor plate of the Afghan relocation team was one of a huge sense of relief that this weight had been lifted and that people could talk to colleagues or family members about the work that they were doing. That was a factor in terms of pressure on staff—and a factor that in an ideal world they would not have had to operate under.
Let us move on to the Triples. Mr Lincoln, after you became aware in early 2024 of problems with the verification of applications from former Triples, why did it take so long for those failures to be corrected and for decisions to be overturned?
As soon as the Department became aware of those, a combination of things, which included some court cases, brought our attention to the fact that as a Department we had not necessarily been making consistent decisions nor had the best records of the decisions that had been taken. Those were factors in this, with inconsistent decision making being one of the critical things. Advice was given to Ministers and Ministers—rightly, in my view—took the opinion that they should launch a review of the decisions of the Triples. That was done under the auspices of James Heappey as the Minister for the Armed Forces at the time.
You knew that you were dealing with particularly high-risk individuals. Those applications from specialist units and that whole system needed to be airtight. Instead, what was left behind was described as “slack and unprofessional verification processes”. It has let down a lot of good people—people who supported our brave servicemen and women. Are you aware of any meaningful individual accountability within the MOD for that slack and unprofessional verification process originally used in relation to Triples applications?
The processes that were undertaken were set out under the directorate as part of that, and the investigations that were done said that they were not as robust as they should have been. The processes were looked at robustly and, equally, the decisions were retaken in some 2,000 cases as part of the process of the phase 1 and phase 2 Triples review in order to make sure that the Department took that seriously. There was no suggestion as people looked at this that there was any deliberate sloppy decision making. As I say, it was inconsistent, and the record keeping to justify decisions had not been as good as it should have been, whatever that decision might have been in some cases.
Ultimately, we have had this huge data breach. Subsequently, hundreds of decisions—884, to be precise—had to be overturned. Nobody has taken accountability for that.
If I broaden it out from the Triples—I will come back to the Triples at the end—part of the reason I am sitting before you today as the former permanent secretary of the Ministry of Defence, rather than the current one, is that I accept that an element of the buck for this departmental failure has to stop with me. It is not the primary reason why I have moved on. I had been having conversations with the Defence Secretary about the opportunity of refreshing the senior leadership team in the MOD with a new perm sec, a new Chief of the Defence Staff and a new National Armaments Director to drive through the SDR and defence reform. In my own calculation, although if you are in a senior executive role of an organisation of around 200,000 people, you cannot know what each individual is doing on any given day, as Neil McIvor sets out in the introduction to his review, which we have talked about, in the end, ultimate responsibility for information and data security sits with the permanent secretary. Was that a factor in my agreeing to step down and the timing of that decision? Yes, and I am happy to own that.
Mr Williams, as the permanent secretary and principal accounting officer at the time of both the breach and the super-injunction, what do you personally accept responsibility for?
My direct responsibility was around whether the security culture and the system of data protection and information security were adequate to the task that we took on, as we discussed in response to Mr Bailey’s questions. Mr McIvor also says in his introduction that in his experience, most data breaches are the results of well-intentioned individuals doing something wrong with the best of intentions through a lack of awareness, because they are under pressure to act or because they are operating in a system that does not have adequate controls. In the new model, the Department of State takes responsibility for the overall system of information security, even if its implementation is out in the line. That is the point that weighed with me. I had had some conversations with the previous Cabinet Secretary and the previous Minister of State for the Armed Forces about whether I would need to stand down in due course when this came out.
Mr Williams, I want to put it on the record that I am very much appreciative of your candour and your acceptance of your role within that.
Thank you very much for being so candid in your previous remarks. They align with the discussion we had last time. It is very powerful to hear from you directly. Can you point to any other examples where there was meaningful personal accountability, or where there perhaps should have been?
Let me come back to another topic that we have discussed. When you think about data protection and information security, there is a point for me in the lesson about how the MOD is thinking about security in the round. We have had exchanges about RAF Lakenheath. That was not particularly at the forefront of my mind as I left the Department, but there is an underlying point here that—how shall I put it?—in the MOD that I joined in 1990, fresh from the cold war, seven years before the Good Friday agreement, everyone had a sense of security. It was a sense that you needed to think about information security, physical security and personnel security, because what you were doing, and how you were supporting the armed forces, was of interest to a range of people and could put you or your colleagues at risk. Over a couple of decades where our focus has been much more on the terrorist threat than the state threat, that has morphed into a particular set of concerns around security. In the world in which we currently find ourselves, where, frankly, the day-to-day activities of reasonably junior civil servants and reasonably junior members of the armed forces are of interest to state actors who do not have this nation’s interest at heart, there is a need for a broader reset of our attitude to security. I had started that work before I left, but it is something on which I would like to have made more progress. It is an essential part of the resilience of the organisation and the resilience of the armed forces to then be able to go and do the difficult things that we ask our servicemen and women routinely to do.
To add a small addendum, as one previous Chief of the General Staff said, “You need to treat personal data like you would your personal weapon. You need to look after it and care for it.” If you have that kind of attitude to the way in which you think about this across an organisation, you are probably more likely to be successful in the way you do it.
But if you are asking about others in the system, in the immediate investigations we did, we engaged with the Metropolitan police. There was no evidence of malicious intent or criminal wrongdoing. As I have already said, data breaches like this are often the case of well-intentioned individuals trying to do the right thing and not doing that. I am content with the fact that those individuals have not suffered direct consequences as a result of those actions.
To take you back to our previous discussion, that was kind of the point I was making: the human error is not the person who pressed send; the human error was perhaps the person who invited the problem upon the Department when it was not capable of coping with the problem in the first instance. That is why I was asking about that. You have given us a really powerful recognition of how you feel you were responsible for those outcomes, but ministerial responsibility was hidden entirely behind the super-injunction. Do you think that is something that we should revisit, or should have revisited, in our questions?
The question of super-injunctions and parliamentary transparency, as I said previously—I stand by this—is unprecedented. Of course, there is a point about what level of knowledge and insight you need for effective scrutiny. It will be a matter for the Committee to take a view on whether, if we had read in only the Chair of the Defence Committee, how well you would have felt that meant that scrutiny was being discharged. If you look at the ISC as a model for scrutiny of intelligence operations, it is about retrospective scrutiny, so there is a question about timing. Certainly to my mind—this reflects the conversations I had with Ministers in the previous Government at the time—there was absolutely an expectation that there would be full scrutiny by Parliament and the media once the injunction was lifted. It is a question of the timing of that scrutiny rather than the fact of it. It is not really for me to speculate whether, if we had not had the general election and if Ministers in post at the time of the breach or the time that the breach became known were still in post, such Ministers would be considering their positions. I suspect at least one of them would. We are in a situation where the Ministers currently in charge will take responsibility for how the resettlement programme has ended and how the super-injunction was lifted, but it is unrealistic for them to be responsible for decisions by their predecessors of a different party.
To put into context their predecessors and the thinking about parliamentary scrutiny, in September 2023, when Ministers spoke to both the Speaker of the House of Commons and the Lord Speaker, they were very clear in those conversations that the super-injunction would not affect parliamentary privilege, although clearly they would not wish them to exercise that privilege given the gravity of the situation. But equally the Ministers fully expected there to be, at the appropriate time, full parliamentary and media scrutiny of the actions that the Government took in this respect. It was always about delayed scrutiny, as opposed to no scrutiny.
I said this to the PAC in the autumn: I do not think that when the super-injunction was granted in early September 2023 anyone expected that it would still be in place in the summer of 2025. Certainly, in those opening exchanges, the Ministers present would probably have expected scrutiny of their actions while they were still in post. The timing and length of the injunction was not particularly something that we expected at the time.
It is not just about the scrutiny; it is more about the accountability for something like this. What does that look like? It is perhaps a very apposite discussion, bearing in mind the discussions that are happening elsewhere in the buildings: when a Minister of State invites a problem into their Department—I am conscious of the “yes, but” rather than “no” responses that we are inclined to give—what does accountability for a problem of this size look like?
One of the lessons that we drew from this, particularly from operating under a super-injunction, is that multiple layers of scrutiny exist, whether through Ministers who are democratically accountable, through the accounting officers, through Treasury, through Parliament, or through the media. Clearly in this case the super-injunction limited parliamentary and media scrutiny, but the other forms of accountability still exist. Secretaries of State are still accountable to the Prime Minister and Cabinet Committees. Accounting officers are still accountable. I know there was a debate about whether the Comptroller and Auditor General should have been informed as part of those debates, but Treasury officials and Treasury Ministers were involved throughout that set of processes. This is a question, as I put it and as Ministers saw it at the time, about delayed scrutiny in those two areas, rather than no accountability or scrutiny at all.
As an example of how Paul and I worked during this period, if the policy responsibility and response to the breach sat with Mr Lincoln, I retained the accounting officer responsibility, to provide just one degree of separation for approval of the spend on the policies that we were devising.
One final thing: you spoke about risk and risk management in the discussion that we had previously. I welcome your views on whether we are in, or have become in, the business of managing the risk of occurrence rather than the risk of consequence. Unfortunately, you would have been managing many risks that it would be easy for us to walk past if we quantify their risk of occurrence rather than focusing slightly more on their consequence. The consequences of this issue are hugely significant: in the order of between £5 billion and £6 billion, and numerous lives. It should not have been something that we walk past quite so easily.
You are certainly right that when we think about risk—when we set at the Defence Board level a risk appetite for the Department to operate within—we are thinking both about the likelihood of those risks materialising and the consequences of them doing so. Sometimes you can mitigate both parts of that equation, and sometimes you cannot, but there will be risks that the board worries about where the likelihood is very low but the consequences are very high. That does not mean that you can dismiss it. Some of the challenge here—the Committee touched on this in its previous session with Mr Rimmer—is trying to understand the consequence of this specific data breach for action by the Taliban and what additional risk it added to individuals still in country, over and above the general situation in Afghanistan or data that might otherwise be available to the Taliban Administration. It was in the end, first, essentially unknowable, and secondly, a matter of judgment. That is the kind of issue that both the Defence Intelligence assessment and then the Paul Rimmer work were looking to get to. I agree with you on the consequences in terms of taxpayers’ costs, although, just for the record, the £5.7 billion that I think the NAO has set out in its recent report is the total cost of all of the resettlement schemes from Afghanistan. At the time that the super-injunction was lifted last summer, I think the best departmental estimate—I say “best”, not necessarily fully robust—was that the cost of this data breach would be in the order of around £850 million, of which about half had already been spent. I think my successor at the MOD is planning to update the Committee on their latest estimate of costs before departmental witnesses give evidence next month, but the NAO has done a pretty thorough job on the costs, as far as I can see.
One of the lessons learned from this is about looking at occurrence rather than consequence. The previous Government invited a lot of risks on the Department based on the occurrence, so this may have been a decision that was invited on the Department. Let us take the management of the enterprise that looks after our surface and subsurface vessels—what would happen if they all called the enterprise at once? I am trying to understand the culture that allows us to manage these risks. You spoke of how we have changed over the last 10 years from a culture of warfighters to dealing with counter-terrorism. Is there a culture in the Department that focuses increasingly on the risk of occurrence rather than consequence? When these things play out, they play out very large, and the cost to the country is very significant.
First, risk in itself is not inherently wrong. The trick is setting your appetite for risk at an appropriate level that you can either manage or tolerate. If we had a very low risk appetite on everything, defence would be more expensive than it currently is, and we would not get anything done. It is about active management of risk that will ebb and flow. Where will we tolerate risks? Where do we need to take action, including financial resources to mitigate those? It is about clear line of sight from the risk appetite of Ministers, the Defence Board and senior officials through a Department as complex and large as the MOD to the day-to-day actions that individuals are taking—getting that right and aligned is really, really difficult. The lived experience of a lot of people in the system, notwithstanding the fact that we might encourage people to take risks, is that if you do take a risk and it goes wrong, you are not really thanked for it. So it is quite an interesting question, and the Committee has looked at this: what is it about the nature of our response to supporting Ukraine, which allows us to speed up processes, take more risk and cut corners, that we are unwilling to translate into peacetime activity? But that, I suspect, is a subject for another hearing.
Mr Williams, in terms of accountability, I appreciate your candour earlier, and your courage, but do you think that, in essence, you have been made to be the fall guy for this whole debacle—the data breach and its significant consequences thereafter?
No, I don’t think so. As I say, from conversation with the Defence Secretary, the principal reason why I have moved on is about that refresh of the leadership for the rest of the Parliament; I don’t think there are that many times when a Defence Secretary gets to get a new perm sec, a new CDS and a new National Armaments Director all in the space of a couple of months. At the time that it was announced that I was stepping down, the Defence Secretary expressed to me his regret that the link had been drawn in the media between the data breach and my going. I mean, I thought it was pretty obvious that that link would be drawn and, to the extent that it was a factor in my own decision making, I do not mind it being drawn. I think it is appropriate that, as the permanent secretary at the time of—as I said at the beginning—what was a serious failure of departmental performance, I am happy to own that. But if I am owning that, then I am also happy that that draws something of a line under it; I am not looking for lots of other colleagues to join me.
You are saying that you have owned some of it, but there is nobody else, in that whole process, who has been held accountable. Were you aware also that the then Foreign Office Minister asked the now First Sea Lord whether he would consider his position—whether he would be resigning?
I think I was aware of that before I left office, yes. And I know you have asked General Gwyn those questions.
Right. So you are happy that nobody else has taken accountability for this multibillion-pound debacle?
I am content that I am no longer the permanent secretary at the MOD.
Picking that up for a second, if I may, Mr Williams, have you been the subject of any criticism?
Well, I have been the subject of some criticism in the media.
No, I mean official criticism, within Government or by Ministers.
No.
So you are taking institutional accountability, as the perm sec at the time, but that leaves open the possibility that there may have been actual decisions made by your subordinates that were themselves questionable. In a sense, you are trying to deflect some of the pressure from those people by taking responsibility overall.
There is an element of that. There is also an element that goes to some of my earlier answers: my take on this data breach is that it is the result of a set of errors of judgment, or well-intended actions, taken under pressure to make rapid progress in a situation where lots of people were motivated by the need to protect life against the threat assessments that we were then working to, in a system and a culture that allowed those actions to happen, with the consequences that they had. I am happily carrying some responsibility for that latter part. I do not think that, for the specific individuals involved, this was a resignation issue, nor a disciplinary issue.
No—and you are also flying the flag for responsible leadership in the civil service.
Yes.
Yes—thank you. Can we just go on for a second? Given what you know, and what Mr Lincoln knows, imagine that we had the same crisis tomorrow, or something similar: a resettlement scheme needs to be set up in very short order. What do you now know that would make things different from what was done at the time, and how should the accountability work for that?
Our personal reflections on the lesson are about accepting that sometimes time does not allow that luxury. But, as far as possible, you want to be really clear about the outcomes that you are trying to achieve, and therefore really clear about the respective departmental responsibilities that need to be brought to bear to deliver those outcomes. You want Departments, and teams within Departments, to play to their strengths, rather than necessarily trying to pick up the whole set of responsibilities. There is a question about whether that can be delivered through a lead Department model, or whether you would look for Cabinet Office central co-ordination from the start. I think we would probably err towards that. I think central co-ordination is probably going to be a conclusion when the covid inquiry comes out, with DHSC having been in a similar position through their experience as the lead Department during covid-19.
I have some experience of that, as a viewer.
We got to a cross-Government SRO, albeit working out of the MOD, in spring of 2024. We have had a conversation about whether we could have got to that point either in the autumn of 2023 or at the end of 2021 or start of 2022. There may well have been some missed opportunities.
I apologise if I missed bits of that—I had to be at another Committee briefly. To pick up on that, a Cabinet Office SRO-led model would enable problems such as competition between Departments, unclear responsibilities and what you might call either overlaps or empire building. Presumably, those kinds of behaviours that inevitably get in the way of a co-ordinated, effective outcome. I think that is what you are saying.
Yes. First, I think that would have helped from the start. Secondly, I think it would definitely have helped earlier after the data breach. With the best will in the world—and I am thinking about a range of departmental responsibilities—this was a deeply toxic issue.
No one wants responsibility or they all want all of the responsibility.
In practice, the MOD ended up with all of the responsibility, but still quite a lot of the levers sat with other Departments. That is the mismatch that you need to get through.
When you think about accountability, how would that clarity of purpose relate to Ministers?
As you know, Ministers clearly have their own responsibilities within the departmental setting. There are also collective responsibilities. Even in those parts of this process where it has felt most like the MOD has been leading this, and leading it without necessarily fully aligned support, there has been cross-Government, Cabinet Committee oversight through what in the end became the DUAA. Small ministerial groups were meeting on the issue through the period. Ministers have been involved from Departments across Whitehall through this process. I touched on this briefly at the beginning: I think possibly Defence Ministers at the start of this process—in the immediate aftermath of Op PITTING and the withdrawal from Afghanistan—felt the weight of bringing Afghan nationals who supported UK armed forces back to the UK most personally.
Well, there had been a fiasco at the Foreign Office, so you can see why they might have thought, “We have got to step forward and actually lead”.
And they will have had views about the capability of other bits of Government to do it.
The need for clarity and tough choices is one that works itself out across Departments among permanent secretaries, but also in relation to Government Ministers and, potentially, No. 10. If you are moving to a Cabinet Office-led model, presumably it is more that it is in order to get more central direction.
Yes, I think so. In the end, you can have a nice, logical civil service official model of how Departments should work together under Cabinet Office co-ordination—and you need that underpinning—but you definitely also need the political will for it to happen.
Mr Lincoln, did you want to add something?
No, I was nodding in agreement with what Mr Williams just said.
In terms of accountability, what kind of model do you think would sort the problem out? A single Minister? A single SRO from within the civil service? A separate taskforce?
Do you want to have a go on that one?
Naturally, I would probably make some reflections back to covid—or Brexit days, actually—where there were central Committees that were driving operational matters. Much of this issue was an operational matter. For much of that, the CDL of the day was chairing. Unlike more traditional Cabinet Sub-Committees, it consisted both of Ministers and senior officials who had, not quite equal decision making but equal voice, in terms of how the options—and how things were put forward—so that experts were part of that process. It seems to me that if you were to do that again, having that kind of structure would probably be helpful in trying to drive that. To include some of the questions around pace, while I do not think that Ministers did not want pace, that kind of routine drumbeat, with that kind of executive authority, helps.
Neither of those cases were necessarily as effective as they might have been, but nonetheless, they were a better model than the one that we ended up with.
For this issue? I would probably say yes.
This has been a fascinating session. Thank you very much, Mr Williams and Mr Lincoln, for appearing before the Committee. Our job is to ask the difficult questions, but also to thank you for your many years of service to keep our country safe. On behalf of the Committee, I thank you for that.