The Information Commissioner’s Office has found the Department of Health guilty of breaching the Data Protection Act, following an investigation into a security fiasco that hit the department’s Medical Training Application Service (MTAS) website.
The site, which was designed to process junior doctors’ applications for training places but was plagued by problems, has since been axed for failing to provide a workable service.
The ICO began investigating a site security breach in April this year. A problem with the site meant that, for a time, junior doctors’ personal details, including religious beliefs and sexual orientation, were accessible to anyone visiting the site.
To protect against unauthorised access the DoH has been required to encrypt any personal data on its websites that could cause distress to individuals if disclosed.
Regular penetration and vulnerability testing must also be carried out on applications and systems under development to minimise the risk of unauthorised access. The information commissioner, Richard Thomas, has also ruled that staff must be trained on compliance with the Data Protection Act.
The ICO has made the DoH sign a formal undertaking to fully comply with the data protection principles. Any further failures could result in prosecutions, the ICO has confirmed.
Mick Gorrill, assistant commissioner at the ICO, said: “This is an unacceptable breach of security. Organisations must ensure that the personal information they hold on us is secure – this is an important principle of the Data Protection Act.
“It is essential that the Department of Health takes the appropriate measures that we have outlined to protect individuals’ personal information.”