The Department of Health

What
Inappropriate processing of personal data

How much
Unknown.

Why
The personal details of junior doctors held on the Medical Training Application Service (MTAS) website was readily accessible to any person accessing the website.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data held on the website must be encrypted. Instructions and advice as to the use of passwords and PIN numbers be given to the data controller to those entitled to access the site. Staff will be given appropriate training and regular penetration and vulnerability testing of developing applications and systems to minimise unauthorised access.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
4 December 2007

Links
View PDF of the Department of Health Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500