I [NAME & JOB TITLE REMOVED], in The Foreign and Commonwealth Office, Old Admiralty Building, The Mall, London, SW1A 2PA, on behalf of The Foreign and Commonwealth Office hereby acknowledge the details set out below and undertake to comply with the terms of the following undertaking:

- The Foreign and Commonwealth Office is the data controller as defined in section 1(1) of the Data Protection Act 1998 (“the Act”), in respect of the processing of personal data carried on by The Foreign and Commonwealth Office and is referred to in this Undertaking as the “data controller”. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.

- The Information Commissioner (ICO) was informed by UKvisas, the Joint Home Office and Foreign and Commonwealth Office Directorate responsible for visa processing, that there had been a breach of security in the VFS online visa application facility. (VFS were contracted by UKvisas to operate this facility.) The security breach resulted in the personal data of persons applying for visas to enter the United Kingdom being able to be viewed by others.

- The ICO has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out at Part 1 of Schedule 1 to the Act. A copy of the Data Protection Principles is attached.

- At the direction of the Foreign Secretary, the circumstances of the security breach were independently investigated by Ms Linda Costelloe Baker and the Information Commissioner has been provided with a copy of her Investigation report. Following consideration of the findings of that investigation it has been agreed that, in consideration of the ICO not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:

  The data controller shall, as from the date of this undertaking and for so long as similar standards are required by the Act or other successor legislation from other data controllers in similar circumstances, ensure that personal data is processed in accordance with the Seventh Data Protection Principle in Schedule 1 Part 1 of the Act, and in particular that:

  · the VFS on-line application websites will not be re-opened and will be replaced by visa4UK, the UKvisas online application facility, which will be the only online application system used by UKvisas;

  · a strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes, and a detailed audit carried out of the data processor’s data security procedures;

  · regular monitoring of the visa4UK website will be undertaken to ensure that the systems in place to provide effective protection against unauthorised access are operating correctly;

  · adequate and relevant data protection training will be given to all UKvisas staff on an ongoing basis.