Exposed: How Afghan DNA samples were lost by the British Government after a “commercial decision”

The DNA was lost after DHL’s “commercial decision” to fly via Bahrain. // Photo: Dirk-Jan Kraan (Flikr/CC)

In February last year, British Embassy officials in Afghanistan sent a package on a flight to Britain containing DNA samples and a collection of sensitive personal documents.

But a “commercial decision” to take the delivery on a detour led to the bag being lost.

A series of delays, mistakes and poor decisions left the items unfound for nine months, while those responsible failed to apologise.

‘Diplomatic Bag’ number AF24 had been handed to delivery company DHL in Kabul. It contained DNA samples from an Afghan family who were applying for British visas. They were sent alongside their passport photos, Afghan identity cards, dates of birth and a picture of the whole family.

The bag also included a separate passport application, a set of Psychological Health Screening tests from Foreign and Commonwealth Office (FCO) staff, as well as a woman’s bank details, home address and invoices.

The delivery company held on to the bags in Afghanistan for more than two weeks “because of a local public holiday”, before loading it onto a plane on 2 March.

But rather than sending it straight to the UK, DHL chose to put the bag on a flight via Bahrain. At the time, Bahrain was in the middle of a political uprising which had started the previous month, meaning that security concerns in the country were raised.

Exactly what happened to diplomatic bag AF24 is still unclear. The storage warehouse in Bahrain told FCO services they had never received it, but FCO Services claimed there was proof it had been loaded on to the flight. The bag could not be found anywhere.

An FCO incident report written later in the year commented: “There has been conflicting evidence that they either reached Bahrain and were stuck there for some time due to the unrest in the country at that time or that they had never left Kabul.”

But DHL said it was unsafe for their staff to conduct a full search in Bahrain because of the uprising. The delays meant that worldwide searches did not start until the following month, with still no update from Bahrain.

By May, the case had been escalated to DHL’s top levels of management and searches were taking place warehouses in Leipzig, London Heathrow and the East Midlands, as well further desperate checks in Kabul and Bahrain.

Records suggest that, throughout this time, neither the FCO or DHL had made any attempt to inform people that their DNA, bank details and medical records had gone missing. One official at the British Embassy in Kabul sent an email to colleagues to tell them a bag had been lost, but it seems that individuals weren’t approached until much later in the year.

Eventually, in August, the embassy filled in a personal data incident form and sent it to the FCO’s Information Management Department (IMD). It followed an email from the IMD telling the embassy: “We would like to monitor data incidents involving diplomatic bags more rigorously.”

But the delays in dealing with the loss meant that finding the postage senders was much more unlikely. An embassy official explained: “Due to the high turnover of staff it may be that some of the other senders have left post.” They added: “As it’s been six months since the bag was sent if they didn’t come back to my colleague [who had emailed embassy staff in March] then I doubt they would remember now.”

With the IMD putting pressure on the British Embassy in Afghanistan to cough up details about the data loss, more was revealed about the role of DHL in catalogue of errors. On 16 August an IMD email was drafted to the department’s head, clearly setting out the failures of the delivery company.

“I have asked FCOS [Foreign and Commonwealth Office Services] to raise the fact that the bag was flown to Bahrain during the civil disturbances there,” it said. “Had another route been used the bag may not have gone missing. Had DHL advised FCOS of non-receipt earlier, we could have asked BE [British Embassy} Bahrain to try and retrieve it from the airport.”

The questions were put to DHL the following day. FCO Services have since commented: “The choice of routing was a commercial decision made by the courier company. FCO Services have discussed relevant lessons with the contractor and we are satisfied they have been taken on board.”

But amidst the internal discussions, many of the people affected by the data loss remained unaware that their privacy had been compromised – and DHL was failing to apologise.

By August, one FCO employee who had found out her personal details had been lost wrote to the British Embassy to complain. She claimed that one of the missing parcels “contained all the invoices, detailed records of my travel package, including my credit card details, home address.” She said: “Had someone looked into the missing bag earlier (it was at least a 5 week gap and only as a result of me following up my own mail) it might have been located.”

It appears it was only at this stage, six months on, that the IMD thought of telling Immigration and Passport Services – a procedure that is meant to be done within 48 hours. An official wrote: “I will advise them [British Embassy, Kabul] to alert the IPS in case anyone might try to use the missing information to make a fraudulent application.”

But it wasn’t until September when the FCO finally all the people affected about their lost details. Confidential medical records of three staff members were amongst the lost items – thought to be Psychological Health Screening Questionnaires which are completed every three months. But the identities of the three individuals was not found out until 15 September, when a simple email to the FCO Healthline confirmed which forms were missing.

The next day, the embassy in Kabul received an email from the IMD. “We need to say something to reassure them in case they are concerned about the information falling into the wrong hands. The loss of such personal info may well cause anxiety in those affected. Do you… have any ideas about this?” A reply came back commenting: “the most sensible thing to do is to tell the people concerned.”

Bt while the FCO were scrambling to close the case of bag AF24, which was still listed on a ‘missing in transit’ file, delivery firm DHL were doing little to help the situation. One British Embassy official wrote in August: “Regarding an apology, we’ve had nothing from DHL Kabul.”

He said: “Ultimately the responsibility lay with DHL as from our point of view we’d followed the correct procedures. It would have been nice to have received something from DHL to forward on to the senders in the way of an apology but we’ve had nothing.”

By the end of October, the FCO was finally ready to close the case of the still-missing AF24 diplomatic bag. Then suddenly, on 2 November an email arrived, out of the blue.

“I have just heard this afternoon that a DHL lost and found depot in UK has Kabul AF24 in their possession… Once we confirm it is AF24 we can investigate with DHL UK and the lost and found warehouse where it has been for the last 9 months.”

An FCO spokesperson has now said the bag was “found undamaged, and there is no evidence to suggest that any personal data may have been compromised.”

The saga of AF24 was closed and neatly hushed up by the FCO. When enquiries about data losses were first made at the start of 2012, the FCO chose not to cough up any detail about the DNA debacle, instead listing it alongside other more minor losses in a few cells of a spreadsheet.

When asked for more details an official from the IMD emailed the FCO’s press office saying: “My feeling is that we should stick with the lines we have produced and agreed – there is enough info there and in the table itself,” adding that “none of the info was highly classified.”

The FCO Press Office emailed back. “We’re ok, hopefully on background we have talked them out of the story (or dulled it down, anyway).”

Note: Parts of this story were first mentioned in an article I did for the Bureau of Investigative Journalism about government data losses. 

Exclusive: Met Police website taken offline after AccessDocs exposes privacy breach

Offline: The Met website's disclosure log, after 105 files found with private data

Updated: 19/10/11

The Metropolitan Police has been forced to remove part of its website, after a mass privacy breach was exposed by this blog.

More than 100 documents had accidentally been published online containing confidential information in the files’ meta-data. This included names, email addresses and employment history of members of the public.

An “urgent investigation” has now been launched by police into the breach, and the entire section of the website has been taken down. The Information Commissioner has also launched its own investigation after receiving a number of complaints.

The documents had been online for months – free for anyone to read and find through Google. They were legitimately listed on a Freedom of Information disclosure log – but data within the files gave away people’s personal details.

The Met told AccessDocs: “The MPS has temporarily disabled the website whilst we carry out an urgent investigation. As an interim measure, we have removed all the PDFs that contain disclosure information from the server to ensure no further loss of personal information… We apologise for any inconvenience this may cause and aim to have the site restored as soon as possible.”

“NB – first indications show that email addresses may have been published.”

Police originally claimed to have “disabled” the website on Tuesday, but it later transpired that all the documents were still online. Instead of removing it, the home page of the information was simply moved. This meant that although old links to the data didn’t work, it could still be found through Google, or by editing the URL. This further error was reported on Tuesday evening, but it took around 12 hours to finally be taken offline.

Police also confirmed that one individual who had her personal details published has already registered a complaint. An email from the Met to the woman said: “It has been brought to our attention that your personal details have appeared on the Metropolitan Police Service website”.

Other people who had personal details published by the Met include an ex-policeman, a professor, a solicitor, an American student and a Daily Mirror journalist.

At least two people have now sent complaints to the Information Commissioner’s Office (ICO). A spokesman for the commissioner said: “We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.” The ICO has the power to prosecute and impose penalties of up to £500,000 on organisations for private data breaches.

The Disclosure Log, which has been taken down as a result of the privacy breach, provides copies of the responses to Freedom of Information (FOI) requests that are sent to the Met.  Disclosure logs are a valuable and positive part of transparency – FOI campaigners will therefore be pleased that the Met have confirmed that this move is only a temporary one. A press officer for the police said that they would go through each of the hundreds of documents individually, if necessary – but that they would get the disclosure log back online as soon as possible. 

In future, Data Protection and Freedom of Information should not be an either/or. 

NB:  For all queries about this story, please contact me on , or see the ‘about’ page, or see my website.  

Exclusive: 100 private documents accidentally published on police website

File info showing name and email address of a member of public who had requested information from the police. (Here, the private details are blanked out, but they are still online on the Met's website).

Privacy breaches by the Metropolitan Police have left more than 100 documents online which contain confidential information.

Names, email addresses and employment details are among the private data which can still be viewed on the Met’s website.

Police publish all their responses to questions in an online disclosure log. But staff are routinely failing to remove personal information from the titles of files – leaving people’s details, and their questions, free to be found through Google and read by anyone.

The breaches include the details of an ex-policeman, a professor, a solicitor, an American student and a Daily Mirror journalist. In total, around 105 files contain privacy breaches, with a sharp increase in breaches since August.

Some of the documents also include whole paragraphs of personal information about the members of public making Freedom of Information (FOI) Requests. Police uploading responses to the internet have simply copied and pasted sections of correspondence which give personal information.

A rise in the number of privacy breaches follows record levels of FOI requests to the Met, suggesting that privacy is being overlooked. New figures show that requests rocketed this summer after the police force came under criticism over the hacking scandal and the August riots.

NB: Some people submitting FOI requests choose to make their information public by using, but a large number of requests are done confidentially for personal, journalistic or employment reasons. For instance, someone trying to gather information about an employer may not want to be ‘found out’ by future employers. 

See also:  ‘How police lost your personal data’ (from August 2011)

UPDATE: The Metropolitan Police have removed their entire online disclosure log as a result of this blog post. Several of the people who had personal details published have expressed their anger at the police. More updates to come. All enquiries to Martin Williams  –

Revealed: How the police lost your personal data

A document published by the Metropolitan Police this week lists every accidental loss of personal data that has been recorded since 2009.

The data they have lost includes names, addresses, court details and details about people’s criminal offences. Data has also included information about the race, sexuality and disabilities of Metropolitan Police staff.

Ways in which the data was lost included:

  • “Waste sack split, spilling Restricted waste into street”
  • “Misdirected documents – sent to incorrect individuals”
  • “Box of paperwork found in street”
  • “Unredacted FoI request sent in error”

Altogether, the personal data of at least 113 people was “lost”.

View the document here: