The Department of Health

What
Inappropriate processing of personal data

How much
Unknown.

Why
The personal details of junior doctors held on the Medical Training Application Service (MTAS) website were readily accessible to any person accessing the website.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data held on the website is encrypted. Instructions and advice as to the use of passwords and PIN numbers will be given by the data controller to those entitled to access the site. Staff will be given appropriate training, and regular penetration and vulnerability testing of developing applications and systems will be carried out to minimise unauthorised access.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
4 December 2007

Links
View PDF of the Department of Health Undertaking (Breach Watch Archive)

The Foreign and Commonwealth Office

What
Loss of personal data

How much
Unknown.

Why
The ICO was informed by UKvisas that there had been a breach of security in the VFS online visa application facility. The security breach resulted in the personal data of persons applying for visas to enter being viewable by others.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the VFS on-line application websites will not be re-opened and will be replaced by visa4UK. A strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes and a detailed audit carried out of the data processor’s data security procedures. The website will be regularly monitored and adequate and relevant data protection will be given to all UKvisas staff on an ongoing basis.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
19 October 2007

Links
View PDF of the Foreign and Commonwealth Office Undertaking (Breach Watch Archive)

The Northern Ireland Office

What
Inappropriate processing of personal data

How much
Unknown.

Why
The data controller failed to respond to a subject access request made by the data subject relating to the processing of personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all subject access requests received by the data controller are dealt with in compliance with the provisions contained within Section 7 of the Data Protection Act. Adequate and relevant training is provided to all employees who are engaged in the process of dealing with subject access requests.

Reason for action
The ICO had received a complaint about the data controller’s failure to respond to a subject access request.

When
9 July 2007

Links
View PDF of the Northern Ireland Office Undertaking (Breach Watch Archive)