The Department of Health has breached the Data Protection Act, the Information Commissioner's Office has ruled following an investigation into a security breach on the Medical Training Application Service (MTAS) website.

The security breach made details about junior doctors, including religious beliefs and sexual orientation, available to anyone accessing the site.

"This is an unacceptable breach of security. It is essential that the Department of Health takes the appropriate measures that we have outlined in order to protect individuals' personal information," said Mick Gorrill, assistant commissioner at the ICO.

The Information Commissioner's Office has made the Department of Health sign a formal undertaking to comply with the principles of the Data Protection Act.

The Department of Health will now be required to encrypt any personal data on its website that could cause distress to individuals if disclosed. Regular penetration and vulnerability testing must also be carried out on applications and systems under development to minimise unauthorised access. The Information Commissioner's Office has also ruled that staff should be trained in compliance with the Data Protection Act.

Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO and could result in prosecution.