The Department of Health has breached the Data Protection Act, the Information Commissioner's Office has ruled following an investigation into a security breach on the Medical Training Application Service (MTAS) website.
The security breach made details about junior doctors, including religious beliefs and sexual orientation, available to anyone accessing the site.
"This is an unacceptable breach of security. It is essential that the Department of Health takes the appropriate measures that we have outlined in order to protect individuals' personal information," said Mick Gorrill, assistant commissioner at the ICO.
The Information Commissioner's Office has made the Department of Health sign a formal undertaking to comply with the principles of the Data Protection Act.
The Department of Health will now be required to encrypt any personal data on its website that could cause distress to individuals if disclosed. Regular penetration and vulnerability testing must also be carried out on developing applications and systems to minimise unauthorised access. The Information Commissioner's Office has also ruled that staff should be trained in compliance with the Data Protection Act.
Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO and could result in prosecution.