Undertaking of the Foreign & Commonwealth Office

Formal undertaking to comply with the Data Protection Act

Data Controller:

The Foreign and Commonwealth Office
Old Admiralty Building
The Mall

I, [NAME & JOB TITLE REMOVED], in The Foreign and Commonwealth Office, Old Admiralty Building, The Mall, London, SW1A 2PA, on behalf of The Foreign and Commonwealth Office hereby acknowledge the details set out below and undertake to comply with the terms of the following undertaking:


  1. The Foreign and Commonwealth Office is the data controller as defined in section 1(1) of the Data Protection Act 1998 (“the Act”), in respect of the processing of personal data carried on by The Foreign and Commonwealth Office, and is referred to in this Undertaking as the “data controller”. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.

  2. The Information Commissioner (ICO) was informed by UKvisas, the joint Home Office and Foreign and Commonwealth Office Directorate responsible for visa processing, that there had been a breach of security in the VFS online visa application facility. (VFS were contracted by UKvisas to operate this facility.) As a result of the security breach, the personal data of persons applying for visas to enter the United Kingdom could be viewed by other people.

  3. The ICO has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out at Part 1 of Schedule 1 to the Act. A copy of the Data Protection Principles is attached.

  4. At the direction of the Foreign Secretary, the circumstances of the security breach were independently investigated by Ms Linda Costelloe Baker, and the Information Commissioner has been provided with a copy of her Investigation report. Following consideration of the findings of that investigation it has been agreed that, in consideration of the ICO not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:-


The data controller shall, as from the date of this undertaking and for so long as similar standards are required by the Act or other successor legislation from other data controllers in similar circumstances, ensure that personal data is processed in accordance with the Seventh Data Protection Principle in Schedule 1 Part 1 of the Act, and in particular that:

· the VFS online application websites will not be re-opened and will be replaced by visa4UK, the UKvisas online application facility, which will be the only online application system used by UKvisas;

· a strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes, and a detailed audit carried out of the data processor’s data security procedures;

· regular monitoring of the visa4UK website will be undertaken to ensure that the systems in place to provide effective protection against unauthorised access are operating correctly;

· adequate and relevant data protection training will be given to all UKvisas staff on an ongoing basis.
For The Foreign and Commonwealth Office

Mick Gorrill (Assistant Commissioner, Regulatory Action Division)

For the Information Commissioner
